Sofizar Finds Security Flaw in Google AdWords Pay Per Click Service

Released on = January 10, 2006, 2:36 am

Press Release Author = Sofizar

Industry =

Press Release Summary = Geotargeting (location-based advertisement display)
vulnerability allows malicious robots or users to commit PPC click fraud

Press Release Body = Sofizar Inc - Sofizar, a company specializing in Click Fraud
Detection Services, announced today that it has identified a vulnerability in
Google's Pay Per Click (PPC) location-based advertisements. The Google location-based
service is meant to display Pay Per Click (PPC) advertisements only in the
advertiser-designated locations. However, a back door allows a malicious user or
automated program in a non-designated area to click on the advertisement,
potentially causing grievous losses. Furthermore, Google charges the advertisers for
these clicks, even though Google does not record the advertisement impression. This
vulnerability has been reported to Google.

The location-based Google service is designed to display targeted advertisements to
users from a certain region. For example, a ticket broker who needs to sell Wicked
tickets in New York City does not want her advertisement to be displayed in New
Delhi. Pay per click advertisements shown to a non-target audience can be extremely
costly, and AdWords PPC advertisers use Google's facilities to designate countries
(and in some cases cities) where their advertisements can be displayed. However,
this vulnerability allows a hacker in Beijing to see and click on advertisements
meant for a Las Vegas audience. Some advertisers pay up to $35 every time a user
clicks on their advertisement, and a hacker can run up the tab for such advertisers
quite fast. Sofizar's internal testing shows that Google not only charges for these
clicks, but due to a software glitch in Google's reporting interface, does not
record the impression.

"PPC advertisements have become very popular due to their instant traffic results, and
control over the composition of the traffic," said Ron Arthur, Program Manager of
Sofizar managed service. "Given that there is about $7 Billion at stake with Google
PPC advertising in 2006, malicious hackers are always on the lookout to get a piece
of the pie. An advertiser may feel secure in the knowledge that his advertisements
are being displayed only in the US, while his advertisements may be getting unwanted
clicks (and a massive bill) from a hacker in East Europe".

"There is essentially an arms race between the click fraudsters and us," said Zafar
Khan, CEO of Sofizar. "We see ever insidious tactics by hackers to deplete the
budget of advertisers, and unless the advertiser is really keeping close tabs on
their PPC advertising they are a prime target for fraud. The location based
vulnerability allows hackers to fly under the radar, and hit unsuspecting
advertisers. We have reported this flaw to Google and we are confident that they
will fix the glitch in their software. Our previous experience in dealing with
Google customer support regarding glitches has been outstanding".

Testing methodology used:

The vulnerability was tested on Sofizar's test account (tickets website) where a US
targeted AdWords campaign for a keyword with no searches was selected. Sofizar's
testers in their test center in Pakistan then used the back door to display and
click their test advertisement http://www.google.com/search?hl

Web Site = http://www.sofizar.com

Contact Details = Ron Arthur, Sofizar
4010 Crescent Point Road, Carlsbad, CA
92008 United States


Toll Free (US): 1-877-844-5435
Web: http://www.sofizar.com
