How AdSense works.

Let's see what is happening when AdSense script runs in browser. Hope you are familiar with following code:
<script type="text/javascript">
google_ad_client = "pub-7777777777777";
google_ad_slot = "777777777777";
google_ad_width = 468;
google_ad_height = 60;
<script type="text/javascript" src=""></script>
In general show_ads.js does the following tasks:
  1. script collects all available information about browser and OS (see: Browser fingerprint). This information includes: browser window size; display size; monitor color depth; plug-ins list; java version; checks if window has parent window; referrer;
  2. imports another 2 JS files - they are quite complicated to read because of obfuscation, but the main task they serve - make results more unpredictable and hard to mimic.
  3. creates IFRAME, which has main parameters (1) in URL - thus sending valuable espionage information back to Google.
  4. in the loaded IFRAME there are some scripts also, which IMHO are anti-bot watchers - they counts every mouse move over ads and then send this info to Google if ads link is clicked. I presume this helps detecting click-fraud bots.

Well, definitely principal weaknesses exist in the online ads model itself, allowing to perform "perfect" (i.e. undetectable) click-fraud attack, but implementation is quite tricky and expensive and bottlenecks are traffic to MFA sites and payouts.

Actually, advertisment networks may perfectly track users — every time you visit website with ads browser sends a little string - "cookie" to an advertisment server, next page — the same cookie, thus ad networks follow you. But don't think you are genious if you clear cookies (or restrict them in browser) — remember fingerprints while surfing internet.