In 2006, Mona Gandhi and Jacob Ratkiewicz, two grad students of mine, and I publicized a novel click-fraud technique that at some point in time worked against all the major advertisement schemes. Our simple idea was for the click fraudster to iframe the advertisement; read the DOM, taking note of the call-back URL used when a user clicks; and then make a call to that URL.
Google made ingenious changes to their code within days of learning of the problem: simply make the advertisement an anonymous iframe, preventing it to be read. But there are still several service providers that are vulnerable to our attack.