"Google claims to exercise greater care when it comes to supervising these third-party ad display partners," said Ben Edelman, who has provided details of the problem on his blog.
"They claim to be careful about this."
But despite new methods and tools to stop fraud, companies such as Continental Airlines sometimes get the short end of the stick, paying too much for online advertisements.
Advertisers sign up with Google's AdWords program, bidding on keywords that will trigger text ads that will be shown on web pages and other sites that have related content. If the ad is clicked, the company pays.
Online advertising networks often make deals with one another in order to expand distribution of their ads, an activity called "buying traffic". It helps expand the distribution of those ads, and Google's text ads often supplement those ads.
If an ad is clicked, every network in that distribution chain gets a slice of the revenue, with Google charging the advertiser for the click.
Edelman's latest research shows that for the third time in less than a year, Google's ads are showing up on an advertising software program called WhenU.
The application monitors a person's web surfing and displays ads. Security companies generally warn against installing such programs.
WhenU must be voluntarily installed by a user. But if it is installed, WhenU will behave in a way that essentially defrauds companies.
WhenU's software monitors a person's web browsing in order to serve advertisements, and offers coupons.
If a person browses to Continental Airlines website, WhenU will display a large pop-up window with Google ads, including a link to Continental's website that the company is paying for.
If someone clicks on the link, Continental has to pay for that click even though the person is already on their website. The click also generates revenue for WhenU and other partners in the distribution chain.
"That's a scam against Continental because that's a customer Continental already has," he said. Edelman calls the scam "conversion inflation".
In the Continental example, WhenU records the click, and then four other entities get a slice of the revenue. By using a packet sniffer, Edelman reveals the distribution chain showing how different companies get credit for the click.
The packet log shows the click is reported by WhenU to an unnamed company, then to LocalPages, an internet advertising company; then to Infospace, a search engine aggregator; and then back to Google, which charges Continental for the click.
Advertisers won't detect the scam for a couple of reasons, Edelman said. First, they're unlikely to install WhenU on their computers, he said.
Also, traffic measurement systems will only show they paid, for example, $600 (£375) for 100 clicks that resulted in $10,000 (£6,125) in revenue and not distinguish whether those sales would have occurred without those clicks on ads supplied by WhenU, he said.
Also, traffic measurement systems will only show how much advertisers paid for ad clicks and how many sales followed those clicks.
In particular, Edelman noted, measurement systems do not identify whether sales would have occurred without those clicks on ads supplied by WhenU.
If companies see that their Google ad purchases are fruitful, they're likely to spend more on ads and bid more for certain keywords if they think they're getting good-quality traffic, Edelman said.
But "the conversion rates are going to come out fake when the advertiser is trying to figure out if their campaign is working", he said.
Google says it prohibits its partners from sub-syndicating ads to other entities that it hasn't certified. But Google would not say if it has vetted the companies in the distribution chain detailed by Edelman and didn't have any further comment on Edelman's research.
Google - as well as other large companies such as Yahoo - partner with other ad networks to expand the distribution of their advertisements, said Daniel Walling, the lead fraud researcher for Anchor Intelligence, a security company that develops software to detect online advertising fraud.
A stream of traffic from WhenU "isn't of value to most name brand advertisers you would think of", Walling said. "The spyware doesn't belong in that interaction between the user and that site at all."
The first link between in the distribution chain is between Google and Infospace.
Infospace and did not respond to repeated requests for comment. LocalPages' Operations Director Eric Barkey did not response to requests for comment, and officials at WhenU could not be reached.
Edelman said he had documented Infospace as part of the distribution chain as far back as August 2005 involving Yahoo pay-per-click ads.
At that time, Infospace bought traffic from Direct Revenue, a company that produced advertising software.
Less than two years later, DirectRevenue settled with the US Federal Trade Commission in February 2007, agreeing to give up $1.5m in ill-gotten gains for using deceptive methods to download adware to people's computers.
Edelman thinks Google should sever its relationship with Infospace and that the company hasn't done enough to supervise the distribution relationships.
More broadly, however, Walling said that the relationships Google and other companies strike in order to get wider distribution for their ads are generally good for the industry as a whole, even if there is risk, Walling said.
"The job for Google or other buyers is to find out which of the partners are able to give them good-quality traffic," Walling said.
See also: Click fraud dips after all-time high