Of all the things that Google’s afraid of (employee revolts! antitrust actions! diversity!) ad fraud is certainly high on the list. And now, some creative scammers have turned Google’s fraud crackdown against its own users.
The scam, first caught by Krebs On Security, appears to work like this: web publishers—like, say, Gizmodo dot com—who serve banner ads on-site using Google’s AdSense program are getting emails from anonymous scammers threatening to flood their sites with fake clicks. These fake clicks will trip up Google’s fraud-detection systems and limit that publisher’s main revenue stream: their AdSense account.
Krebs got its hands on an email sent in by a reader who manages “several sites” with a fair amount of traffic between them. In the email, the scammer threatens that they “have the resources” to flood the site with fraud-y clicks again and again and again—potentially shutting down the publisher’s AdSense account in the process.
“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”
Naturally, the only way out of this scheme is to wire the scammer $5,000 in bitcoin within three days of getting this email. For the record, the bitcoin wallet listed in the initial email is 100% empty, which is a tipoff that, for the most part, publishers are taking threats like this as pretty baseless.
Still, as the initial Krebs tipster noted, the idea itself is “pretty concerning.” Thanks to the complexity of, well, the entire goddamn internet, a lot of the cash that flows from advertiser, to ad, to web publisher, is gobbled up by men in the middle—your adtech companies, your analytics firms, and so on. And because the players at the end of this chain are so strapped, it’s not hard to believe that the threat of cutting off what can easily be tens of thousands per month in AdSense revenue is enough for these publishers to whip out their own wallets.
According to a statement from Google sent to Krebs, the current scheme is a “classic threat of sabotage” that is all bark and no bite.
“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding. For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.
We have a help center on our website with tips for AdSense publishers on sabotage. There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”
Ultimately, though, whether this threat is real or not, the truth is that it’s easy to see how real it could be. It’s ridiculously easy to buy dubious-looking web traffic on sites like Fiverr or through digital back alleys. And while Google’s clearly trying to crack down on illegitimate clicks, the company has a history of letting extortionists exploit these automated systems for cash.