A little of what we know.

High AdSense CTR April 20th. Are you being click bombed?

Many AdSense publishers have run a roller-coaster of emotions today as initial excitement over high earnings turned to fear about unnatural activity. The problem started with unnaturally high Click-Through-Rates over the weekend causing earnings to spike. With CTR on many sites hitting 3X or 4X normal levels, this clearly isn’t down to normal user behaviour.

It looks a lot like a coordinated attack on AdSense sites by automated “click bots” that is affecting large numbers of website owners.

Is my site affected?

We are seeing large spikes in CTR on many websites on April 19th and 20th (UK time).  If your site has the same then it is likely that you are experiencing the same problems.  The tell-tale sign would seem to be that traffic is coming from Version 27 of the Firefox browser.  You can check this for yourself in Google Analytics from Technology > Browser and OS > Firefox > 27, then changing the graph to display AdSense clicks rather than sessions.

It isn’t hard to block all traffic using that particular browser if you have access to your .htaccess file.  You can do it with the following:

# Return 403 Forbidden to any request whose User-Agent contains Firefox/27.0
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Firefox/27\.0 [NC]
RewriteRule .* - [F,L]

Whether you want to block all those users though is not a straightforward call.  Blocking a browser version means blocking humans as well as bots and you could lose users.  Checking your historic traffic levels for that particular browser version can help you make a more informed decision.

It is worth noting that this pattern might change.  It is not unusual for attackers to change ‘footprints’ as they go.

The source: inc

The traffic seems to be coming from a network identified as .  You can check this in Google Analytics by looking at Technology > Network.  We’re seeing traffic from this host as having AdSense CTR of up to 344%!

This is a traffic source that has been associated with click-bombing in the past.  With the traffic coming from a single source this does make it easy to block.  Just monitor the IP addresses and block those through htaccess. Do remember, though, that if you block a host you will be blocking legitimate traffic from that host as well as the bad.

use analytics to spot unusual traffic patterns
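One way to find the IP addresses behind the Firefox/27.0 traffic and to see how much other traffic a block would catch, as an added example (not code from the original post). It assumes the server writes the common "combined" access-log format and runs Apache 2.4; the sample log lines, the documentation-range IPs and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
SUSPECT_UA = re.compile(r"Firefox/27\.0", re.IGNORECASE)  # same pattern as the RewriteCond

# Constructed sample data (documentation IP ranges), not taken from any real log.
FF27 = "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"

def _line(ip, path, ua):
    return f'{ip} - - [20/Apr/2015:09:00:00 +0100] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", f"/page{i}", FF27) for i in range(4)]   # many pages, one IP
    + [_line("198.51.100.7", "/", FF27)]                         # possibly a real visitor
    + [_line("203.0.113.5", p, CHROME) for p in ("/", "/about")]
    + ["not a log line"]                                         # malformed, must be skipped
)

def summarise(log_text):
    """Return (total requests, suspect requests, Counter of suspect hits per IP)."""
    total, per_ip = 0, Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guessing
        total += 1
        ip, ua = m.groups()
        if SUSPECT_UA.search(ua):
            per_ip[ip] += 1
    return total, sum(per_ip.values()), per_ip

def deny_rules(per_ip, min_hits=3):
    """Apache 2.4 directives denying only IPs with at least min_hits suspect requests."""
    ips = sorted(ip for ip, n in per_ip.items() if n >= min_hits)
    body = "".join(f"    Require not ip {ip}\n" for ip in ips)
    return f"<RequireAll>\n    Require all granted\n{body}</RequireAll>\n"

if __name__ == "__main__":
    total, suspect, per_ip = summarise(SAMPLE_LOG)
    print(f"{suspect}/{total} requests match Firefox/27.0")
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n}")
    print(deny_rules(per_ip))
```

Blocking per IP above a hit threshold leaves the single-request Firefox 27 visitor alone, which a blanket user-agent rule would not.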

What is actually happening?

Click-bombing is the name given to automatically generating lots of ad clicks on an AdSense publisher's website.  There are a couple of interesting patterns to this particular attack though.  Firstly, multiple pages are being attacked, rather than a single page on each site.  We’re seeing a few dozen clicks to each page rather than hundreds to a single URL.  Secondly, the attack leaves an interesting footprint: AdSense page impressions are being reported, but not Ad Unit impressions.

This pattern becomes clear if we create a segment for all traffic on the network and compare it with all sessions:

AdSense Pages   Google Analytics

Why do people click bomb?

There are a number of reasons that are usually given to explain click-bombing.  Not all of these apply to the attack that we are currently seeing:

“Click bombing isn’t real. It is publishers trying to con Google”
This clearly is not the case with this attack. Many users have experienced problems in the last two days including some of our own clients.

“Click bombing is designed to get the publisher account cancelled”
At OKO we certainly believe that this is the motivation for some attacks, but probably not this one.  The reason for this is that a lot of publishers have been targeted and these are seemingly unrelated.

“Click bombing is designed to hurt the advertiser”
Again, this is feasible, but not likely in this case. To hurt a particular advertiser the attacker would need to find their ads. This would mean targeting sites in a similar niche, or those with custom search ads. This does not appear to be the case.

“Click bombing harms Google”
This seems the most likely motivation behind the current attack. Possibly a disgruntled publisher or someone else with an axe to grind.

What should I do about this?

The AdSense team are definitely aware of this issue (we have spoken with them about it).  We would expect that all necessary steps will be taken from their side. However, it is always good to be safe when it comes to protecting your account.  At the very least we would recommend reporting the invalid activity. This can be done from this page in AdSense help.

You could additionally block users of that particular browser version either from seeing the ads, or from the site entirely.  As previously mentioned this might not offer protection if the pattern of the attack changes.   If you are particularly concerned then you could remove ads entirely until the patterns return to normality.

Will I get to keep the money?

Probably not.  Google tries to filter out invalid activity and automated clicks. Much of this happens before the click is even registered in your AdSense dashboard. Other filters can be applied “post click” and result in adjustments in your account.  Automated clicks cost advertisers money. When they are spotted they are reversed, the advertiser is refunded and the publisher account is adjusted to reflect this.

Further reading

Those affected by this issue (or concerned that they might be next time) might find the following articles interesting:

Still worried?

OKO are Google Certified AdSense Partners, recognised experts in AdSense and other monetisation products. As well as helping publishers to earn more through advertising, we help them reduce risk and improve the security of their accounts. Learn more about working with an AdSense partner here.


Google have now started responding to many publishers who reported the suspicious traffic.  The statement reads as follows:

Dear publisher,

Thanks for reaching out. We appreciate your concern and honesty about this issue.

Beginning April 19th, some publishers have been impacted by a new segment of invalid traffic. Fortunately, Google’s traffic quality systems were able to react quickly, detecting this traffic as invalid and treating it accordingly; however, for two days this was not reflected in estimated earnings.

This invalid traffic will be removed before finalized revenue is reported at the end of the month. As a result, publishers may see a larger than normal difference between estimated earnings and finalized revenue for the month of April 2015.

This invalid traffic is no longer being counted toward estimated earnings as of April 21, 2015. Since Google does not block this traffic, publishers may continue to see it reflected in their weblogs.

Advertisers have not been charged for this invalid traffic. If you notice an issue like this in the future, please submit this form to our traffic quality specialists.

The Google AdSense Team


  • Good to know we’re not the only ones. Thanks for code.

  • Oliver Krautscheid

    Hi Mat, it would be great if you could also link to the original source this code originated from, which is – much appreciated! I identified Firefox 27 tonight after checking my Analytics logs. The avg session duration was only 2 to 4 seconds, very suspicious. Also very few people use Firefox 27 these days.

    • Mat Bennett

      We didn’t get the code from there, but very happy to leave your link in place – it’s a useful post. (Edit – in fact I’ve just gone back and also added it to the further reading links in the article as well)

    • Mat Bennett

      Hi Oliver. We didn’t get the code from there, but it is a useful post. Happy to leave your link here and I have also now linked it from the further reading block in the article.

      • Oliver Krautscheid

        Hi Mat, yeah you got it from Webmasterworld where I posted the rewrite rule after identifying Firefox 27 as the useragent and someone on there reposted it without giving me credit. It’s no big deal really, it happens on message boards, thank you for keeping the link in the comments, appreciate it. Let me know if you need a backlink from my site to any of your recent articles and I’ll return the favor.

  • Adrian Gheorghe

    I’ve been having the same issue as well, starting yesterday. I’ve reported the issue to Google twice, no answer so far. My last resort was to delete the site, all the click bombing was on a site that wasn’t that visited, so it was really clear that I’m getting click bombed.

    I’ve checked the logs and indeed it’s an ip from XLHOST. –

    Anyone having these issues as well?

    • David Shaver

      yes but that ip is not in my logs

  • Tarun P.K

    How to track the IP address, any clue?

  • Oliver Krautscheid

    Tarun you can go into your log file and search for the useragent Firefox/27. Then you will locate the IP and can add it to your firewall

    • Tarun P.K

      Thanks so much, in the meantime should I remove the ads as well?

      • Mat Bennett

        We do not recommend removing the ads.

  • Thank you for your article … we have the same problem.
    For people with nginx the solution can be found here:

    The network involved, as described in the post, seems:
    deny; # XLHOST IP
    deny; #XLHOST IP
    deny; # XLHOST IP
    deny; # XLHOST IP
    deny; # XLHOST IP
    deny; # XLHOST IP
    deny; # XLHOST IP
    deny; #AXARNET
    deny; #AXARNET
    deny; #AXARNET
    deny; #EASYSPEEDY external network

  • Thank you so much for sharing! I’m just a “little guy” but the amount of clicks I’m seeing scared the pants off of me and I was ready to kiss my account good-bye. I did send in a report last night, but the code you gave is very helpful too.

  • Cynthia

    Thank you so much for posting this! Since yesterday, I’ve been seeing an adsense CTR of 103% on some pages and it scared the crap out of me. I already saw ban in my future! I reported it last night because I thought it was only happening to me but it is so good to know I’m not the only one and that Google is aware of this problem.

    Do you have a solution for WordPress sites? I don’t know where I would add that code in WP? Thanks!!!

    • Mat Bennett

      The solution is just to sit tight. I’ve updated the post above now with a statement from Google. They are handling things from their end.

  • Brent Passey

    In the comments you stated to not remove the ads from our sites. I didn’t remove the ads, but I removed my site that was being click bombed from my authorized site list. Should I keep it off my list, or should I add my site to my authorized list? Thanks.

    • Mat Bennett

      If your website isn’t on your authorised sites list then you will not be earning. That isn’t a route I would want to take.

  • I am having a similar problem with spam referrals streaming into my google analytic account. For example freesharebuttons dot com/referral. I see tons of clicks in a matter of seconds. My question is, are those clicks real (i.e they actually land on my website) and how do I know if they will affect my adsense or not?

    • Mat Bennett

      This is a different issue, but it’s an interesting one that we might cover.

  • lap

    Great statement from Google. Now we do not need to be worried about AdSense invalid clicks anymore, because Google does not count invalid clicks anymore. Finally a great update for our ads. Thanks Google

  • lap

    Finally Google will not count invalid clicks and everybody is safe from April 2015. This means if somebody clicks on your ads too many times or bots try to click too many times it will not count like invalid clicks. Great news, now we can sleep normally. Thanks Google

  • Muskan Sharma