A ‘new’ extortion scam seemingly targeting AdSense users has been widely discussed in publisher circles this month after being reported by the much-respected KrebsOnSecurity blog. The scam is a new take on the ever-popular Bitcoin extortion scam emails, with the threat now being to click-bomb a publisher’s site and get them banned from Google AdSense.
The scam doesn’t yet seem to be widespread, and this particular format has only been reported by one credible but anonymous publisher. Despite this, we see it as a credible threat that publishers should be aware of and prepared for.
How the AdSense Bitcoin extortion scam works
Neither email extortion scams nor threats of AdSense sabotage are new, and we’re sure that many publishers reading this will have experienced at least one of them before. This variant combines the two in quite an efficient way.
It’s simple enough for scammers to identify websites that are likely to be making good revenue from Google AdSense. The AdSense code, including the publisher ID, is visible in the page source in many cases, and tools like Alexa Rank or SimilarWeb give traffic estimates that are good enough for this purpose. The scammers then contact the website owner, threatening to flood the website with invalid traffic or clicks if a ransom isn’t paid in Bitcoin. In the example reported on Krebs the ransom asked was $5,000, from a sender calling themselves “AdSense Syndicate.” Here is what the email said:
“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”
“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”
AdSense scams that threaten to sabotage publishers’ accounts via click-bombing are not a new concern; they’ve been going on for well over a decade. However, this particular scam takes a new format which has given rise to a new bout of concern amongst AdSense publishers. Google always claim that actual incidents of sabotage are very rare, but the fear of it happening is widespread and understandable: Click-bombing is an easy and largely risk-free act of sabotage to perform. Combine that with Google’s reputation for terminating accounts without notice or effective appeal, and you have the perfect background for this type of extortion.
Can click-bombing get you banned from AdSense?
The idea of click-bombing is to trick Google into thinking that a publisher is trying to defraud them by artificially inflating revenue. Google is understandably strict in dealing with publishers who try such tactics, so the threat is that Google will take action against the victim of click-bombing, under the impression that the publisher is attempting to commit fraud. Google maintain both that this type of sabotage is rare and that they have measures in place to identify and filter it out.
Despite these assurances from Google, many publishers see the threat as a credible one. Google’s primary concern is to keep as much fraud as possible out of their ecosystem so that advertisers are confident to spend their budgets with Google. Given that fraudsters and saboteurs are likely to be using exactly the same methods to inflate impressions and clicks, publishers are probably right to be wary that they could be the “baby that gets thrown out with the bathwater” when Google are protecting advertisers. This is particularly true given that Google clearly state that “ultimately it is the publisher’s responsibility to make sure that the activity on their ads is valid”.
“Ultimately it is the publisher’s responsibility to make sure that the activity on their ads is valid”
– Official AdSense Help Pages
How credible is the scam?
We’ve yet to see a report of any AdSense publisher being banned from the program after receiving an extortion email. In fact, reports of this specific scam all centre on one incident. Despite that, we see the Bitcoin extortion scam itself as a credible threat to publishers. The ease of the extortion request combined with the low risk to the scammers suggests that copy-cat attempts are likely to follow. How many follow will depend on how successful the scammers are. The “prospecting” element of this scam is cheap and scalable and only needs a very small number of publishers to pay up to be profitable, so don’t be surprised if more reports like this begin to surface.
We can also foresee “it was the Bitcoin extortion scammers” being the next excuse from shady publishers who are legitimately cut off. The vast majority of publishers banned for invalid activity are banned as a result of their own actions or inaction. Few who are caught seem to accept the blame for that, and shady publishers claiming to have been banned because scammers click-bombed them will only add fuel to this scam by making the threat of a ban seem more credible.
It’s certainly not impossible for this type of scam to result in an innocent publisher getting banned, but we see the risk of publishers paying the ransom as greater. Luckily there are steps that you can take if you receive a threat like this.
What to do if you are targeted by the Bitcoin extortion scam
General advice when dealing with this type of extortion scam is not to engage with the scammers. Instead we’d recommend the following steps:
- Do not engage with the scammers, such as replying to their email
- If possible, don’t open the email or any further emails from them. They may include tracking beacons (remotely loaded images) that tell the scammer which emails are actually being read
- Don’t open any attachments or follow links from the email. Doing so not only signals that you are taking the threat seriously, but could also lead to other problems such as malware
- Do read Google’s advice on invalid traffic. There isn’t much, but it is worth reading. See here.
- Do report the threat to Google. They have an invalid traffic form here. Reporting early will have an impact on how your case is viewed if that becomes relevant
- Do talk to your AdSense Account Manager or Google Certified Publishing Partner if you have one
- Monitor your ad performance closely. If an attack starts you will likely see an increase in ad requests and CTR. You can always pause ads, or alter your trafficking if this happens
- Do consider bot blocking solutions. We love Cloudflare’s Bot Fight Mode as the first line of defence, which is available even on free accounts
- Do talk to OKO. If you are targeted by such a scam we’d be happy to share some advice even if you are not currently an OKO publisher
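The monitoring step above is the one most publishers can act on immediately, so here is an added example of what “watching ad performance closely” can look like on the server side. It is illustration code written for this article, not OKO’s or Google’s own tooling, and it makes some assumptions: access logs have been reduced to a simplified “timestamp, client IP, path” line, ad click-throughs are logged under an assumed /ad-click path, and the thresholds are starting points rather than Google’s criteria. The sample log is constructed inline: one minute of ordinary readership followed by the pattern the email threatens, thousands-of-IPs-in-rotation traffic where every visitor views a single page and clicks an ad.

```python
"""Flag log windows that look like a click-bomb (rotating IPs, ~100% bounce, runaway CTR).

Added example for this article, not code from OKO or Google. Assumed log
format: "<ISO timestamp> <client IP> <path>". Assumed click path: /ad-click.
Thresholds are illustrative starting points, not Google's detection rules.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AD_CLICK_PATH = "/ad-click"  # assumed: where ad click-throughs appear in the log


def build_sample_log() -> str:
    """Constructed sample: one minute of normal traffic, then the threatened flood."""
    base = datetime(2020, 2, 20, 10, 0, 0)
    lines = []
    # 10:00 - ten readers, two or three pages each, one ad click in total.
    for i in range(10):
        ip = f"203.0.113.{i + 1}"
        for page in range(2 + i % 2):
            t = base + timedelta(seconds=i * 4 + page * 10)
            lines.append(f"{t.isoformat()} {ip} /article/{page + 1}")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} 203.0.113.3 {AD_CLICK_PATH}")
    # 10:01 - sixty rotating IPs, one page each, and every one of them "clicks" an ad.
    for i in range(60):
        ip = f"198.51.100.{i + 1}"
        t = base + timedelta(seconds=60 + i)
        lines.append(f"{t.isoformat()} {ip} /article/1")
        lines.append(f"{(t + timedelta(milliseconds=500)).isoformat()} {ip} {AD_CLICK_PATH}")
    return "\n".join(lines)


@dataclass
class WindowStats:
    start: datetime
    requests: int = 0
    page_views: int = 0
    ad_clicks: int = 0
    views_per_ip: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def ctr(self) -> float:
        return self.ad_clicks / self.page_views if self.page_views else 0.0

    @property
    def bounce_ratio(self) -> float:
        """Share of client IPs that viewed exactly one page in this window."""
        if not self.views_per_ip:
            return 0.0
        return sum(1 for n in self.views_per_ip.values() if n == 1) / len(self.views_per_ip)


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), ip, path))
    return events


def window_stats(events: list, window_seconds: int = 60) -> dict:
    """Bucket events into fixed windows (aligned to midnight) and tally each one."""
    windows: dict = {}
    for ts, ip, path in events:
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        slot = int((ts - midnight).total_seconds() // window_seconds)
        start = midnight + timedelta(seconds=slot * window_seconds)
        w = windows.setdefault(start, WindowStats(start))
        w.requests += 1
        if path.startswith(AD_CLICK_PATH):
            w.ad_clicks += 1
        else:
            w.page_views += 1
            w.views_per_ip[ip] += 1
    return windows


def flag_windows(windows: dict, baseline_ctr: float, ctr_multiplier: float = 5.0,
                 min_ctr: float = 0.05, min_requests: int = 30,
                 bounce_threshold: float = 0.9) -> list:
    """Flag windows where CTR and bounce ratio both look like a click-bomb.

    Windows with too little traffic are skipped, and the min_ctr floor stops a
    site with a zero baseline CTR from flagging every window that gets a click.
    """
    threshold = max(baseline_ctr * ctr_multiplier, min_ctr)
    return [w for _, w in sorted(windows.items())
            if w.requests >= min_requests
            and w.ctr >= threshold
            and w.bounce_ratio >= bounce_threshold]


def summarize(text: str) -> dict:
    """Treat the first window as the baseline and report which later windows trip the check."""
    windows = window_stats(parse_log(text))
    ordered = [windows[k] for k in sorted(windows)]
    baseline = ordered[0]
    flagged = flag_windows({w.start: w for w in ordered[1:]}, baseline.ctr)
    return {
        "windows": [{"start": w.start.isoformat(), "requests": w.requests,
                     "page_views": w.page_views, "ad_clicks": w.ad_clicks,
                     "unique_ips": len(w.views_per_ip),
                     "ctr": round(w.ctr, 3), "bounce_ratio": round(w.bounce_ratio, 3)}
                    for w in ordered],
        "flagged": [w.start.isoformat() for w in flagged],
    }


if __name__ == "__main__":
    report = summarize(build_sample_log())
    for w in report["windows"]:
        print(w)
    print("flagged:", report["flagged"])
```

On the constructed sample the 10:00 window shows 25 page views, one click (CTR 0.04) and no single-page visitors, while the 10:01 window shows 60 IPs, 60 page views, 60 clicks and a bounce ratio of 1.0, so only 10:01 is flagged. In practice you would feed real access logs, take the baseline from a week of normal traffic rather than the first window, and treat a flagged window as the cue to pause ads or tighten bot blocking and to report the incident to Google promptly, as advised above.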