OKO Digital

Google Ad Manager, Google AdSense, Traffic . 18th February 2020

How AdSense publishers can deal with ‘new’ Bitcoin extortion threats

What to do if you are threatened by click-bomb scammers

A ‘new’ extortion scam seemingly targeting AdSense users has been widely discussed in publisher circles this month after being reported on in the much-respected KrebsOnSecurity blog. The scam seems to be a new take on the ever-popular Bitcoin extortion scam emails, with the threat now being to click-bomb a publisher’s site and get them banned from Google AdSense.

The scam doesn’t yet seem to be widespread, and this particular format has only been reported by one credible but anonymous publisher. Despite this, we see this as a credible threat that publishers should be aware of and prepared for.

How the AdSense Bitcoin extortion scam works

Neither email extortion scams nor threats of AdSense sabotage are new, and we’re sure that many publishers reading this will have experienced at least one of them before. This variant combines the two in quite an efficient way.

It’s simple enough for scammers to identify websites that are likely to be making good revenue from Google AdSense. AdSense code is visible on-page in many cases and tools like Alexa Rank or SimilarWeb give useful enough traffic estimates for this purpose. The scammers then contact the website owner, threatening to flood the website with invalid traffic or clicks if a ransom isn’t paid by Bitcoin. In the example reported on Krebs the ransom being asked was $5,000 from a sender calling themselves “AdSense Syndicate.” Here is what the email said:

“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”

AdSense scams that threaten to sabotage publishers’ accounts via click-bombing are not a new concern; they’ve been going on for well over a decade. However, this particular scam takes a new format which has given rise to a new bout of concern amongst AdSense publishers. Google always claim that actual incidents of sabotage are very rare, but the fear of it happening is widespread and understandable: Click-bombing is an easy and largely risk-free act of sabotage to perform. Combine that with Google’s reputation for terminating accounts without notice or effective appeal, and you have the perfect background for this type of extortion.

Can click-bombing get you banned from AdSense?

The idea of click-bombing is to trick Google into thinking that a publisher is trying to defraud them by artificially inflating revenue. Google is understandably strict in dealing with publishers who try such tactics, so the threat is that Google will take action against the victim of click-bombing if under the impression that the publisher is attempting to commit fraud. Google maintain that this type of sabotage is both rare and that they have measures in place to identify and filter out such sabotage.

Despite these assurances from Google, many publishers see the threat as a credible one. Google’s primary concern is to keep as much fraud as possible out of their ecosystem so that advertisers are confident to spend their budgets with Google. Given that fraudsters and saboteurs are likely to be using exactly the same methods to inflate impressions, publishers are probably right to be wary that they could be the “baby that gets thrown out with the bathwater” when Google are protecting advertisers. This is particularly true given that Google clearly state that “ultimately it is the publisher’s responsibility to make sure that the activity on their ads is valid”.

“Ultimately it is the publisher’s responsibility to make sure that the activity on their ads is valid”
– Official AdSense Help Pages

How credible is the scam?

We’ve yet to see a report of any AdSense publisher being banned from the program after receiving an extortion email. In fact, reports of this specific scam all centre on one incident. Despite that, we see the Bitcoin extortion scam itself as a credible threat to publishers. The ease of the extortion request combined with the low risk to the scammers would suggest that copy-cat attempts are likely to now follow. How many will likely depend on how successful scammers are. The “prospecting” element of this scam is cheap and scalable and only needs a very small number of publishers to pay up to be successful, so don’t be surprised if more reports like this begin to surface.

We can also foresee “it was the Bitcoin extortion scammers” being the next excuse from shady publishers who legitimately get cut off. The vast majority of publishers banned for invalid activity are banned as a result of their own actions or inaction. Few who are caught seem to accept the blame for that, and shady publishers claiming to be banned as a result of scammers click-bombing them are only going to add fuel to this scam by making the threat of a ban seem more credible.

It’s certainly not impossible for this type of scam to result in an innocent publisher getting banned, but we see the risk of publishers paying the ransom as greater. Luckily there are steps that you can take if you receive a threat like this.

What to do if you are targeted by the Bitcoin extortion scam

General advice when dealing with this type of extortion scam is not to engage with the scammers. Instead we’d recommend the following steps:

  • Do not engage with the scammers, such as replying to their email
  • If possible don’t open the emails, or further emails from them. They may include tracking beacons to see which emails are being actively looked at
  • Don’t open any attachments or follow links from the email. These could not only demonstrate that you are taking the threat seriously, but could lead to other issues such as malware
  • Do read Google’s advice on invalid traffic. There isn’t much, but it is worth reading. See here.
  • Do report the threat to Google. They have an invalid traffic form here. Reporting early will have an impact on how your case is viewed if that becomes relevant
  • Do talk to your AdSense Account Manager or Google Certified Publishing Partner if you have one
  • Monitor your ad performance closely. If an attack starts you will likely see an increase in ad requests and CTR. You can always pause ads, or alter your trafficking if this happens
  • Do consider bot blocking solutions. We love Cloudflare’s Bot Fight Mode as the first line of defence, which is available even on free accounts
  • Do talk to OKO. If you are targeted by such a scam we’d be happy to share some advice even if you are not currently an OKO publisher
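
The monitoring step above can be automated. The following is an added example, not code from OKO or Google: it flags days where ad requests or CTR jump well above a trailing baseline, using the median and median absolute deviation so that a few attack days cannot drag the baseline up with them. The report rows are constructed sample data, and the 7-day window and threshold of 4 are assumptions to tune against your own traffic.

```python
from statistics import median

# Constructed daily report rows: (date, ad_requests, impressions, clicks).
SAMPLE_ROWS = [
    ("2020-02-01", 41200, 39800, 318),
    ("2020-02-02", 39850, 38400, 301),
    ("2020-02-03", 42100, 40700, 334),
    ("2020-02-04", 40500, 39100, 309),
    ("2020-02-05", 41800, 40300, 326),
    ("2020-02-06", 40950, 39500, 312),
    ("2020-02-07", 41500, 40100, 321),
    ("2020-02-08", 42300, 40800, 330),
    ("2020-02-09", 58000, 55900, 450),    # traffic surge, normal CTR
    ("2020-02-10", 96400, 91200, 2740),   # requests and CTR both jump
    ("2020-02-11", 118300, 110500, 4120),
    ("2020-02-12", 41100, 39700, 316),
]

def robust_z(value, history):
    """Deviation from the median of history, in scaled-MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Fall back to 5% of the median if the history is perfectly flat.
    scale = 1.4826 * mad or max(abs(med) * 0.05, 1e-9)
    return (value - med) / scale

def ctr(row):
    return row[3] / row[2] if row[2] else 0.0

def flag_days(rows, window=7, threshold=4.0):
    """Return [(date, [metrics that spiked])] against a clean trailing baseline."""
    baseline, alerts = [], []
    for row in rows:
        if len(baseline) < window:
            baseline.append(row)          # warm-up: assumed to be normal days
            continue
        recent = baseline[-window:]
        spiked = []
        if robust_z(row[1], [r[1] for r in recent]) >= threshold:
            spiked.append("ad_requests")
        if robust_z(ctr(row), [ctr(r) for r in recent]) >= threshold:
            spiked.append("ctr")
        if spiked:
            alerts.append((row[0], spiked))   # keep spike days out of the baseline
        else:
            baseline.append(row)
    return alerts

if __name__ == "__main__":
    for day, metrics in flag_days(SAMPLE_ROWS):
        print(day, "spike in", " and ".join(metrics))
```

A day flagged for both metrics matches the pattern described in the list above and is the one to act on by pausing ads or filing the invalid traffic report; a spike in ad requests alone with normal CTR is more likely an ordinary traffic surge.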

About Abbey Colville

OKO Digital, The Cake Shed, Manor Farm, Manor Road, Hayling Island, Hampshire, PO11 0QW

OKO is a registered trademark and trading style of OKO Digital Limited. Registered in England company number 03867231. © OKO Digital Limited 1996-2018. All Rights Reserved.
