
    Many AdSense publishers have run a roller-coaster of emotions today as initial excitement over high earnings turned to fear about unnatural activity. The problem started with unnaturally high Click-Through-Rates over the weekend causing earnings to spike. With CTR on many sites hitting 3X or 4X normal levels, this clearly isn’t down to normal user behaviour.

    It looks a lot like a coordinated attack on AdSense sites by automated “click bots” that is affecting large numbers of website owners.

    Is my site affected?

    We are seeing large spikes in CTR on many websites on April 19th and 20th (UK time).  If your site has the same then it is likely that you are experiencing the same problems.  The telltale sign would seem to be that traffic is coming from Version 27 of the Firefox browser.  You can check this for yourself in Google Analytics from Technology > Browser and OS > Firefox > 27, then changing the graph to display AdSense clicks rather than sessions.

    It isn’t hard to block all traffic using that particular browser if you have access to your .htaccess file.  You can do it with the following:

    # Return 403 Forbidden to any client whose User-Agent contains Firefox/27.0
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} Firefox/27\.0 [NC]
    RewriteRule .* - [F,L]

    Whether you want to block all those users though is not a straightforward call.  Blocking a browser version means blocking humans as well as bots and you could lose users.  Checking your historic traffic levels for that particular browser version can help make more informed decisions.

    It is worth noting that this pattern might change.  It is not unusual for attackers to change ‘footprints’ as they go.

    The source: xlhost.com inc

    The traffic seems to be coming from a network identified as xlhost.com.  You can check this in Google Analytics by looking at Technology > Network.  We’re seeing traffic from this host as having AdSense CTR of up to 344%!

    This is a traffic source that has been associated with click-bombing in the past.  With the traffic coming from a single source this does make it easy to block.  Just monitor the IP addresses and block those through htaccess. Do though remember, if you block a host you will be blocking legitimate traffic from that host as well as the bad.
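    One way to do that monitoring from the web server's own access log, as an added example that is not part of the original article: it tallies requests per client IP that carry the Firefox/27.0 footprint and emits deny lines only for IPs above a hit threshold, so a lone visitor on an old browser is left alone. The log lines are constructed samples using documentation-range addresses, the `min_hits` threshold is an assumed value, and the output assumes Apache 2.4 `Require` syntax.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SUSPECT_UA = re.compile(r"Firefox/27\.0", re.IGNORECASE)  # footprint named in the article

FF27 = "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
FF37 = "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0"

def sample_line(ip, path, ua):
    return f'{ip} - - [19/Apr/2015:10:00:00 +0100] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'

# Constructed sample log (not real traffic).
SAMPLE_LOG = (
    [sample_line("203.0.113.10", f"/page-{i}", FF27) for i in range(6)]
    + [sample_line("203.0.113.11", f"/page-{i}", FF27) for i in range(4)]
    + [sample_line("198.51.100.7", "/about", FF27)]  # single hit: plausibly a human
    + [sample_line("198.51.100.8", "/", FF37)] * 3   # other browser version, ignored
    + ["truncated or malformed line"]
)

def suspect_hits(lines):
    """Count requests per client IP whose User-Agent matches the footprint."""
    counts = Counter()
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m or not SUSPECT_UA.search(m["ua"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])  # only literal IPs may reach the config
        except ValueError:
            continue  # hostname or junk in the client field
        counts[str(ip)] += 1
    return counts

def block_rules(counts, min_hits=3):
    """Build an Apache 2.4 block denying only IPs with at least min_hits hits."""
    ips = sorted(ip for ip, n in counts.items() if n >= min_hits)
    body = [f"    Require not ip {ip}" for ip in ips]
    return ["<RequireAll>", "    Require all granted", *body, "</RequireAll>"]

if __name__ == "__main__":
    hits = suspect_hits(SAMPLE_LOG)
    print(hits.most_common())
    print("\n".join(block_rules(hits)))
```

    Review the per-IP counts before pasting the generated block into .htaccess, and re-run it as the footprint changes.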


    What is actually happening?

    Click-bombing is the name given to automatically generating lots of ad clicks on an AdSense publisher’s website.  There are a couple of interesting patterns to this particular attack though.  Firstly, multiple pages are being attacked, rather than a single page on each site.  We’re seeing a few dozen clicks to each page rather than hundreds to a single URL.  Another is an interesting footprint that is being created in that AdSense page impressions are being reported, but not Ad Unit impressions.

    This pattern becomes clear if we create a segment for all traffic on the xlhost.com network and compare it with all sessions:

    [Image: AdSense Pages, Google Analytics]

    Why do people click bomb?

    There are a number of reasons that are usually given to explain click-bombing.  Not all of these apply to the attack that we are currently seeing:

    “Click bombing isn’t real. It is publishers trying to con Google”
    This clearly is not the case with this attack. Many users have experienced problems in the last two days including some of our own clients.

    “Click bombing is designed to get the publisher account cancelled”
    At OKO we certainly believe that this is the motivation for some attacks, but probably not this one.  The reason for this is that a lot of publishers have been targeted and these are seemingly unrelated.

    “Click bombing is designed to hurt the advertiser”
    Again, this is feasible, but not likely in this case. To hurt a particular advertiser the attacker would need to find their ads. This would mean targeting sites in a similar niche, or those with custom search ads. This does not appear to be the case.

    “Click bombing harms Google”
    This seems the most likely motivation behind the current attack. Possibly a disgruntled publisher or someone else with an axe to grind.

    What should I do about this?

    The AdSense team are definitely aware of this issue (we have spoken with them about it).  We would expect that all necessary steps will be taken from their side. However, it is always good to be safe when it comes to protecting your account.  At the very least we would recommend reporting the invalid activity. This can be done from this page in AdSense help.

    You could additionally block users of that particular browser version either from seeing the ads, or from the site entirely.  As previously mentioned this might not offer protection if the pattern of the attack changes.   If you are particularly concerned then you could remove ads entirely until the patterns return to normality.

    Will I get to keep the money?

    Probably not.  Google tries to filter out invalid activity and automated clicks. Much of this happens before the click is even registered in your AdSense dashboard. Other filters can be applied “post click” and result in adjustments in your account.  Automated clicks cost advertisers money. When they are spotted they are reversed, the advertiser is refunded and the publisher account is adjusted to reflect this.

    Further reading

    Those affected by this issue (or concerned that they might be next time) might find the following articles interesting:

    Still worried?

    OKO are Google Certified AdSense Partners, recognised experts in AdSense and other monetisation products. As well as helping publishers to earn more through advertising, we help them reduce risk and improve the security of their accounts. Learn more about working with an AdSense partner here.

    Update

    Google have now started responding to many publishers who reported the suspicious traffic.  The statement reads as follows:

    Dear publisher,

    Thanks for reaching out. We appreciate your concern and honesty about this issue.

    Beginning April 19th, some publishers have been impacted by a new segment of invalid traffic. Fortunately, Google’s traffic quality systems were able to react quickly, detecting this traffic as invalid and treating it accordingly; however, for two days this was not reflected in estimated earnings.

    This invalid traffic will be removed before finalized revenue is reported at the end of the month. As a result, publishers may see a larger than normal difference between estimated earnings and finalized revenue for the month of April 2015.

    This invalid traffic is no longer being counted toward estimated earnings as of April 21, 2015. Since Google does not block this traffic, publishers may continue to see it reflected in their weblogs.

    Advertisers have not been charged for this invalid traffic. If you notice an issue like this in the future, please submit this form to our traffic quality specialists.

    Sincerely,
    The Google AdSense Team

     
