17
Feb 20

Pay Up, Or We’ll Make Google Ban Your Ads

A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.

A redacted extortion email targeting users of Google’s AdSense program.

Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:

“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”

The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”

The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.

The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially.

The reader, who asked not to be identified in this story, also pointed to articles about a recent AdSense crackdown in which Google announced it was enhancing its defenses by improving the systems that identify potentially invalid traffic or high risk activities before ads are served.

Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources.”

“Pretty concerning, thought it seems this group is only saying they’re planning their attack,” the reader wrote.

Google declined to discuss this reader’s account, saying its contracts prevent the company from commenting publicly on a specific partner’s status or enforcement actions. But in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic threat of sabotage, wherein an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory.

“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the statement explained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”

Google said it has extensive tools and processes to protect against invalid traffic across its products, and that most invalid traffic is filtered from its systems before advertisers and publishers are ever impacted.

“We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”

Tags: ,

52 comments

  1. Not The Sunshine State

    Interesting, haven’t heard of an extortion like this one before. Hopefully the measures and team Google has in place are efficient and fast when resolving tickets regarding this sort of thing. I wonder how many people, if any, actually pay the random.

    • The “we’ll report your youtube videos/channel” has been around a while, and this just seems a one removed version of that. It doesn’t surprise me in the slightest.

      And given what I’ve heard about Google’s responses in general, the “fast and efficient” will be turning it off, not the turning it on again.

      • Seems like the measures that Google is using only help Google. Not the advertisers.
        Just looking at the language…

  2. Thanks for the warning, Brian!

    Apropos of warnings, Firefox threw up a “Danger, Will Robinson!” on following the link from your email to your site.

    Just FYI, it claimed not to know the CA.
    GL, BK!

  3. This reminds me of another extortion scheme except money is withheld causing an ally to wonder if they should risk declaring an investigation that would affect the political cycle of the most powerful country on Earth.

  4. Another flavor in scareware tactics….

  5. It’s actually a very effective threat, as anyone who’s ever worked with Adsense will have noticed it’s more or less impossible to contact anyone at Google about problems with this. They’ll contact you to sell you more stuff, but if you try and contact them you get lost in a maze of web pages pointing to more web pages, none of which contain any way to contact them. Given that there’s no means of recovery, I can see that the victims would take paying up as the easier option. That’s exactly what we did with a billing error, it was so hard to try and get it resolved that we just paid Google to make it go away.

    • That’s been my experience as well. Google is hopelessly over-dependent on automated systems for dealing with abuse, which has two side effects: lots of abuse slips through, because it’s ridiculously easy get around Google’s automated abuse-detection systems if you know what they’re looking for. E.g. want to distribute malware? Just put it inside a password-protected zip file, upload it to GDrive, and Google will happily distribute it for you!

      The other side effect is that Google’s automated abuse detection systems have an absurdly high margin of error/false-positive rate, and it’s far too easy to run afoul of them for no valid reason. And it seems to be getting steadily worse – E.g. in the last few months, I’ve run into a situation where customer invoices were being consistently flagged as spam by GMail, SOLEY because they contained PDF attachments with .com or .org domain names. So if you have a domain with one of those TLDs, and your provider sends PDF invoices, you’ll have to manually rescue them from the spam folder every time. Oh, but it ignores other TLDs – want to send PDFs with malicious links to GMail users? Just use a .ca domain name & you’re all set! I’m sure CIRA could use the money….

      At this point, I’ve given up up making any attempt to get Google to resolve their issues through the “proper” channels – since they clearly ignore those anyway. Instead, it’s getting very tempting to just call their sales staff every time I run into one of those problems, and (E.g.) pretend that I’m a prospective GSuite customer – but can’t consider the service until they fix such-and-such issues.

  6. Bitcoin extortion email should be reported to Bitcoin on their online fraud form. The email should be attached and the target bitcoin account identified.

    • Kenny Blankenship

      I ask this out of ignorance, but how easy would it be to spin up a new Bitcoin wallet address for an attacker? If it will take a good bit of time, I am thinking that your approach would work well — that is assuming that Bitcoin’s Fraud Dept. will act quick enough. But if it’s trivial to spin up a new address, I’d imagine the attacker just updating the ransom page with their new wallet address.

      • The whole point of Bitcoin is it’s decentralized, there is no central Bitcoin agency or people that can stop anything to do with Bitcoin, please educate yourself before you spout nonsense online

        • Wow man, chill a bit. No need to prove how you earned your name

        • Kenny Blankenship

          Hmm. “Dick”alan… username checks out. “I ask this out of ignorance”… guess that went over your head, huh? No need to be a keyboard warrior because you know more on a topic than an internet stranger.

  7. The Sunshine State

    Here I am , my opinion is that Google Adsense is one big corporate tracker to monitor what you are doing online.

    I ad-block that crap right off my browser(s)

    • Get serious about it. I block google add services at my firewall by IP ranges. Works great too. Less adds, faster page loads.

      • I’ve tried this with Google and also with Facebook.
        Do you have a place where those IP ranges are listed?
        Whenever I find them myself, they’re out-dated.

        Thanks

      • Whenever I look up those ranges, I get ones that are out of date for Google and Facebook.

        Do you have a good source?

        • I don’t have a source. It’s been a while since I’ve done it but, hit a page with a bunch of Ad Choice, and other adds. open a command prompt and do netstat -an
          Take some of the IPs and put them in a Who Is tool like abuseipdb.com, once you identify some of them, try high and low IP numbers, they tend to own large ranges. Then you can block subnets. I would be seriously surprised if someone doesn’t have a list. Maybe even goog, as they would have a list to White List for their services, that can be Black Listed lol.

  8. This “we have a form” statement is like a corporation on Twitter asking you to DM them. If you use their form to report sabotage, you’ll be talking with a bot or get no reply at all. And forget about trying to call them, this top-5 most profitable company that prides on “doing no evil” doesn’t offer phone support for AdSense. This is exactly what makes these extortion schemes thrive.

    • John Eight Thirty-Two

      Google’s motto isn’t “do no evil”. It’s “don’t be evil”. Not the same thing at all.

    • Yeah, that’s pretty much what I commented on earlier. You don’t contact Google about Adsense, Google contacts you, and only to sell you more Adsense. So it’s the perfect attack vector for extortion because once the blackmailers hit you there’s no comeback.

  9. Who is stupid enough to pay blackmail like this. Victims are supposed to take the extortionist’s “word” that they will stop after payment?

    • Well considering large ad sites like Adsense and Facebook Ads provide no official avenue to report false bans, a lot of advertisers would feel they have no choice but to pay it. Keep in mind, large volume advertisers on Adsense often generate 6 figure revenues per day. A $5,000 extortion payment is negligible when it means you can continue making that much revenue uninterrupted. It’s a tough situation. You could pay and they go away or you could pay and then they demand more and more.

      • Tired of all the scammers

        “Keep in mind, large volume advertisers on Adsense often generate 6 figure revenues per day. A $5,000 extortion payment is negligible when it means you can continue making that much revenue uninterrupted.”

        “It’s a tough situation. You could pay and they go away or you could pay and then they demand more and more.”

        That’s the problem, “more and more”. Soon every scammer out there hears that you paid the ‘fee” and they all jump on the bandwagon for the free lunch you are offering. Now you’re paying 6 figures everyday to the scammers.

        I’d rather deal with Google and once they are aware of your problem, they can implement a fix. Maybe Google can one up the scammers, they could offer, for a fee, immediate direct service to them for AdSense users who let Google know of the ransom threat.

        The scammers lose out on the money, the users of the ads only lose a little money to Google, Google increases its revenue at the expense of the scammers. Scammers fume and eat chicken bones for lunch, no filet mignon, ah, pooorrr scammers.

  10. This remembers me the story of the IPS I piloted which blocked the DNS server after a little bit of IP spoofing.

    -> Plan and adjust every security measure carefully or it will potentially target yourself

  11. The extortion sounds like mafia nonsense, run through Google translation. It’s obviously an empty threat.

    “that’s a nice store you’ve got, it would be a shame if it was damaged.”

  12. will turning on “I’m under attack” by cloudflare help?

  13. Lets what action will take on this.

  14. Something similar happened to my organization’s Google Drive for Business. A malicious individual was able to temporarily suspend our access to Google Drive by submitting false DMCA claims for all of our publicly shared files. It took over a month to get everything restored, with it being near impossible to get ahold of anyone at Google. Keep in mind this is a service we pay for. Now the same individual is threatening to do it all over again and we have no idea what to do considering Google is basically unresponsive.

    • One of the first things I do when evaluating a vendor is call their support line, if their support sucks – there is no point to doing business with them. Move to a better service.

  15. Sharing the scams makes all of us that much safer. Thanks

  16. Your site is NOT mobile friendly. Can not properly read your article. I bet it’s a good one but most people who find rhis via their phone won’t know..m

    • Brian Fiori (AKA The Dean)

      Joe, I almost always read this site on a mobile device. I’ve never had an issue with it. Not sure why you find it so challenging.

      For what it’s worth , I request the desktop version (full site). Works great.

      • I’ve got to agree with Dean’s assertion. This site is simple to use and read.

        I appreciate that this site appears the same regardless of the device I use, regardless of the screen size, and with/without javascript. It loads nearly instantly, too, because it’s unburdened with a ton of mobile rendering scripts.

  17. “Pay the Danegeld, and you will never be rid of the Dane.”

  18. I wonder, but how do they know to which email is associated the web pages that send the emails there

  19. This website is impossible to read on mobile. Isn’t even the basic responsive.

  20. Adsense has become a joke. Its impossible to start a new website with them. I made an adsense account about 2 years ago and I was earning $500 monthly fairly easily. Then my life took me in a different direction and I decided to close my account and once my life became less hectic I would start using it again. That day came about 3 months ago and I earned $300 first month and then the next month about $270. My traffic was picking up and then bam my ad serving was limited for 30 days it was a ling hard money less 30 days then on the 31st day they removed the limit on my ads and I was so relieved because I had no other way of earning because I had given up my 9 to 5 job to work for myself in this wonderful field and 2 more days later they banned my account. It should be illegal for them to do this to their hard working publishers. I mean people are giving up everything to try to make this work and they cant even show you a hint of why they banned you. This is wrong.

  21. As others have said good luck getting some response out of Google.

    Due to their massive dominance over the advertising market it’s not like an ad buyer can walk down the road to another supplier.

    Well past time to break them up (and Facebook while you’re at it) as things stand online advertising is at the Standard Oil, circa 1890, stage. I wonder which politician is brave enough to try ?

  22. The best thing to do is to use a tool to avoid suspicious clicks!

  23. Best thing to do is to protect yourself from invalid traffic before it becomes a problem. Limit your risk and exposure – escalated.io

  24. Answer: Unite, start a petition, STOP using google and start making changes now. If we all grouped together now and focused on a serious change it would happen!

    Tell you what, if you guys were serious, and actually wanted change (not just talking) I started a website for nonprofits and cause-related groups for something just like this. I just opened the doors to join now. Still in Beta mode but its a replica of Fac-ebo-ok. I dare you to change the world for the better. its possible – caused.us

    I know lots of Developers that would come. We could even start our own search engine and have a system put in place where its not just one group or company making decisions. But we must start somewhere. Give me 2 days max to update new security on the site, until then I will open the doors so youj can see what Im talking about… – caused.us

  25. Google will not to anything. Google will just ban as usual. I’m mid publisher with 30 000 visits a day on legit websites and some android apps and I’ve got adsense/admob permaban for pub-id code in NOT MINE android apps.

    Google just banned me because Google does not care about decent developers.

  26. Thank you for this information. I was getting decent traffic from google on my travel website but suddenly google banned my account for invalid clicks will you please tell me how to recover my google adsense account back?

  27. Thankfulness to my father who shared with me about this blog, this webpage
    is genuinely remarkable.

  28. Hello team,
    I’m a freelancer and web-security researcher,
    I have found a vulnerability in your website.
    Kindly get back to me by my email address so I can report the issue briefly .

    Thanks.