A new extortion scheme targets users of Google’s AdSense program.
The scam threatens to flood a website with bogus traffic until Google suspends the site’s AdSense account unless the owner pays US$5,000 in bitcoin to avoid or stop the attack, security blogger Brian Krebs reported Monday.
The grifters appear to be exploiting a click-fraud crackdown Google launched last summer.
“This year, we’re enhancing our defenses even more by improving the systems that identify potentially invalid traffic or high-risk activities before ads are served,” Andres Ferrate, chief advocate for ad traffic quality, explained at the time.
“These defenses allow us to limit ad serving as needed to further protect our advertisers and users while maximizing revenue opportunities for legitimate publishers,” he wrote.
AdSense Nightmare
Krebs, a former Washington Post reporter, published portions of a ransom note provided to him by a reader of his Krebs on Security blog. In it, the extortionist warns the reader, who operates several websites, that he soon would be receiving ominous messages about his AdSense status.
“This will happen due to the fact that we’re about to flood your site with a huge amount of direct bot-generated web traffic with a 100% bounce ratio and thousands of IPs in rotation — a nightmare for every AdSense publisher,” the note declares.
“More also,” it continues, “we’ll adjust our sophisticated bots to open, in an endless cycle with different time duration, every AdSense banner which runs on your site.”
Although the reader was skeptical of the threat, Krebs noted that when he checked his AdSense traffic statistics, they showed invalid traffic to his sites increased substantially month-over-month.
A Krebs reader writing in the comments section of the blog explained why suspension of an AdSense account would be a nightmare: “It’s actually a very effective threat, as anyone who’s ever worked with Adsense will have noticed it’s more or less impossible to contact anyone at Google about problems with this,” wrote Dave.
“They’ll contact you to sell you more stuff, but if you try and contact them, you get lost in a maze of web pages pointing to more web pages, none of which contain any way to contact them. Given that there’s no means of recovery, I can see that the victims would take paying up as the easier option,” he continued.
“That’s exactly what we did with a billing error,” Dave added. “It was so hard to try and get it resolved that we just paid Google to make it go away.”
Classic Sabotage Threat
The case sounds like a classic threat of sabotage, where an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory, Google said in a statement provided to TechNewsWorld by spokesperson Suzanne Blackburn.
“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the company maintained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”
Google noted that it has a help center on its website with tips for AdSense publishers and a contact form for publishers to use if they believe they are the victims of sabotage.
“We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties,” Google advised.
“If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed,” it said. “We have extensive tools and processes to protect against invalid traffic across our products. In fact, most invalid traffic is filtered from our system before our advertisers and publishers are ever impacted.”
Framing the Good Guys
Google has the resources to address this problem if it wants to, observed Sky Cassidy, CEO of MountainTop Data, a Canoga Park, California-based provider of data services to B2B marketers.
Google has a way to identify fake clicks, he explained, although in the past, the person cultivating those clicks usually was the AdSense account holder.
“They would be trying to generate more money with the fake clicks,” Cassidy told TechNewsWorld.
The scheme described by Krebs is a novel one, he continued, because the schemers are trying to frame AdSense users and make it appear they’re using their accounts for fraud.
“In the past, the schemers were probably being hired by AdSense account holders to commit ad fraud. Once Google shut that down, they decided to do it to people and make them pay not to do it,” Cassidy speculated. “They’re taking their tools, pointing them at legitimate people, and making them look like the bad guys.”
Before Google cuts off an AdSense account for abuse, the company should determine the source of the abuse and not assume the account holder is at fault, he suggested.
“If an AdSense user is attacked and gets an extortion email, they should be able to forward the email to Google and say, ‘This isn’t me,'” Cassidy said. “It’s going to take a little more work on Google’s end, but luckily they’ve got billions of dollars so they can do it.”
Tough Talk, Little Action
The AdSense extortion scam is similar to classic Distributed Denial of Service shakedowns, noted Jerome Segura, director of threat intelligence at Malwarebytes, a cybersecurity software maker based in Santa Clara, California.
In a DDoS attack, the criminal floods a site with bogus traffic. That prevents it from functioning. In the case of an e-commerce site, that means lost revenue, as customers desert the site when they can’t land there.
“These scams typically work best on sites that have a sizable amount of traffic or in cases where an attacker is specifically targeting a victim,” he told TechNewsWorld.
The breadth of the AdSense scam suggests it may be more social engineering than action, Segura said.
“We saw this previously with sextortion spam campaigns claiming to have compromising pictures or videos of victims, when in reality attackers only had a password that had been exposed previously in a data breach,” he explained.
“Whether or not the criminals do follow up on their threat, victims are likely to be scared and pay upfront,” said Segura.
With traditional DDoS attacks producing dwindling revenues, criminals are turning to new approaches to reap ill-gotten gains, observed Deepak Patel, a security evangelist at PerimeterX, a Web security service provider in San Mateo, California.
“The new wave of business logic attacks are using advanced bots that can mimic human behavior and use hyper-distributed IPs to cause serious disruptions,” he told TechNewsWorld.
“As more commerce shifts online, attackers will find ways to monetize,” Patel added. “Automated threats should be evaluated as a business risk, and every digital business should account for them and deploy bot management solutions to protect their users and proprietary content.”