Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Advertising Google The Almighty Buck The Internet

New Email-Based Extortion Scheme Targets Website Owners Serving Ads Via Google AdSense (krebsonsecurity.com) 16

Brian Krebs sheds light upon a new email-based extortion scheme targeting website owners serving banner ads through Google's AdSense program. "In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher's ads with so much bot and junk traffic that Google's automated anti-fraud systems suspend the user's AdSense account for suspicious traffic," writes Krebs. From his report: Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google's systems might send if they detect your site is seeking to benefit from automated clicks. The message goes on to warn that while the targeted site's ad revenue will be briefly increased, "AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent."

The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate. The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his "AdSense invalid traffic report" from the past month had increased substantially.
"We hear a lot about the potential for sabotage, it's extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding," Google said in a statement. "For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems."

"We have a help center on our website with tips for AdSense publishers on sabotage," the statement continues. "There's also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed."
This discussion has been archived. No new comments can be posted.

New Email-Based Extortion Scheme Targets Website Owners Serving Ads Via Google AdSense

Comments Filter:
  • Seems like we need to get e-mail authentication up and running in order to prevent these scammers from hiding...

    • Or, let's require authentication before a viewer can receive ads. Not logged in into Google -> collapsed space where the ad would be. Would fix ad fraud nicely. :)

      • Google already has a cookie for anybody who touches Google or Google Ads, even if they aren't logged in. Problem here, the threat seems to be from a botnet that imitates legit users.

        • by rtb61 ( 674572 )

          The solution is easy, simply skip adsense and leave it to google to sort out the attack on it's services. Many company will find in short order the ads and not really worth it. Of course reality is, google will charge for those fake clicks and when your money runs out, claim suspicious activity but only after your money runs out.

    • by ls671 ( 1122017 )

      This wouldn't help in this case. On our systems, we have noticed a huge wave of perfectly authenticated emails coming from outlook.com. They even have a valid DKIM signature. This is an aftershock of outlook.com getting massively hacked last year or maybe in 2018, I can't recall and I am too lazy to check and provide a link, just search for it.

      They just send the emails from hijacked outllook.com accounts. It is still going on pretty strongly, I can assure you. Once the hijacked account get reported to outlo

  • Simple solution: (Score:5, Interesting)

    by DogDude ( 805747 ) on Monday February 17, 2020 @08:50PM (#59738072)
    Serve your own damn ads. Not only do A. you make more money, B. you can avoid this and other scams, but C. people will actually see the ads! It's revolutionary (War-era)! Somebody gives you money, and in return, you put their ad on your website! It's crazy but it's possible! (When I ran a successful commercial web site, I did this for years). No, it's not as easy as pasting some Google tracking codes on your site, but as with most things, you get out of it what you put into it.

    I give this mini-lecture to every web site that I come across that says that I need to disable my ad tracker. I also give it to everybody who wants me to advertise with them (through an ad network).
    • Actually, it's not that easy... if Google's too smarmy for you, try Commission Junction. CJ requires you "match" between a sponsor and your site, and you get to control which ad goes where.

    • by AHuxley ( 892839 )
      The big ad company might not like that due to privacy settings.
      Other ads are bad for privacy.
      Best to buy approved and secure ads from the big ad company.
      Their ads always show on their brand of free browser.
    • It is very hard to get someone to give you money, especially if they don't have any reason to believe your traffic data (or your too small to give the time of day). They would rather give the money to Google who has the capacity to detect fake traffic often enough you may be only wasting half your money.

      • by DogDude ( 805747 )
        What proof does anybody have that Google's numbers are accurate? Why would they be more trustworthy than a non-advertising company?
  • Won't that mean I can now pay hackers to artificially click the ads on my website to make me money and if I am caught simply tell Google that I was merely the victim of an extortion scheme?
    • Here's how what trying to scam with...

      1. Use a botnet to generate low quality clicks to a site's Google ads.
      2. Google reverses the money on those clicks, but accidentally takes away some legit clicks too.
      3. Site owner loses more than if they paid the ransom.

  • Much like the extortionists who target YouTubers and threatening with bogus copyright strikes unless a ransom is paid, I can't help but wonder who pays these ransoms really? What prevents 100 other people with an email account from doing the exact same thing? How is it not money thrown in the toilet? At least with ransomware you can review your computer usage habits and avoid having to pay again, so if the value of files locked is significantly higher than the ransom demanded it makes sense to pay.
  • Google claims to have support and appeals. In reality, not so much. I had an account get blacklisted, appealed repeated. It was very hard to reach anything other than a negative auto-responder. The humans we did eventually reach, couldn't figure out why we'd been banned. They turned us back on. Three days later, we were banned again. Tried again, eventually were told there was nothing they could do. They didn't know what was happening and they weren't empowered to overrule it.

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...