AdSense-Specific Ransom Attacks

Good morning, everyone!

Are you seeing an unexpected spike in your AdSense earnings? It’s most likely intentional click fraud with a side of ransom.

Last night I discovered a new botnet that uses an initial “warning” in the user-agent of the first request to a site, then parses the content of the site and submits “clicks” to your AdSense account.

A similar botnet was discovered last month that used Firefox 27 as its user-agent. Blocking Firefox 27 is very easy: it’s very outdated and insecure, has a built-in updater, and its users should have been forced to upgrade by now. However, this new variant of that botnet no longer uses Firefox for its user-agent. Well, not ONLY Firefox.

Only the initial request from the botnet will send the ransom message as its user-agent string. If you don’t view your logs you might never realize you’ve fallen victim to their attack. That first request is quickly followed by dozens, hundreds or even thousands of requests that parse random page content and “click” the AdSense ads. After the first request the botnet will use random legitimate user-agent strings, which makes it impossible to block on user-agent alone. This is designed to skew your AdSense click ratio via intentional click fraud. Even though you, as a publisher, are not directly involved in the click fraud, Google may punish you for it by terminating your publisher relationship with them.
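To make the log check concrete, here is an added example (not code from this post) that scans an access log for clients whose first user-agent reads like free text and whose later requests rotate through several user-agents. It assumes Apache/nginx combined log format and that the follow-up requests come from the same address as the first one, which the post does not state; the sample lines, addresses and placeholder message text are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
# Ordinary user-agents start with a product/version token (Mozilla/5.0, curl/8.5.0).
PRODUCT_RE = re.compile(r"^[A-Za-z0-9._-]+/[0-9]")

# Constructed sample log; addresses come from documentation ranges and the first
# user-agent is placeholder text, not the real message.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "constructed placeholder text standing in for the message"
203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET /a HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET /b HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "GET /c HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
198.51.100.20 - - [01/Jan/2024:00:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
198.51.100.20 - - [01/Jan/2024:00:05:09 +0000] "GET /a HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
"""

def looks_like_message(ua):
    """Heuristic (assumption): free text has no leading product token and 4+ words."""
    return not PRODUCT_RE.match(ua) and len(ua.split()) >= 4

def find_suspects(lines, min_followups=3, min_distinct_uas=2):
    """Return clients whose first logged user-agent is free text and whose later
    requests rotate through several user-agents. Lines must be in time order."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # skip lines that are not in combined format
            by_ip[m.group(1)].append(m.group(2))
    suspects = {}
    for ip, uas in by_ip.items():
        followups = uas[1:]
        if (looks_like_message(uas[0]) and len(followups) >= min_followups
                and len(set(followups)) >= min_distinct_uas):
            suspects[ip] = {"first_ua": uas[0], "followups": len(followups),
                            "distinct_uas": len(set(followups))}
    return suspects

if __name__ == "__main__":
    for ip, info in find_suspects(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The thresholds are starting points for a small site; raise `min_followups` on busy sites where shared addresses legitimately send many user-agents.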

DO NOT PAY THE RANSOM! As with all blackmail, paying the ransom would only encourage further attacks against you. A great example is the series of ransomware Trojans that hijack your content and encrypt it so that you no longer have access to your own files. A warning appears demanding $x be sent to the attacker, and if you do send the money a second (and subsequently third, fourth and even fifth) amount is demanded, while your content is never actually released.

We’re acting quickly to block all identifiable instances of the click fraud/ransom attacks, but you should take the time to personally contact Google to let them know that you’re aware of the new botnet that may be attacking your sites. This will ensure that you are not blindsided by Google should they determine that your account is manipulating clicks. Google has exactly one punishment for all slights: termination of your account. Don’t let it happen to you.


Shawn K. Hall
