An email-based extortion scheme is demanding bitcoins from website owners who serve banner ads through Google’s AdSense programme, reported security researcher Brian Krebs. Perpetrators of the scam threaten to flood the publisher’s ads with malware and junk traffic, forcing Google’s automated anti-fraud systems to suspend the user’s AdSense account for suspicious traffic.
Google’s algorithm spots bot-generated ad traffic, lists it as fraudulent and places an ad serving limit on the publisher account, refunding the revenue to advertisers. After a temporary suspension, usually for a month, AdSense lifts the ad ban. The perpetrators threaten that if this happens, they will flood the site again with low-quality web traffic, which will lead to a second and permanent AdSense ban.
The criminals behind the scam demand bitcoin worth US$5,000 (£3,900) to forestall the attack.
“In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate,” wrote Krebs.
The scam follows Google’s recent crackdown on invalid traffic. Google AdSense defines invalid traffic as any clicks or impressions that may artificially inflate an advertiser's costs or a publisher's earnings. It includes automated clicking tools or traffic sources, robots, or other deceptive software.
“Clicks on Google ads must result from genuine user interest, and any method that artificially generates clicks or impressions is strictly prohibited by our Program policies. If we observe high levels of invalid traffic on your account, we may suspend or disable the account to protect our advertisers and users,” said the AdSense guidance.
“Additionally, if we are unable to verify the quality of your traffic, we may limit or disable your ad serving.”
Google AdSense is not the only technology service whose anti-fraud systems are regularly abused by cyber-criminals, commented ImmuniWeb CEO Ilia Kolochenko.
“For instance, in some social networks, an account can easily get banned for the influx of fake followers, and extortion of popular accounts is on the rise. Worse, it is extremely time-consuming to get your account unblocked, and virtually impossible to recover any loss of revenue caused by a block,” he said.
“Threats to flood websites with garbage traffic are perfectly feasible, being very simple and cheap. Most likely, such attacks will indeed trigger some problems with Google Ads.”