Pay or we’ll make Google ban your ads – cancer to safety

A new email-based ransomware appears to be making the rounds targeting website owners who run banner ads through Google Adsense Program. In this scam, the scammers demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems ban the user’s AdSense account for suspicious traffic.

Earlier this month, KrebsOnSecurity heard from a reader who runs several websites that are getting quite a bit of traffic. The message this reader shared began with a quote from an automated email that Google’s systems might send when they detect that your site wants to benefit from automated clicks. The message continues:

“Very soon, no doubt, the alert from above will appear on your AdSense account dashboard! This is due to the fact that we are about to flood your website with a huge amount of direct bot-generated web traffic with a 100% bounce rate and thousands of IP addresses in rotation – a nightmare for any AdSense publisher. In addition, we will customize our sophisticated bots to open any AdSense banner running on your site in an endless cycle of varying durations.”

The message goes on to warn that while the target page’s ad revenue will be boosted for a short time, “AdSense traffic scoring algorithms will very quickly identify such a web traffic pattern as fraudulent.”

“Next, an ad serving limit will be imposed on your publisher account and all earnings will be returned to the advertisers. This means that your website’s main source of income will be temporarily blocked. It will take some time, usually a month, for AdSense to lift your ad ban. However, should that happen, we have all the resources needed to once again inundate your site with poor quality web traffic, which could result in a second AdSense ban permanently!”

The message calls for $5,000 worth of bitcoin to thwart the attack. In this scam, the blackmailers likely assume that some publishers might see payment as a cheaper alternative to getting rid of their main source of income from advertising.

The reader who shared this email said that while he likely believed the message to be an unfounded threat, a review of his recent AdSense traffic statistics showed that the detections in his “Invalid AdSense Traffic Report” were from the last month had increased significantly.

This was also pointed out by the reader who asked not to be named in this story Article about a recent AdSense raid in which Google announced that it would strengthen its defenses by improving systems for potential identification invalid traffic or high-risk activities before showing ads.

Google defines invalid traffic as “clicks or impressions generated by publishers clicking on their own live ads” and “automated click tools or traffic sources”.

“Quite concerning, I think this group is just saying they are planning their attack,” the reader wrote.

Google declined to discuss this reader’s account, arguing that its contracts prevent the company from publicly commenting on a particular partner’s status or enforcement actions. However, in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic sabotage threat, in which an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to its inventory.

“We hear a lot about the potential for sabotage, but in practice it is extremely rare and we have put in place some safeguards to prevent sabotage from succeeding,” the statement said. “For example, we have detection mechanisms in place to proactively identify and account for potential sabotage in our enforcement systems.”

Google said it has extensive tools and processes in place to protect its products from invalid traffic, and that the majority of invalid traffic is filtered out of its systems before advertisers and publishers are even affected.

“We have a help center on our website with tips for AdSense publishers on the topic of sabotage,” the statement continued. “There are also a form We offer publishers the opportunity to contact us if they believe they have been the victim of sabotage. We encourage publishers to refrain from any communication or further action with any party signaling that they are driving invalid traffic to their web properties. If there are any invalid traffic concerns, they should let us know and our Ad Traffic Quality team will monitor and assess their accounts as necessary.”