Hacker Scheme Threatens AdSense Customers with Account Suspension

Scam threatens to flood sites using Google’s banner-ad program with bot and junk traffic if owners don’t pay $5K in bitcoin.

A new e-mail based extortion attack threatens publishers who use Google's AdSense banner-ad program with generating traffic that will earn them an account suspension from Google, perhaps a permanent one, if they don't pay the attackers in bitcoin.

The scam, revealed in a post by security writer and researcher Brian Krebs on his blog KrebsOnSecurity, demands $5,000 worth of the cryptocurrency in return "for a promise not to flood the publisher's ads with so much bot and junk traffic that Google's automated anti-fraud systems suspend the user's AdSense account," Krebs wrote.

“In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate,” he said.

AdSense is a program that website publishers use to serve targeted banner ads to their audiences, with Google providing ad administration, sorting and maintenance.

Krebs said he learned of the scam from a reader who maintains a number of sites that receive what he characterized as "a fair amount of traffic." The reader received an email that began by quoting from a message an AdSense user might receive from the program's automated system if it detects that a site is violating the program's terms by seeking to benefit from automated clicks.

While the reader at first dismissed the message as baseless, a review of his recent AdSense traffic statistics showed that detections in his "invalid traffic report" from the past month had indeed spiked, Krebs noted in his post.

The message goes on to threaten the reader with a vow to flood his or her site with a “huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation–a nightmare for every AdSense publisher,” according to the post.

“Also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site,” the attackers wrote in the message.

The attackers also warned the potential victim that while the targeted site will see a brief increase in ad revenue, the AdSense algorithms designed to detect such activity as fraudulent will soon catch on. This will result in the placement of an ad-serving limit on the victim's publisher account, and advertisers will receive refunds of the site's revenue, according to the message.

The attackers also vow that even once a ban is lifted, if the user doesn’t pay, they will flood the site again, “which will lead to second AdSense ban that could be permanent!” they warn in their message to the reader.
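The traffic the extortionists describe has a recognizable shape in a publisher's own access logs: many distinct source addresses, one request each, nothing but a bounce, and typically no referrer. The following heuristic checker, added here as an illustration and not taken from the article, from Krebs, or from Google's invalid-traffic systems, parses combined-format web server log lines and flags a window that matches that pattern. The log lines, thresholds and field names are constructed for the example; a real deployment would tune the thresholds against a site's normal baseline.

```python
"""Heuristic spotter for the bot-flood pattern described in the extortion message.

Added example (not the article's or Google's code). Reads Apache/Nginx
"combined" log lines and flags a window dominated by many single-request
IPs with no referrer, which is what a rotating-IP, 100%-bounce flood looks like.
"""
import re
from collections import Counter

# Apache/Nginx combined log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of log fields, or None for lines that don't match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, min_requests=20, single_hit_share=0.8, no_ref_share=0.8):
    """Summarize a batch of log lines and decide whether it looks like a bot flood.

    Thresholds are assumptions chosen for the example: flag only when there is
    enough traffic to judge, most IPs made exactly one request (100% bounce),
    and most requests arrived with no referrer (direct, non-organic traffic).
    """
    hits_per_ip = Counter()
    no_ref = 0
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        total += 1
        hits_per_ip[rec["ip"]] += 1
        if rec["ref"] in ("", "-"):
            no_ref += 1
    if total == 0:
        return {"total": 0, "distinct_ips": 0, "flagged": False}
    single_hit_ips = sum(1 for n in hits_per_ip.values() if n == 1)
    result = {
        "total": total,
        "distinct_ips": len(hits_per_ip),
        "single_hit_ratio": single_hit_ips / len(hits_per_ip),
        "no_referrer_ratio": no_ref / total,
    }
    result["flagged"] = (
        total >= min_requests
        and result["single_hit_ratio"] >= single_hit_share
        and result["no_referrer_ratio"] >= no_ref_share
    )
    return result


def organic_sample():
    """Constructed sample: two human-looking visitors reading several pages each."""
    lines = []
    for i, ip in enumerate(["203.0.113.5", "198.51.100.7"]):
        for j, path in enumerate(["/", "/post/1", "/post/2"]):
            lines.append(
                f'{ip} - - [18/Feb/2020:10:0{i}:{j:02d} +0000] "GET {path} HTTP/1.1" '
                f'200 5120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64)"'
            )
    return lines


def flood_sample(n=30):
    """Constructed sample: n distinct IPs, one request each, no referrer, one UA."""
    return [
        f'192.0.2.{i} - - [18/Feb/2020:10:05:{i % 60:02d} +0000] "GET / HTTP/1.1" '
        f'200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"'
        for i in range(1, n + 1)
    ]


if __name__ == "__main__":
    print("organic only:", analyze(organic_sample()))
    print("organic + flood:", analyze(organic_sample() + flood_sample()))
```

Run against a real log, the check is a corroboration tool, not proof: a legitimate traffic spike from a social-media share can also look like many one-hit visitors, so the sensible response to a positive result is the one Malik recommends below, namely to keep the evidence and report it to Google rather than to pay.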

One security researcher referred to the attack as "an evolved form of DDoS attacks" aimed at individual website owners rather than the usual targets of these types of attacks, namely large corporations.

Javvad Malik, security awareness advocate at KnowBe4, said in an email to Threatpost that while there doesn't seem to be enough evidence presented to know whether the attack is a serious one, it does seem within the realm of "the technical capabilities of many criminals, particularly with the large number of IoT devices that get continually compromised and added to botnets."

"We've seen variations of these over the years, and they will continue to evolve," Malik said, adding that it's important for people "to not give in to such demands," and to contact Google instead with any worries or evidence of suspicious behavior.

Indeed, Google already seems aware of an increase in these threats. The company recently said it is enhancing its AdSense defenses by improving the systems that identify potentially invalid traffic, which the company defines as "clicks or impressions generated by publishers clicking their own live ads," as well as "automated clicking tools or traffic sources," or other high-risk activities before ads are served, Krebs noted in his post.

When Krebs contacted Google, the company declined to discuss the specifics of the attack outlined in the post. Instead, Google issued a statement suggesting it seems like a "rare" case of attempted sabotage, behavior against which the company has detection mechanisms in place, Krebs wrote.
