A creative extortion scheme is threatening websites with revenue loss by unleashing bad traffic that activates Google's AdSense anti-fraud systems, according to Krebs on Security. First, a fraudster threatens to flood the publisher's site with sketchy bot traffic. Then, Google's AdSense anti-fraud systems would pick up on that traffic and suspend the user's AdSense account. Naturally, all you have to do to make this problem go away is pay said fraudster $5,000 in bitcoin.
The emails have the kind of bad grammar and threatening tone that you'd expect. "Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly," it states. "This will happen due to the fact that we're about to flood your site with huge amount of direct bot generated web traffic with 100 percent bounce ratio and thousands of IP's in rotation -- a nightmare for every AdSense publisher."
"Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!"
The message clinically states that Google will likely place an ad serving limit on your account and refund advertiser revenue. Once the ad ban is lifted, they'll "flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!" according to the email. The bad guys are no doubt hoping that publishers will just pay up rather than see their ad revenue go up in smoke.
The unnamed recipient of this email thought it could be a bluff, but it's easy to see how a scheme like this could work. Google is very touchy about fraudulent clicks designed to increase ad revenue, particularly coming from "automated clicking tools or traffic sources," aka clickbots. As such, it recently announced a crackdown on such fraud.
Google is aware of issues around ad extortion, though. "We hear a lot about the potential for sabotage, it's extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding," Google told Krebs in a statement. It advised websites to not engage fraudsters and to communicate "any concerns about invalid traffic."
However, as many publishers know, it's notoriously difficult to contact a human inside Google about AdSense issues. If there's a problem, they often only hear about it after Google has already taken action -- and the appeals process can be difficult, long and frustratingly opaque.