homepage Welcome to WebmasterWorld Guest from 23.20.34.25
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Subscribe and Support WebmasterWorld
Home / Forums Index / Google / Google AdSense
Forum Library, Charter, Moderators: incrediBILL & jatar k & martinibuster

Google AdSense Forum

    
Adsense Click Protection and Security Impossible/Possible
ronburk




msg:1350861
 8:06 pm on Jul 28, 2004 (gmt 0)

This is not an "AdSense dropped me, Google is bad" thread. I'm just looking at what Google can do technically to prevent fraud, and I can't see any way that Google is not incredibly vulnerable to a small number of people simply wiping out the value of AdSense.

My overview reasoning is this: spam has reduced the value of email, and has proven unpreventable. But the pain of spam is distributed across a huge population of users. Similar techniques applied to AdSense are likely also unpreventable, but the pain will be stacked up largely on one company: Google.

Most discussion of Google AdSense fraud has been about individuals terminated for alleged "fraudulent clicks". At this level, it seems that Google can protect itself fairly well. In the worst case, Google could simply apply an incredibly simple and unfair algorithm of: "if your clicks and income go up too much too fast, we'll terminate you". I'm sure they can create a better algorithm than that, but still it seems likely they have a technical defense for the individual cheater -- especially if they don't mind incurring some "collateral damage", and terminating a certain percentage of innocent AdSense customers.

But if you look at where the real fraudulent money has been made online, it has been with DDOS extortion. The recent case of Russian hackers (probably controlled by the Russian Mafia) getting arrested was news simply because it is so rare that the extorters get caught. These folks were telling Internet gambling sites to pay them some protection money, or they would start a distributed denial of service attack just before a major sporting/betting event. But hacker extortion has also been used against banks and other companies, with apparent great success, according to some security experts.

Let's say bad guy X is in the online extortion business, and he starts taking a hard look at Google and its upcoming cash infusion. If he's a competent bad guy, then X has at his disposal hundreds, if not thousands of zombie machines waiting to do his bidding.

It's important to understand that these zombies are not "like" real Google users -- they actually are the machines that belong to real Google users. They are at universities and businesses and homes, they have both static and dynamic IP addresses, they are both dial-up and always-on connections, etc. They have virtually no characteristic that distinguish them from the general population of computers that use Google services.

It's also important to understand that access to zombie machines is bought and sold on the black market, and such access is fairly affordable. Thus, bad guy X may only "own" a thousand zombies, but if his previous extortion career has paid at all well, he can afford to "rent" thousands more.

So bad guy X starts sending some anonymous mail to Google, saying "I can provide you with AdSense protection for the affordable price of $100,000 per month, which you need to wire to my bank account. Here's the account number for this month."

Maybe Google doesn't pay, so bad guy X says "Gee, I'm sorry you've decided to leave yourself so unprotected. I've heard on the street that bad guys are going to fraud-click the travel industry this month. I sure hope that doesn't happen to you!" Then he tells his zombies to start attacking Google ads placed by what he guesstimates are the top 10 AdWords customers for travel.

Can Google prevent this attack? I don't think so. A broad enough distribution of attacking machines becomes indistinguishable from real people. When many of them are dynamic IP addresses (e.g., lots of AOL customers) you can't block based on IP address. If the attacking algorithm is at all smart about frequency and click patterns, the attack should be indistinguishable from a remarkable surge of interest in researching travel options -- except that 10 big AdWords clients will find that AdWords has suddenly become a really lousy place to advertise.

If the attacker is really savvy, he'll demonstrate his ability once to Google, then add "I wonder what would happen to your stock price if the press understood such attacks are possible and have already been demonstrated?"

There's the conundrum I propose. I just don't see technically that the Google AdSense/AdWords infrastructure can protect itself from organized crime using distributed attacks. One can try to track down the attacker by following the money (the extortion payments), but that gets difficult when the attacker is in a country that is not particularly lawful and not particularly friendly to the U.S. And, of course, there is always the danger of an attacker whose motivation is not money, in which case there is no money trail to follow, no warning message, and no offer of immunity. It is not just the technical feasibility of this kind of attack that is so worrisome -- it's the affordability.

So, while webmasters talk about how scary it is to have their income reliant on Google AdSense, given that Google can jerk it away at any moment, I am really concerned that Google itself is reliant on income that can be jerked away by anonymous attackers. I hope that Google has some defense against such attacks, but I currently do not believe a defense is technically possible. I hope I'm wrong.

 

Paris




msg:1350862
 4:11 am on Jul 29, 2004 (gmt 0)

It would harm the advertisers -- not Google. In the near-term it would create a huge spike in Google's revenue because Google makes money on every click (which it splits accordingly with the publisher).

While bogus clicks would snowball and hurt Google eventually it would really only hurt the content publishers more because more AdWords sponsors would bypass the content and bid up the search keywords exclusively. So Google would still get its money.

I'm sure Google is actively trying to prevent anything like this from ever happening -- but if it does, the blackmailing hackers would be talking to a Google that would be laughing all the way to bank because they didn't understand the business model behind AdSense.

danieljean




msg:1350863
 5:09 am on Jul 29, 2004 (gmt 0)

Creating a 100% fraud-proof system might be impossible or so unusable that it would not be popular. What Google is probably doing is going after the most serious vulnerabilities, and trying to limit the overal amount of fraud.

It's quite possible too that G could use conversion ratios to better target and value various publisher's traffic. Fraud click would then be completely irrelevant... actually, I'd be surprised if this isn't one of the reasons they already use conversion tracking.

Swash




msg:1350864
 6:46 am on Jul 29, 2004 (gmt 0)

"Smart pricing"

nuff said.

MrAnchovy




msg:1350865
 6:51 am on Jul 29, 2004 (gmt 0)

While it's certainly a possibility, why do you think Google's ad programs would be the target?

Doesn't Yahoo make over $1mil/day on ad revenue... why aren't they or other similar companies a possibility in the scenario?

I'd tend to think that criminals would at least evaluate some type of risk-"reward" ratio... attacking someone like Google seems like a low chance of payment & a high chance of being tracked down.

Why not stick with the casinos & other mid-level sites that wouldn't garner as much publicity/attention?

Yeah it's always a possibility, and yeah it is eve a reality, but I can't help but think of all those 10pm news promos "What you don't know can kill you" type stories when I read the above.

Powdork




msg:1350866
 7:03 am on Jul 29, 2004 (gmt 0)

If Google were to block AOL IP's, that would only make the world a better place IMO.
Seriously though, your point is well taken. i never worry about getting dropped from adsense. i worry that someday these f#$%ing hacker/spammers are going to screw the entire internet up for everyone, including themselves. All they have to do is scare the online public about the safety of credit card transactions enough, and online advertising goes the way of the dodo.

jomaxx




msg:1350867
 8:29 am on Jul 29, 2004 (gmt 0)

Many many firms are theoretically vulnerable to this kind of blackmail. There have been several DOS attacks against major online companies in just the past 2 days.

I don't see what can possibly be gained by discussing the specifics of how to carry out such an attack, but I will say that I hope you're wrong and that nobody is really paying ransom to these bastards.

neo_brown




msg:1350868
 10:15 am on Jul 29, 2004 (gmt 0)

People certainly are paying money to these guys.

Leosghost




msg:1350869
 11:54 am on Jul 29, 2004 (gmt 0)

I always thought that discussing the precise methodology of hacks etc was against the tos ....
Especially giving out roadmaps ....albiet a little flawed.

richmondsteve




msg:1350870
 1:38 pm on Jul 29, 2004 (gmt 0)

ronburk wrote:
Can Google prevent this attack? I don't think so. A broad enough distribution of attacking machines becomes indistinguishable from real people.

Prevent? No. Identify and take appropriate action? Quite possibly. Google introduced smart pricing a few months ago, which theoretically can help mitigate the effect of such attacks, at least for publishers using the tracking code.

But smart pricing aside, I disagree that such attacks by default become indistinguishable from real visitors. If Google only looks at IP addresses, aggregate impressions and clicks, then you'd probably be right, assuming the attacker(s) just did a decent job spreading out traffic across non-unusual IP ranges and typical site pages following normal paths through the site(s). But I have every reason to suspect they can look at much more detailed statistics which given them the ability to recognize patterns and anomolies, should they want to. And if faced with large-scale and frequent attacks of a large magnitude and publisher and advertiser dissatisfaction they would probably want to. Between AdSense, AdWord, SE, and Toolbar data, Google has a lot of data available which would allow them to learn a lot about traffic levels (page by page), traffic patterns (time on page, pages per session, paths through site), referring pages, user demographics (IP, geography, OS, user agent), user behavior (time on pages, sites/pages looked at across sites), etc.

Without access to a site's raw logs or Google's own data it would be very hard to perpetrate large magnitude attacks that could not be discovered and dealt with by Google, should they want to allocate the personnel, systems and time to do so. And whether they want to or not would no doubt be decided as a business decision, whether economic or political.

My 2 cents.

caspita




msg:1350871
 2:08 pm on Jul 29, 2004 (gmt 0)

It would harm the advertisers -- not Google. In the near-term it would create a huge spike in Google's revenue because Google makes money on every click (which it splits accordingly with the publisher).

It will hurt Google in the long run of course and in the short term the publishers. I could say here that the hackers are smart enougth to not use the publishers for their porpouses (they, I'm sure, will try to get money from them also), I think for this kind of attack the could just go directly to the Ads from the SERPs, not hurting the small publisher who will have to pay less to be safe but hurting GG anyway.

While it's certainly a possibility, why do you think Google's ad programs would be the target?
Doesn't Yahoo make over $1mil/day on ad revenue... why aren't they or other similar companies a possibility in the scenario?

Why not? ... I don't think it will be a matter of the big/small guy .. or the Linux/Windows world .. if their interest is the money they will go for all of them, that's all.

I think we could remove the 'Google' name from this topic, it is valid for any ads program. But removing the name won't avoid to GG be the target.

lars




msg:1350872
 5:16 pm on Jul 30, 2004 (gmt 0)


Let's say bad guy X is in the online extortion business, and he starts taking a hard look at Google and its upcoming cash infusion.

Like Computer Programmer Arrested for Extortion and Mail Fraud Scheme Targeting Google, Inc. [usdoj.gov]?

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Google / Google AdSense
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved