Of course we both totally overlooked the valid point that the PUB-ID would surely be checked back against the originating site.
The 'Allowed Sites' feature of AdSense at least stops your ID being used on sites that you don't control.
But if a user's machine and/or browser has been taken over then it can send any data up the wire to Google that it likes. There is nothing especially for Google to check against, at least until the money involved is big enough to notice...
[edited by: DamonHD at 12:45 am (utc) on Oct. 31, 2007]
The 'Allowed Sites' feature controls which sites your publisher identification number can be used upon but it does not stop another such number being placed on your sites.
Scumware, through changing these numbers on a probably random basis (for example, one in ten ads), would function without a problem on a website. Remember this isn't something Google can see happening, as Google doesn't have the scumware and is unlikely to install it just in case.
This thread poses a bigger question: how could we detect scumware? Perhaps the first step is to consider points-of-interaction with scumware which could allow such an action. Here are mine:
1: Inserting or modifying any .js coming back from Google Adsense during transfer
2: Editing the embedded code on the page during transfer
3: Executing something post-load to edit existing values
1) Google should be able to recognise an adunit call for a given publisher ID not matching the publisher ID in the clicks which come back.
[edited by: vincevincevince at 1:51 am (utc) on Oct. 31, 2007]
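The check in point 1) above, sketched as an added example (not part of the original post and not any real Google system): it compares the publisher ID an ad unit was requested under with the ID on the click that comes back. The record fields, the per-impression token and all sample values are constructed assumptions, and it only sees a change made after the ad-unit call.

```javascript
// Constructed sample records; field names and the per-impression token are assumptions.
const impressions = [
  { token: "imp-001", pubId: "pub-1111", site: "cars.example" },
  { token: "imp-002", pubId: "pub-1111", site: "cars.example" },
  { token: "imp-003", pubId: "pub-2222", site: "recipes.example" },
  { token: "imp-004", pubId: "pub-3333", site: "travel.example" },
];
const clicks = [
  { token: "imp-001", pubId: "pub-1111" }, // consistent with the ad-unit call
  { token: "imp-002", pubId: "pub-9999" }, // ID changed after the ad was served
  { token: "imp-003", pubId: "pub-9999" }, // same foreign ID, different site
  { token: "imp-777", pubId: "pub-9999" }, // click with no matching ad-unit call
];

// Compare the publisher ID on each click with the ID the ad unit was requested under.
function findSuspectClicks(impressions, clicks) {
  const served = new Map(impressions.map((i) => [i.token, i]));
  const findings = [];
  for (const click of clicks) {
    const imp = served.get(click.token);
    if (!imp) {
      findings.push({ token: click.token, reason: "no-impression", creditedTo: click.pubId });
    } else if (imp.pubId !== click.pubId) {
      findings.push({ token: click.token, reason: "pub-id-mismatch",
        servedTo: imp.pubId, creditedTo: click.pubId, site: imp.site });
    }
  }
  return findings;
}

// Group mismatches by the ID that received credit: one ID collecting
// clicks from several unrelated sites is the pattern worth escalating.
function sitesPerCreditedId(findings) {
  const bySite = new Map();
  for (const f of findings) {
    if (f.reason !== "pub-id-mismatch") continue;
    if (!bySite.has(f.creditedTo)) bySite.set(f.creditedTo, new Set());
    bySite.get(f.creditedTo).add(f.site);
  }
  return [...bySite].map(([pubId, sites]) => ({ pubId, sites: [...sites].sort() }));
}

const findings = findSuspectClicks(impressions, clicks);
console.log(findings);
console.log(sitesPerCreditedId(findings));
```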
Something like that would be easily detected by Google. Think about it, a new account accruing money from sites identified with a wide variety of other websites. Footprints don't get any bigger than that.
Of course, the scumware could potentially edit http_referer and the location.href details going back to Google to make it appear that both the ad units and the clicks were on the scumware controller's website.
Well sure, in that case it could fake everything and never need to actually show the ads at all.
I agree with MB - this is Google's problem, and after so many years monitoring AdSense they could almost certainly detect this sort of thing easily.
The short answer is - yes it can be done.
I posted on the thread here [webmasterworld.com] about something not right on my machine a while back. I never closed out the thread but I did find the problem. It ended up being a toolbar I installed that promised to "speed up the web". I usually try everything and then remove the programs but this one I left on for a few days. Fortunately for Google it is not a popular toolbar today.
What was happening is the URLs for AdWord ads were being rewritten to the one you see so that when you clicked them you went straight to the advertiser's site bypassing the Google accounting system.
My guess is that if a URL can be changed then changing a publisher id could be done also. The only problem is that the spike in earnings for the newly placed id would most likely set off a trigger at Google. Not allowing clicks cannot be tracked so Google just stops making money...and I'm guessing the toolbar would trigger something eventually also.
Trying to answer everyone:
I didn't think this would "stir up" enough interest even though I wasn't tongue-in-cheek originally, just merely skeptical
|The 'Allowed Sites' feature controls which sites your publisher identification number can be used upon but it does not stop another such number being placed on your sites. |
Yes this seems to be a "grey" area. How much protection does it afford? Initially, on reflection, I thought "no chance." Now I'm not so sure.
|Scumware, through changing these numbers on a probably random basis (for example, one in ten ads)... |
I suspect they don't [if they do exist] would need to do that unless they had multiple accounts. Then again these people aren't some "smart" 14 year old kids, they're usually "sophisticated" East Europeans with former KGB connections. We're putty in their hands - IMHO. They'd have 100's of accounts.
|Something like that would be easily detected by Google. Think about it, a new account accruing money from sites identified with a wide variety of other websites. |
As far as I know, the "scumware brigade" from the early 2000's were extremely sophisticated. I think they were actually unmasked purely by accident in an unrelated issue and it took Amazon and others, months if not years to become pro-active.
As justageek said:
|The short answer is - yes it can be done. |
Now how real is this threat? Given the AdSense billions at stake, these turkeys can throw $millions at the problem and to say it's never been considered or attempted by anyone is naive in the extreme.
I'm somewhat less tongue-in-cheek now.
Risk of someone TRYING to do it: 100%. Risk of such an attack yielding a significant sum of money: probably nil.
I agree with martinibuster and justageek that Google has plenty of tools that help them identify anomalous traffic. In addition to the information sent directly from the browser, Google also has access to statistical behaviour patterns, conversion data, analytics data, toolbar data, its own search engine/spider data, registry data, etc. I'm not going to get any more specific than that, as I have no interest in helping the bad guys fine-tune their attacks.
I was going to write a detailed theory on how the swap could be done. I decided not to because I don't want to give the parasites any extra ideas (Although a lot of people have already thought of ways to do it)
Anyway, the key to preventing fraud is Google's ability to determine if a click was real. They still haven't cleaned up the MFA situation. A whole bunch of semi expendable MFA accounts would make a great place to launder clicks if you can generate or steal them. Sort of like the way the mafia uses car washes to launder money.
If you want detailed info on how scumware works, check out Ben Edelman. His writing style isn't the most exciting but it does give a lot of detail exactly how scumware works.
|I decided not to because I don't want to give the parasites any extra ideas. |
Para-site is a very good word for this, etymologically speaking. Outlining possible means of invasion is important; the parasites have spent a lot of time thinking of devious methods and anything you said here would serve only to give the rest of us a jump start on avoiding them.
Somewhat off-topic, but consider what would happen if G decided to make the 'allowed sites' feature mandatory: all adsense publishers must use it or they get no credit. Now, the above-described scumware would be useless, because their IDs wouldn't be allowed on the sites in question :D
Personally, I'm betting that after a while, G will require all publishers declare the sites on which they intend to use their ID.
Don't buy it...period! I was there as a beta tester for Google, this is simply an extremely badly implemented, untested and unproven data push.
No more, no less. I've seen bad data pushes/AdSense screw-ups in the past and this is the monumental FUBAR of them all!
The FACT that no one is receiving any response from them indicates that they KNOW they have a major problem.
Unfortunately I am beginning to feel that inter-governmental observance of this incredibly highly influential monster may be required.
Heh? Am I turning Chinese?
Doubtful, however are they being screwed-over by something totally out of their control?
Why? Just why do they do this?
Because they can. :)
We get it already. You weren't hit by smart pricing, it was a "bad data push" whatever that is. Unfortunately you posted this latest missive in the wrong thread.
|For me I don't believe it's possible with AdSense but nagging in the back of my mind.... |
Seen it quite a lot, especially with "free proxy software" downloads and even online proxy services. They either strip out the adsense ads and put their own in or just alter the publisher ID.
|Something like that would be easily detected by Google. |
Most certainly ... but when has Google "knowing" about something always resulting in Google "doing" something about it?
|Seen it quite a lot, especially with "free proxy software" downloads and even online proxy services. They either strip out the adsense ads and put their own in or just alter the publisher ID. |
And the toolbar that bypasses the AdWords/AdSense ads does so through the DOM so it's very easy for anyone to do.
This is one of the troubles that Google will always have to face. It's a $200 billion dollar house of cards when any kiddie hack can stop their revenue generator dead in its tracks with a few lines of JS.
I remember that a few years back there was a software hacking the affiliate clicks and orders and making loads of money while the affiliates' income stayed low.
Seems they would catch the clicks in transmission, strip the affiliates code and replace it with theirs ON ITS WAY to the destination.
Probably back by now.
This is up there with getting hit by lightning. I can't worry about it.
If I were a scumware developer, I would never think about replacing the pub-id on ads in other sites. I would get caught immediately.
This would be my strategy:
Develop a site that (mediocrely) ranks for thousands of minor keywords. For example, say I rank on page 4 for "michigan used cars"
Then, develop and somehow get to spread a malware that:
1) opens a (somehow hidden) IE window
2) goes to www.google.com
3) searches "michigan used cars" (with a random keyword rotation)
4) searches through SERPs until my site is found
5) clicks on google SERPs to get on my site
6) randomly navigates a few pages
7) just 5% of the times: click on Adsense ad
8) keep browsing the "target" site for the ads to simulate interest.
That's what I call the "perfect crime" of click frauds, mimicking a human user in all details: my site will have a nice organic (?) traffic, and thousands of hits, users sent to my site directly by google (the most kosher of them all!) etc. etc.
There's only one solution: Google will get in the antivirus field.
Exactly as when Urchin was bought by Google to give its product away for free: they paid a few million dollars just to get in the logs of thousands of servers to better monitor traffic patterns (imho) for fraud detection purposes.
Exactly as when they spent a few other million dollars to spread the google toolbar, so that they have a "client-side" view of a reasonable sample of your users, again (imho) for fraud detection.
What will be the move? who knows... Perhaps they might buy a solid but minor antivirus product to give it away for free (bye bye Symantec), or perhaps sponsor an open-source antivirus project or something like that.
I think the malware-for-adsense risk is a real threat for Google's main asset, and that in a not too far-away future they'll have to deal with it.