Welcome to WebmasterWorld Guest from

Forum Moderators: buckworks & eWhisper & skibum

Message Too Old, No Replies

A Detailed Look at Click Fraud.

How to Identify it and Adwords Criticism.

2:13 am on May 6, 2005 (gmt 0)

New User

10+ Year Member

joined:Aug 13, 2001
votes: 0

Over the past few years, the companies I run have paid Google Adwords and the Goto/Overture/YSM operations over $500,000 in CPC fees. In those years, I have had several very expensive cases of click fraud occur. The total damages are probably some where are $20-50k total.

Not bad considering the amount of business the Adwords program has generated for my businesses. However, the trend is getting much worse. During my first year on Adwords I did not even have one suspected case of overt click fraud.

Lately, it's been getting really bad. Hardly a month goes by without, at least, a minor case of it. It's getting to the point that I'm letting minor cases slip by because of the time and energy it takes to follow up on them. I've essentially set a threshold below which it's not worth my time to investigate.

However, every time I have followed up I have been met by a very defensive staff at all three of the major brokers: Google, Overture and FindWhat. Below is a glimpse into the incredibly frightening world of the Adwords advertiser.

This is an actual email exchange between me and several Googlers. I chose Google to highlight this issue because Google is the organization, of the three, that I respect most and expect more of.

A brief intro:

In the early mornings of the 17th and 19th of April 2005 I received tens of thousands of adwords hits within a couple of hours on a term that has an average of 10 clicks per day. On the 17th I caught it within a few hours and put the ad campaign on hold for a day. On the 18th, I took the campaign off hold and experienced the same thing the morning of the 19th.

Total damages almost exactly $200 (about $50/hour). Here is the email exchange between me and a Googler. I have removed anything that might identify the Googler or my business and have cut the starting block off the IP addresses as well as truncating the log that I supplied to Google as proof of the fraud.

In this case, the fraudulent clicker was a real hack who didn't know enough about the system to disguise his click spam from a vigilant webmaster, otherwise, I would just have to pay for the clicks even though I know that term is not that popular. However, even with the neophyte tactics he was using, it still got by the Adwords "filter" and I paid for them.

Enough chatter, here's the email exchange and evidence of "very bad things" at Google. I hope they will change the way they handle this or the CPC programs are doomed to the same kind of scandals we are seeing in the telecomm and insurance industries.


Tue, 19 Apr 2005 20:43:33 -0700 (PDT)
Original Message Follows:
From: <snip>
Subject: Re: [#<snip>] Invalid click activity
Date: Tue, 19 Apr 2005 20:43:33 -0700 (PDT)

To whom it may concern,

I am requesting a refund for all click throughs from the <snip> block that occured during the 17th and 19th of April in the <snip> ad group.

Contained in this email is an overwhelming amount of evidence that I have been clicked bombed probably by someone abusing the Adsense program.

Name: <snip>
Adwords Customer ID: <snip>

Evidence follows:

- The keyword(s) associated with invalid clicks.

The invalid clicks are coming through the content total in the <snip> Ad Group. So, the problem clicks are associated with one or more of those keywords

- The related URL(s) of ad(s) receiving invalid clicks.


- Suspicious IP address(es) from server web logs

IP and ISP
<snip>.9.101.23 <snip>.net
<snip>.9.101.30 <snip>.net
<snip>.9.101.98 <snip>.net
<snip>.9.102.60 <snip>.net
<snip>.9.102.142 <snip>.net
<snip>.2.184.145 <snip>.net
<snip>.2.184.234 <snip>.net
<snip>.2.184.29 <snip>.net
<snip>.2.181.83 <snip>.net
<snip>.2.76.9 <snip>.net
<snip>.2.173.89 <snip>.net
<snip>.2.173.239 <snip>.net
<snip>.2.181.59 <snip>.net
<snip>.2.181.133 <snip>.net
<snip>.2.25.251 <snip>.net
<snip>.8.81.167 <snip>.net
<snip>.2.175.187 <snip>.net

and several dozen other <snip> block at <snip>.net IP addresses.

All of these hits are only one file deep. All hit /index.html?google and do not stay long enough to attempt to download images. Length of stay until next hit by the same IP address averages about 0.5 seconds. They only hit /index.html?google with no calls for anything else until the next call for /index.html?google. They total to thousands of google click throughs in the half life 2 pc ad group in content match on the 17th and 19th of this month. Most of the clicks come in over just a few hours.
For instance, 90% of the several thousand clicks on the 19th were logged between 0400 and 0800 hours.

Attached is a .png pic of the graphical analysis of the following server log. Note the extreme outliers of page loads on the 17th and 19th of April compared to the unique hits.


<snip>.9.101.23 - - [19/Apr/2005:03:47:33 -0600] "GET /favicon.ico HTTP/1.1" 404 133
<snip>.9.101.23 - - [19/Apr/2005:03:48:01 -0600] "GET /index.html?google HTTP/1.1" 304 -
<snip>.9.101.23 - - [19/Apr/2005:03:48:59 -0600] "GET /favicon.ico HTTP/1.1" 404 133
<snip>.9.101.23 - - [19/Apr/2005:03:49:22 -0600] "GET /index.html?google HTTP/1.1" 304 -
<snip>.9.101.23 - - [19/Apr/2005:03:50:10 -0600] "GET /favicon.ico HTTP/1.1" 404 133
<snip>.9.101.23 - - [19/Apr/2005:03:51:23 -0600] "GET /index.html?google HTTP/1.1" 304 -
<snip>.9.101.23 - - [19/Apr/2005:03:52:56 -0600] "GET /favicon.ico HTTP/1.1" 404 133
<snip>.9.101.23 - - [19/Apr/2005:03:53:25 -0600] "GET /index.html?google HTTP/1.1" 304 -
<snip>.9.187.198 - - [19/Apr/2005:03:53:40 -0600] "GET
/images/gaming_pc_desktop_thumb.jpg HTTP/1.1" 200 6547
<snip>.9.101.23 - - [19/Apr/2005:03:54:20 -0600] "GET /index.html?google HTTP/1.1" 304 - - - [19/Apr/2005:03:57:43 -0600] "GET /favicon.ico HTTP/1.1" 404 133
<snip>.9.101.23 - - [19/Apr/2005:03:59:06 -0600] "GET
/cgi-bin/liveadvisor/status_graphic.pl?graphic_nossi=1 HTTP/1.1" 200 4047
<snip>.9.101.23 - - [19/Apr/2005:03:59:58 -0600] "GET /favicon.ico HTTP/1.1" 404 133

The log excerpt above is unedited except for where noted.

I received an email from an Adwords staffer. It is listed below. I have snipped his name and mine to stay in line with the WebmasterWorld policies.

AdWords Support wrote:
Hello <snip>,

<paraphrased: eWhisper>

Our investigation concluded that:
1. Your additional distribution came from the Google Network.
2. It's common to see larger distributions when using Google's search & content networks.
3. It appears that some of the invalid clicks came from the content network.
4. You should receive a credit at the end of the quarter to your account.


The Google Click Quality Team



This is the first time I have ever had a rep respond that this was definitely invalid clicking. Even with server logs showing the evidence, this is the more forthcoming I have seen any of the three major CPC programs be.

However, note that is a very general email committing to nothing. It does not mention how much I am owed, offers a credit (not a refund) at the end of the quarter and does not mention any efforts towards punitive investigation efforts to stop future cases from the same perpetrator despite the fact that they know what Adsense or Content partner these clicks came from.

Here is my reply:

Original Message Follows:
From: <snip>
Subject: Re: [#<snip>] Invalid click activity
Date: Fri, 22 Apr 2005 12:10:49 -0700 (PDT)


Thank you for your reply. The dollar value of the invalid clicks over the two days is almost exactly $200 (determined by subtracting invalid from valid IP addresses at the average CPC for that click as stated by the Google adwords "Content Total" line). I need to know how much your investigation determined would be refunded so that I can appeal it if it is not close to $200.

I also need to know why you have determined that the money will be refunded at the end of the quarter. The money was charged on a consumer credit card and can be returned to me much faster by filing a chargeback with my credit card company.

You have billed my company for money that you did not earn. I expect it to be refunded or credited immediately.

By the way, refunding at the end of the quarter sounds like Google is using fraudulent click income to inflate earnings reports. I know invalid and fraudulent clicking is very common as I was a partner is a search
engine marketing firm and have seen it total to over $100,000 in one clients account in one month. The total quarterly inflation could easily amount to 10s of millions of dollars. If the amount of invalid clicks
had totalled to $20,000 instead of $200 would the policy still be to credit (not refund) the funds at the end of a quarter? That kind of invalid billing could easily destroy a business. Perhaps the policy of
crediting an account at the end of a quarter should be reviewed before this becomes egg on Googles face.

Thank you for your time.



My point in posting this is to
1. Show what someone who is going to be promoting a business through a CPC prgram is up against
2. Maybe, just maybe, help get things changed a little faster

I am amazed that the same Google whos mission it is to "organize the worlds information" is the Google that claims not to be able to notice a massive spike in clicks all from the same IP or IP group.

Additionally, it is too difficult to prove click fraud with the PPC programs. Like I said above, of all the times I've tried to convince them of fraudulent event, this is the first they have admitted even hinted at a substantial refund. The others I have had to absorb as a cost of doing business in the PPC world.

What is most dissapointing about this episode is the policy for holding the money to the end of the quarter and then crediting the account so that it trickles back to the advertiser over time. That really scares the hell out of me. It means that even if I am vigilant enough to stop a click bomb within 24 hours (I go on vacation sometimes) I could end up with a 5 figure bill (meaning an overdrawn bank account) and lost sales due to no more money to fund Adwords driven marketing. I'm not sure if this is illegal or not. I'm guessing lawyers could probably argue this one either way. However, I know it's not ethical and does result in an inflated financial report.

With most than 70% of my hits coming from Google these days, I can't afford to get into a chargeback and potential account shutdown battle. I've become dependent on the hits that Google brings my businesses.

So, what do I do? What do we do? Not much really. I'm too busy running my business and monitoring my PPC accounts to do more than post here and let my fellows know how it's Buyer Beware at Google.


P.S. My apologies for any typographical errors. It's 9:13pm and I'm still at work. What a job we have, eh? =)

[edited by: eWhisper at 12:58 pm (utc) on May 6, 2005]

3:46 am on May 6, 2005 (gmt 0)

New User

10+ Year Member

joined:Mar 6, 2005
votes: 0

Thanks for laying out your case so well, Arachnid... As you say, beware... these attacks always hit on the first day of vacations!

The response you get must surely depend on how sophisticated the advertiser is at interpreting referrer logs, etc. Most probably aren't as savvy as you; a typical response for such spikes might be: perhaps there was an article on CNN or Newsweek that triggered a sudden surge of interest and resulting traffic to your site... maybe, but then why didn't sales surge as well?

It's like they say in my neck of the woods - where we have the highest rate of car theft per capita in north america - if your car was stolen it was your fault for not using a steering lock or other anti-theft device.

I'm interested therefore to hear from anyone out there who has implemented an API program that recognizes those spikes and is able to pause an adgroup before serious losses (Google credits) are incurred. Even if you don't take vacations and sit at your computer 24/7 it's pretty hard to spot those surges when you've got hundreds of adgroups spread across 25 campaigns. Are there successful monitoring products available on the market? How much do they cost?