Adsense traffic team should be aware of the problem by now. It looks like a widespread attack, which I notified them about. Give them a few hours to sort this out.

I will check my logs for 5.101.142.0/24

Possibly another candidate that is attacking people.

Let us compare the useragent. Here's what I found:

Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

Scary, woke to £900 pound over night. But only from 150 clicks, how are they doing that?!

it seems these bots are running few google search query with high paying ads, then they get all cookies in cookie jar , and when they reach on any site all they have is ripe high paying ads to feast on!

Ok, looks like the bot is using Firefox 27.

In my logs I also found out that average session duration for Firefox 27 users is: 00:00:02

You can try this:
RewriteCond %{HTTP_USER_AGENT} Firefox/27\.0 [NC]
RewriteRule .* - [F,L]

This should take care of it for now until Adsense staff has fixed their backend

@SirTox - You could save time and aggravation blocking the entire XLHost CIDR rather than one partial at a time. It's less work for your server and you are highly unlikely to block any humans.

deny from 173.45.64.0/18

as well as

207.182.128.0/18

and

209.190.0.0/17

can be used to block XLHost from those neighborhoods.

A quick way to identify the bot is to go through all browser within Analytics and analyze the avg session duration. Any browser with 2 milliseconds should be considered a bot user.

I was also click-bombed on 2 sites with completely different niches the only thing in common is that they're both forums.

I was click-bombed by the following ips:

209.51.197.x
207.182.128.x
207.182.132.x
209.190.31.x
5.101.146.x
94.229.76.218
88.150.131.58
173.209.49.90
68.168.114.42

I decided to block the following CIDR address ranges on my server:

209.51.197.0/24 = XLHost.com Inc
207.182.128.0/19 = XLHost.com Inc
209.190.0.0/17 = XLHost.com Inc
5.101.144.0/21 = UK Dedicated Servers Limited / STA005-IP1
94.229.64.0/20 = UK Dedicated Servers Limited / STA005-IP1
173.209.49.0/24 = GTCOMM-2650
88.150.131.0/24 = RSDEDI-GPAANOOP / UK
173.209.49.0/24 = GTCOMM-2650
68.168.114.0/24 = GTCOMM-2650

90% of the attacks came from XlHost and STA005-IP1 entworks using different ip ranges so I do recommend to block the whole CIDR address range for this networks.

I was able to identify this attack because this bots leave the following signature on the webserver logs:

"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0)"

My adsense earnings went up around 300% because of this attack.

I already reported this to google; I hope they don't cancel my account...

Hope this helps..

[edited by: rveram at 7:07 am (utc) on Apr 20, 2015]

The amount of users using Firefox 27 is slim, so it might be a better idea to block the user agent as I described above.

But both ways together will make sure to completely block it.

Google wont block any accounts, because this is a widespread attack that they were unable to identify in time. This has been going on for 12+ hours. Admittedly it's a Sunday in the US and at the time I suppose not many admins are on duty.

Please where do i check to see if its a bot? im on GA and i just cant see anything strange

Audience => Technology = Browser & OS => Select Firefox

Now you should see subversions of Firefox

Check the average session length. This is normally above 1 minutes to 3 minutes but for bots it will be 00:00:02 or similar, very unrealistic, definitely not a regular user

Of course avg sessions depends on your site but even news site should have an avg session length of approx 30 to 40 seconds even when users immediately hit back many times

[edited by: oliversk at 7:21 am (utc) on Apr 20, 2015]

Thanks for the Firefox 27 advice. What do you know, all of my clicks so far for 4/20 are from Firefox 27. Letting my hosts know and we can move on from there.

Sure no problem, it was the first thing I could think of. You should ask your host to give you access to .htaccess files so you can modify it yourself next time

New day and the freak show goes on. When is Google going to repair this. The earnings keep flowing in at unrealistic pace.

I am realizing I am unable to fix this myself. I am thinking to let Google handle it as Monday unfolds. What to block? I don't know anymore. I have blocked some IPs yesterday and they provided a "temporary relief" but earnings still keep going up in an unrealistic manner.

Chrome's avg session is almost 2 seconds but when i checked service provider i saw xlhost.com inc whose avg session is also 00:01:54.

I have removed ads from my site now but this seems normal?

Have any of you made any significant updates to your site? There is a major SERP update going on at Google:
[googlewebmastercentral.blogspot.in...]

I have written to Google about this unusual spike and also sent an email to my account manager.
Will update in case anyone gets back.

I'm having the same issue with US and France and my earnings went up to 327% and my top paying websites on all different add units and channels the clicks seem even. Not just targeting one add unit like a click bomber would do. I think it's either an error on google's part or someone really hates google.

I am having the same issue. 300% earnings yesterday (sunday) compared to avg 7 days before. Lots of clicks coming from France, Russia, UK and Canada. blocked XL Host and some other hosts mentioned here but the clicks keep coming! hope google doesnt ban us?

Same here in UK - huge jump in CTR yesterday - but only on one site. Can't be real traffic - CTR is nearly 10x normal. Have reported it to Google via their online form.

Having had a bot-free Sunday my numbers were horrible, so horrible that it was my worst-ever UK day. Whatever happened to the traffic for my sites on 1st April is continuing at 50% however checking the SERPs it is not difficult to see why, they're not just appalling, they're a pathetic attempt to promote US businesses only.

Not sure what happened yesterday, but earnings were 156% up on seven days ago, I made three times as much yesterday as I've been earning in the last few weeks, though not sure why that happened.

Same here since yesterday, crazy earnings and only in one of my sites, reported to google

I have just response from Google stating that they are already aware of this problem and currently dealing with it.

Now while we are on hold, can we possibly create another thread where we can all start posting all discoveries related to AdSense SPAM hosts with their IPs, UAs and so on to help each other to somehow illuminate this problem and at the same time help others who are not aware of the problem at this point of time. Shared effort please.

[edited by: AlexB77 at 11:17 am (utc) on Apr 20, 2015]

I'm seeing a huge spike in earnings and CTR is up over 3%, which is great, but it seems like others are having the same "problem." I don't think this is a click bombing issue. I'm in the U.S. It's 6 in the morning. If this holds, today will be one of the best earnings days ever.

I agree with one of the posters that the problem comes through the Firefox browsers. Has anyone the code I can add to my htacces file to block only Firefox users? Or would you advice me to wait and have Google sort it out.

The problem is getting worse: yesterday I has a spike of about 250% in earnings in total, with a couple of 'false' high CPC clicks and now 4 hours in on the 20th I am at 1000% of what it normally is. My PV's are only up a bit and the problem comes from a small group of Firefox using bots(?) clicking on the cherries in the pie. How can they figure this out?

Please advice: block Firefox users, or sit out the storm?

Here it is @kireb

RewriteCond %{HTTP_USER_AGENT} Firefox/27\.0 [NC]
RewriteRule .* - [F,L]

anyone know the agent block with nginx?

edit

if ($http_user_agent = "the user agent"){
return 403;}

[edited by: chalkywhite at 11:38 am (utc) on Apr 20, 2015]

Thanx AlexB77