I've had that happen a couple of times and Google was already aware of what was going on and, I assume automatically, discounted thousands of fraudulent clicks.

Whomsoever did it tried it across several different websites we have over a period of 7-10 days and then just stopped.

It never hurts to open the line of discussion with AdSense just to let them know you aren't the one playing games with the site.

Nothing wrong with a little communication, establish some trust, you never know where it might lead.

I would just comment out the adsense code until the attack is over. I think contacting AdSense won't make a difference. Google does not meaningfully interact with their publishers, so it's safe to assume they don't have a CRM for tracking the customer service interactions between Google and their publishers.

I would just comment out the adsense code until the attack is over. As someone already mentioned, Google has algorithms to handle the fraudulent clicks, i.e. Google knows how to wipe it's own behind without our help. ;)

[edited by: martinibuster at 7:21 pm (utc) on Feb 10, 2012]

I think you are always safe in proactively contacting a vendor to let them know something is happening that could impact the stats they see from you.

Thanks for the advice guys. Very much appreciated.

I thought we got out of the above the fold algorithm hell when traffic suddenly spiked up, only to see all of it come from Bangladesh and the eCPM correspondingly decreased to levels we've never ever seen before :o(

We've banned the relevant IP addresses and secured our databases. Hopefully it will stop soon

I would just comment out the adsense code until the attack is over.

This is what I would do.

Unless the attack seems to target Google Ads in order to get you banned... then commenting it might just be a temporary reprieve until you put them back on. Is it possible to change the Adsense account code to a dummy one so the ads still appear but no clicks are recorded?

Comment the ads out. Leave it a week and restore a few, see how it goes. These types of attack are unlikely to last for long.

Any information on the nature of the attack?

Sorry, I wasn't clear. By until the attack is over I meant by the time the situation has been put under control.

As for altering the code with a fake ID, I don't think the ads will show but most importantly I believe altering the code is an adsense policy violation.

@nomis ... looks like they were trying to bruteforce our wordpress administrator password.

Alika take my advice for better future, stop using plugins or platform like wordpress, Make a website out of raw html, Wordpress platform is highly insecure.Hackers love wordpress websites

You seem to have made an enemy - it's the second time in less than a year that you've been attacked.
[webmasterworld.com...]
Possibly someone wants to take out your site.

Perhaps a CDN service with security protection such as that offered by Cloudflare might help to some degree.

>>>You seem to have made an enemy

Not necessarily. It's a wordpress site, that's all it takes to become a target.

Last time I reported a click attack on one of my sites, my domain got banned from Adsense. So.. next time I wonīt report a thing. What bothers me about Google Adsense is not the automatic processes that monitor you account, but rather the human subjective view at the moment of reviewing accounts. Let's face it, human are machines continously making mistakes, when we think we are right all the time. Thatīs how I feel about the people reviewing Adsense accounts. How can I be sure they wonīt banned my domain "just because" they "think" is a threat? Are they well prepare to judge us?

@windslide ... That's what I fear actually.

But I did contact Adsense, but my contact referred me to the invalid traffic team. My first contact responded quickly (within the same day), but i haven't gotten any response from the invalid traffic team (2 days ago). I sent them some of the communications with our web host to show them the efforts we're doing to stop it

The attacks started a week ago and looks like we may have stopped it. I blocked the entire country where these IPs where coming from.

Our web host was just blocking the IPs accessing the site, which did not work that well. At one point, 95% of the traffic to our US-focused site was coming from this one Asian country.

The funny thing is that this site has 2 wordpress installs (blog + another section) and about 5,000+ in static html pages. Since these static pages (including homepage) are really ugly (went live in 1999, used Frontpage, never been redesigned), we've been trying to move them to wordpress to make the pages look better and give a better user experience.

@martinibuster - Will going drupal or joomla reduce the risk of attacks like this? Right now, one of the things we did was to password protect all our wp-login.php pages.

WordPress is no better nor worse than anything else, if you put the proper security in. (But that's a topic for the WordPress forum)

WordPress is no better nor worse than anything else, if you put the proper security in.

The thing is, WP and Blogger are somewhat aimed at n00bs. (No experience needed.) How many n00bs are going to know about security issues. Not many.

If the script is php based you could place the adsense code on its own php page and include some geo-location and ip filtering to the file before it is included. This may slow down adsense load time but will allow you to block the loading of adsense by those you filter... such as anyone loading more than x pages in y amount of time.

Then, in adsense, approve only your domains and sleep peacefully.

side effect: you'll compile a nice list of nasty IP addresses in the process.