Sadly, I'm firmly in the 'it's just another sound and fury public relations release' camp.
Google is constantly fighting botnets, they've regularly (sort of an annual PR parade the troops effort) given interviews and/or given a peek into the 'command centre'. And while I expect they've been winning every 'battle' - eventually - they are increasingly losing the 'war'.
Today we're further reinforcing our existing botnet defenses across our ad systems through a new feature that automates the filtering of traffic from three of the top ad fraud botnets, amongst those we are monitoring and defending against.
Ummm, three of the top. There's a drop in the bucket, dear Liza...
Together these three botnets are comprised of over 500,000 infected user machines.
Not exactly the world's largest botnets. There's a tiny drop in the bucket, dear Liza...
Yes, it is a good thing that they are fighting the good fight. Because they'd be out of business in a year if they didn't.
Yes, they are severely on the defensive and being hammered, though not - yet - being rolled up.
Yes, they are losing so badly that core customers are testing other options in increasing numbers, which is behind the increased PR effort and touting of minor (as in pretty much ongoing day to day) success as some sort of significant breakthrough.
Part of the problem is that Google relies heavily on automation and neither AdWords advertisers nor AdSense publishers are properly vetted. That would cost greatly plus it would cut into the trash revenue streams that Google has always relied upon for a significant amount of revenue (running with a foot over the line has been in play since close to if not the beginning, i.e. gaming, pharma, 'impressions').
Another significant part is that most webdevs haven't a clue about blocking basic bots let alone stopping the advanced versions (or the third world high value manual click farms). Read the AdSense forum sometime and the sad tales of clawbacks. Yet, G is only identifying a fraction of the fraudulent clicks...
Note: just as Google Analytics is only identifying a fraction of the bot traffic hitting sites.
I have played (by which I mean conceived, deployed in test environment, never released active payload to wild; plus trolled the dark web for intelligence and inspiration; plus burned the candle at both ends over research papers...) in the botnet ad fraud arena. Partly for fun and partly to get an idea what to look for as part of my bot defences. Some of the stuff is virtually impossible to detect - even knowing what is coming - as it actually mirrors browser users.
It's a nasty online world out there. And not about to get nicer anytime soon.