Since you have a security team, I think it's up to them to investigate what is normal or not. And to verify if your site has not been compromised.

Are you seeing Google ads when you visit your site yourself? and if you look at the files loaded ?

AdSense serves ads from many third party networks. In your AdSense account you can choose to disable third party networks from your account.

"It does seem that the issue is coming directly from Google itself.
On the screenshots you shared you see that the code is inside the container that belongs to the ad, this means that that code is being returned by Google.

Here's a quick example of one of the google ad iframe:
view-source:https://googleads.g.doubleclick.net/pagead/ads?<snipped acct specifics>&format=728x90&output=html&h=90&slotname=4074387263&adk=4047856320&adf=3481317426&w=728&lmt=1493465989&flash=0&url=http%3A%2F%2F<snipped ad specifics>%2F&wgl=1&dt=1493465989475&bpp=11&bdt=1190&fdt=13&idt=29&shv=r20170424&cbv=r20170110&saldr=aa&correlator=1044709054069&frm=20&ga_vid=228145772.1493465868&ga_sid=1493465990&ga_hid=1197489503&ga_fc=0&pv=2&iag=3&icsg=2&nhd=1&dssz=2&mdo=0&mso=0&u_tz=60&u_his=3&u_java=0&u_h=1080&u_w=1920&u_ah=1050&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=6&adx=5&ady=7&biw=497&bih=984&eid=575144605%2C828064251%2C389613000&oid=3&rx=0&eae=0&fc=16&brdim=-1920%2C274%2C-1920%2C274%2C1920%2C274%2C1920%2C1050%2C497%2C984&vis=1&rsz=%7C%7CeE%7C&abl=CS&ppjl=f&pfx=0&fu=1040&bc=1&ifi=1&xpc=JEN183Gp4P&p=<snipped ad specifics>&dtd=50

You may see a different result by the time you check it but sometimes it returns this:
this.tagsrc = '<ins class=\'dcmads\' style=\'display:inline-block;width:728px;height:90px\'\n data-dcm-placement=\'N1068.142389HX/B11029770.149436293\'\n data-dcm-rendering-mode=\'scr'+'ipt\'\n data-dcm-https-only\n data-dcm-resettable-device-id=\'\'\n data-dcm-app-id=\'\'\n data-dcm-click-tracker=\'\'>\n <scr'+'ipt src=\'https://www.googletagservices.com/dcm/dcmads.js\'></scr'+'ipt>\n</ins>';
this.altsrc = '\<scr' + 'ipt src=\"https://secure.adnxs.com/psa?format=js\&size=728x90\"\>\</scr' + 'ipt\>';

The secure.adnxs.com ad network is the probably biggest malware distributor, this is just one example of bad stuff is coming from Google. My recommendation is that you first disable all the ads within adsense and then check your website see if you see the code, and then enable one by one while you continue to check until you find the one causing it and keep it disabled or even report to Google.

I will continue to investigate nonetheless in the meantime."

[edited by: not2easy at 9:06 pm (utc) on Apr 29, 2017]
[edit reason] <snipped acct & ad specifics> [/edit]

Adnxs (AppNexus): What is it and what does it do? [theguardian.com]

It's not really fair to call it a "malware distributor", and "disable all the ads" seems like poor advice if you depend on that income. Why are you looking at the ads for this "big drop in performance"? How are you measuring performance? Are you sure the ads are the problem? not2easy answered your question about Google "serving" ads from other domains; a fact that doesn't need any investigating and is not really a problem (or a security issue) for most publishers and shouldn't affect your site's performance much if the ads are loaded asynchronously.

Hi,

basically because we found a hybrid ads script. The scrips is wrapping itself around our ads and stealing the ad revenue.

On our end the clicks get counted as click spam by google so we have twice the problem - stolen revenue + we look like spammers. Its very hard to find the script though in the code

Have you tried taking a look at the live headers as the page loads? That will usually show you where and what is loading the script. In FF browser you can use the Live HTTP Headers Extension and examine all requests and server responses. Handy for pinpointing problems.

In this screenshot <removed site specifics> , the original Google iframe is modified in at least 2 places:

1. This code to define the HybridAds [justpaste.it...]
2. This code to wrap over the original Google Ads banner in the HybridAds <removed site specifics>

Clicking on the google banner will open the Ads just fine, though Google reports that it's considered as spam traffic.

[edited by: not2easy at 6:46 am (utc) on Apr 30, 2017]
[edit reason] See Tos and Charter [/edit]

If you have found a script in your source code, you can edit it out and replace it with your own AdSense code. If you cannot see the script in your page source code, then it is being added during the page loads. If it is being added during the page loads, you can view the live headers to see what and where it is being added.

If the additional code is contained within the ads that AdSense is serving on your site, you can click the small i in the circle or the x in the corner next to that to give feedback about the ad.

Isn't that simply this script? [googleadservices.com...] (conversion tracking for AdWords)

Google reports that it's considered as spam traffic

How does Google report this to you?

Hi,

Im in touch with google and they confirmed its modified script that can actually get me banned ." Thanks for your patience while I spoke with our Tech Specialists. They have confirmed that the ad code is definitely modified.
The modification of the ad code is against our policies and may lead to action taken. "

They showed me their internal reports and I have up to 60% click spam. Which we never had before at same ad design..

Thanks

Okay, so you need to figure out how the ad code is being manipulated (if it's an external source and not an error in your own code). Usually the CMS is compromised somehow (in case of WordPress it's usually a plug-in) and additional Javascript is added to the page.

What I don't understand is how Google can be registering clicks as "spam" for your account when you say the "scrip[t] is wrapping itself around [your] ads and stealing the ad revenue". I don't think you can steal revenue without the clicks.

Hi,

Yes, were on it trying to find the source, its very well hidden.

Thats just a working theory. Basically the visitor clicks my ads, the landing page is called but they get redirected to other non google networks. Do you know what I mean?

Thanks Chris

Not really, but let us know how it works out :-)