Getting Clickbombed and Frustrated

         

friedclyde

1:27 pm on Dec 16, 2020 (gmt 0)

5+ Year Member



Hi, I haven't been here for a long time. My AdSense income has been a trickle, but it's been something that helps pay a few bills and I depend on it.

A few months ago I started using gtranslate (paid) on subdomains nl.url.com etc. and everything was fine; I had a bit of a bump in search engine traffic.

One day I wake up and my AdSense is out of the roof. I knew it was a click bomb; I didn't bother because I knew it would reset, but this went on: every reset it went back to getting bombed. I filled out the invalid click form and got no response.

Then I noticed I was getting a lot of activity or visitors from the gtranslate IP. I reached out to them and they said that they pass on the IPs etc., but my Wordfence was still showing me their server IPs and not the visitor.

So I just blocked their entire IP range and deleted my subdomains, but it didn't stop. The weirdest part is, it's been around 36 hours that I have completely removed AdSense and I'm still getting clicks.

I've looked at my analytics; it's not showing me any clicks on ads. Then I've gone through server logs, loads of them, and I have not found anything really odd. I searched via browsers blacklisted IPs and had no luck. I cleared out my ads.txt file and only left my account.

I also use Advanced Ads and I used the click fraud feature as well as blocked bots from seeing ads, but nothing seems to have stopped this.

I have clicks from the Netherlands and Zimbabwe and Russia. Ads are only allowed to appear on my website and I have no clue what's going on.

Any kind of light here will be appreciated; this is the first time in over a decade I'm dealing with something like this. It's been over two weeks now and after a week or so, even my real clicks stopped making any $.

Thank you

NickMNS

3:55 pm on Mar 2, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@janvitos do you have the "X-Frames" header set to "none" or "sameorigin"?

janvitos

5:21 pm on Mar 2, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



@NickMNS, not as we speak. Do you believe it would be a good addition to prevent clickjacking?

janvitos

6:12 pm on Mar 2, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



So I have now added the x-frame-options: SAMEORIGIN header.

NickMNS

6:12 pm on Mar 2, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Do you believe it would be a good addition to prevent clickjacking?

Yes

But the main reason for asking is to determine whether or not the clickbombing that quite a few people have now reported may all be related to clickjacking? This, as opposed to a bot attack, where one or several bots are continuously clicking on ads.

NickMNS

6:29 pm on Mar 2, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I just realized that I made a mistake in my post at the top of this page. It is not "none" or "sameorigin" it is "deny" or "sameorigin"
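
Added example, not part of any post in this thread: a check that classifies a response's anti-framing protection from its headers, which shows why the value matters (browsers honour only DENY and SAMEORIGIN for X-Frame-Options and ignore anything else). It goes beyond the thread by also reading the Content-Security-Policy `frame-ancestors` directive; the function name and the sample header sets are constructed for illustration.

```javascript
// Added example: classify anti-framing (clickjacking) protection from response headers.
// `headers` is a plain object mapping header names to values.
function framingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value); // header names are case-insensitive
  }

  // 1. CSP frame-ancestors: browsers that support it use it instead of X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0 || tokens[0].toLowerCase() !== 'frame-ancestors') continue;
    const sources = tokens.slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) {
      return { protected: true, via: 'csp', detail: 'framing blocked everywhere' };
    }
    if (sources.some((s) => /^(\*|https?:)$/.test(s))) {
      return { protected: false, via: 'csp', detail: 'source list allows any site' };
    }
    return { protected: true, via: 'csp', detail: 'framing limited to ' + sources.join(' ') };
  }

  // 2. X-Frame-Options: only DENY and SAMEORIGIN are honoured.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') {
    return { protected: true, via: 'x-frame-options', detail: 'framing blocked everywhere' };
  }
  if (xfo === 'SAMEORIGIN') {
    return { protected: true, via: 'x-frame-options', detail: 'same-origin framing only' };
  }
  if (xfo === '') {
    return { protected: false, via: 'none', detail: 'no anti-framing header present' };
  }
  // "none", "ALLOW-FROM ..." and typos end up here: the header is sent but has no effect.
  return { protected: false, via: 'x-frame-options', detail: 'value "' + xfo + '" is ignored' };
}

// Constructed sample responses.
const sampleResponses = {
  'value from the first post': { 'X-Frame-Options': 'none' },
  'corrected value': { 'x-frame-options': 'SAMEORIGIN' },
  'CSP only': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  'no header': { 'Content-Type': 'text/html' },
};

for (const [label, headers] of Object.entries(sampleResponses)) {
  const r = framingProtection(headers);
  console.log(label + ': ' + (r.protected ? 'protected' : 'NOT protected') + ' (' + r.detail + ')');
}
```

Feed it the headers of the response a visitor actually receives, so a stale copy served from a CDN cache is what gets checked.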

NickMNS

6:40 pm on Mar 2, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I just set the X-Frame header on my server and discovered that if you are using Cloudflare you will need to purge your cache for the change to take immediate effect.

janvitos

7:45 pm on Mar 2, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Thanks for the info @NickMNS. I have implemented the header and it is now showing properly.

I guess now it is time to wait and see if anything changes over the next few days.

I will keep a close eye on my stats and report back.

friedclyde

8:16 am on Mar 5, 2021 (gmt 0)

5+ Year Member



I finally managed to solve this issue: my paid premium theme from ThemeForest, which is one of the most widely used, was the one causing the vulnerability allowing the clickjacking to take place. The moment I disabled it the clicking stopped. I don't know why I never tried it earlier. I'm pissed off, bought another theme and am trying to get my site to look semi-decent... Thanks for all the help guys, this is #*$!.

The theme used to pull JS from the cloud; this is where the vulnerability lies, I believe: executing scripts on the fly.

lammert

8:53 am on Mar 5, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for reporting back. It shows that configuring a site from components created by other parties may add hidden vulnerabilities without you knowing it.

janvitos

9:03 am on Mar 5, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hey friedclyde, I've also been experiencing something similar to click jacking for the past few days. I wasn't able to find a solution. I'm not using any theme from Theme Forest, but maybe there's a plugin or something else in my WordPress installation that is causing the issue.

I would be really curious to know more details on how you pinpointed the problem and found the solution.

Thanks!

friedclyde

11:40 am on Mar 5, 2021 (gmt 0)

5+ Year Member



Welcome Lam. Something strange: I activated another plugin and the clicks started coming in again. So I'm quite lost now. What do you use to display ads, Janvitos?

janvitos

1:48 pm on Mar 5, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



I use a combination of WordPress and AdInserter. Very simple setup, not many plugins.

I've been hit by the Confirmed Click penalty since Monday, and although it briefly has been removed a few times, it always immediately comes back because of the incredibly high CTR.

Looking at my AdSense stats in Google Analytics under Behavior -> Publisher -> Publisher Pages, I see that on March 1st 2021, all articles started showing a CTR of 20%, some reaching 50%+ and beyond.

Here's the weird part: when choosing a Secondary dimension of Users -> Browser, I see that Android Webview (Facebook for Android) is the only affected Browser. Safari (in-app) (Facebook for iOS) is NOT affected at all. Chrome is a bit higher than usual, but not nearly as crazy as Android Webview.

So I'm thinking it could be related to a bug in Facebook's Android Webview that is NOT rendering pages properly (like not showing pictures and only showing ads) on some articles, but this is just pure speculation as I've NOT been able to reproduce any kind of issues in Facebook's Android Webview.

Otherwise, I believe it could also be the work of Facebook bots that are exploiting a bug in Facebook's Android Webview that is not present in Facebook for iOS. It seems like I've had articles in the past (weeks before March 1st) that seemed to experience a high CTR. But the problem was often related to a single article and was clearly not as generalized as it is now.

I will be continuing my investigation.

I would be curious to know about your own Google Analytics AdSense stats. Maybe you are also seeing a pattern?

Thanks.

janvitos

3:38 pm on Mar 5, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Here's the CTR for two different URLs, both on Android Webview and Safari (in-app).

/enseignante-maternelle-demissionne-raisons-jessica-gentry/
Android Webview
5,072 Impressions
1,819 Pageviews
2,172 Clicks
42.82% CTR

/enseignante-maternelle-demissionne-raisons-jessica-gentry/
Safari (in-app)
3,254 Impressions
1,136 Pageviews
128 Clicks
3.93% CTR

/echecs-droles-agents-assistance-technique/
Android Webview
2,297 Impressions
548 Pageviews
464 Clicks
20.20% CTR

/echecs-droles-agents-assistance-technique/
Safari (in-app)
1,574 Impressions
352 Pageviews
27 Clicks
1.72% CTR

As you can see, CTR on Safari is pretty normal (might seem a bit high for some, but in reality, these stats are taken from Google Analytics and also account for accidental clicks. When looking at the stats directly in AdSense, you only see the registered clicks WITHOUT the accidental clicks, so often this number is lower).

But if you look at the CTR on Android Webview, it is over 40% on one URL. And since that URL has 1,819 Pageviews and 2,172 Clicks, it means more people actually clicked on ads than they were shown pages, which makes no sense at all.

janvitos

1:22 am on Mar 6, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



So after countless hours of analyzing everything, I figured it's highly unlikely the clicks are generated by a click bomb, bots or click jacking. But I did find something quite intriguing.

After looking thoroughly in Google Analytics, I found out that the high CTR really started around November 2020. But more recently, the CTR exploded into 50%+ territory, which resulted in the AdSense Confirmed Click penalty.

I also analyzed my server logs and the CloudFlare logs, and I just couldn't find anything that matched a pattern. For instance, there are no IP addresses that visit more pages than others (other than crawlers). There is really nothing fishy or problematic with my traffic.

I also realized that other platforms than Android Webview are indeed affected, like Chrome, Safari (in-app) and Samsung Internet. But strangely enough, Android Webview and Safari (in-app) are never affected at the same time.

So all this led me to two new theories:

1. There could be ads appearing on my website that are auto clicking themselves. I’ve seen those many times before, but I haven’t heard any users complaining about them in quite a long time. Normally, when users encounter these ads, they complain about them in the Facebook comments and I take action. So I guess the issue with those ads has probably been fixed by Google by now. I imagine it's unlikely this is the cause of the high CTR.

2. There could be ads that are tricking the user into clicking them.

So this led me to the AdSense Blocking Controls where you can review all the ads appearing on your site. It’s a tedious process, but this seemed like my last resort. So I started looking at the ads, and lo and behold, I found tons of ads with a play button in the middle that totally looked like YouTube embedded players ([imgur.com]). But instead of playing a video, the ads led to cheap websites that tried selling streaming subscriptions to users. I literally found thousands of those ads with thousands of impressions a day linking to dozens of different URLs.

Since I have two or three ad units inside the content of most of my articles, this means people could easily be mistaking these ads for a real video player that might show a video related to the article. But no. The readers are instead tricked into clicking the button and most probably immediately (and hopefully) press the back button to get back to their reading. This probably registers an invalid click with AdSense, and with thousands of these clicks, the algorithm has no choice but to enforce the Confirmed Click penalty.

So after scrolling countless pages of ads and noting each URL related to the ads, I ended up blocking them all under Blocking controls -> mywebsite.com -> Manage Advertiser URLs. Imho, this is an easier way of blocking multiple ads rather than blocking individual ads, since you can block a single URL linked to many different ads. It also prevents new ads pointing to those blocked URLs from being shown on your site.

I have to admit I was incredibly shocked that these ads were allowed by Google. If these prove to be the culprit, it means that I will have lost over a week worth of AdSense revenue because of Google’s inability to enforce their own Ad Policies properly. Isn’t it a bit ironic?

So that’s that. I am hoping for the best. If it doesn’t work, I might just quit on AdSense.

friedclyde

5:19 am on Mar 6, 2021 (gmt 0)

5+ Year Member




Janvitos, my issue cropped in from November as well... but I lost 3 months... So this is what it looks like to me: it's related to a JS used in some themes, perhaps the Vue.js [portswigger.net...]
The vulnerability existed for a while and my theme has not updated since then: twitter.com/starlabs_sg/status/1355150145449390082

So this is the funniest part: with Genesis framework + theme the clicks stopped, so I assumed it was related to my original theme. I then bought another highly rated theme which was not on ThemeForest and the clicks started again... so I assume there's a vulnerability in one of the common .js they are using. Now I'm doing my best to make Genesis look decent, and my RPM was more than $5 yesterday after ages.

I can finally begin to work on content again.

Now about the ads that you have: they do look spammy, but they cannot have stats like 1 impression and 10 clicks. If you have something like that... you know someone or something is messing with you.

portswigger.net
Vue to a kill: XSS vulnerability in Vue.js revealed
Flaw in popular developer tool only addressed after researchers spill the beans

janvitos

12:29 pm on Mar 6, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Thanks for the update friedclyde.

Strange that your high CTR also started in November. We are on to something.

And you are right for the 10 clicks vs 1 impression, that's impossible. I also have that on my ads.

So I guess I will start looking at JS files, but I don't have Vue.js. I really only have jQuery and my own website's JS, which is really light.

janvitos

3:57 pm on Mar 6, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



So I discovered something else. It seems like the issue is only affecting Android, but NOT iOS. See the stats below.

/chiens-droles-mendient-nourriture/
Apple Mobile Device
33,609 Impressions
8,251 Pageviews
724 Clicks
2.15% CTR

/chiens-droles-mendient-nourriture/
Samsung Mobile Device
44,735 Impressions
13,243 Pageviews
15,545 Clicks
34.75% CTR

/chiens-droles-mendient-nourriture/
Huawei Mobile Device
14,915 Impressions
4,657 Pageviews
6,473 Clicks
43.40% CTR

/chiens-droles-mendient-nourriture/
Xiaomi Mobile Device
7,180 Impressions
2,003 Pageviews
2,121 Clicks
29.54% CTR

As you can see, Apple has a CTR of 2.15%, and all other Android devices have a CTR over 20%.

Not sure what this means, but if it's a vulnerability, it means it only affects Android and NOT iOS.
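
Added example, not part of any post in this thread: the per-segment comparison janvitos does by hand in the two stats posts above, written as a check over the same Google Analytics figures. It flags a segment when clicks exceed pageviews or when its CTR is several times the lowest CTR for the same URL; the function names and the 5x ratio limit are assumptions chosen for illustration.

```javascript
// Added example. Rows are the figures quoted in the two stats posts above.
const U1 = '/enseignante-maternelle-demissionne-raisons-jessica-gentry/';
const U2 = '/echecs-droles-agents-assistance-technique/';
const U3 = '/chiens-droles-mendient-nourriture/';
const rows = [
  { url: U1, segment: 'Android Webview', impressions: 5072, pageviews: 1819, clicks: 2172 },
  { url: U1, segment: 'Safari (in-app)', impressions: 3254, pageviews: 1136, clicks: 128 },
  { url: U2, segment: 'Android Webview', impressions: 2297, pageviews: 548, clicks: 464 },
  { url: U2, segment: 'Safari (in-app)', impressions: 1574, pageviews: 352, clicks: 27 },
  { url: U3, segment: 'Apple Mobile Device', impressions: 33609, pageviews: 8251, clicks: 724 },
  { url: U3, segment: 'Samsung Mobile Device', impressions: 44735, pageviews: 13243, clicks: 15545 },
  { url: U3, segment: 'Huawei Mobile Device', impressions: 14915, pageviews: 4657, clicks: 6473 },
  { url: U3, segment: 'Xiaomi Mobile Device', impressions: 7180, pageviews: 2003, clicks: 2121 },
];

// CTR as reported in the posts: clicks divided by impressions.
function ctr(row) {
  return row.impressions > 0 ? row.clicks / row.impressions : 0;
}

// ratioLimit is an assumed threshold, not a value from the thread.
function findAnomalies(data, ratioLimit = 5) {
  const byUrl = new Map();
  for (const r of data) {
    if (!byUrl.has(r.url)) byUrl.set(r.url, []);
    byUrl.get(r.url).push(r);
  }
  const findings = [];
  for (const [url, group] of byUrl) {
    // Baseline: lowest non-zero CTR among the segments of this URL.
    const rates = group.map(ctr).filter((x) => x > 0);
    const baseline = rates.length ? Math.min(...rates) : 0;
    for (const r of group) {
      const reasons = [];
      if (r.clicks > r.pageviews) reasons.push('clicks exceed pageviews');
      const ratio = baseline > 0 ? ctr(r) / baseline : 0;
      if (group.length > 1 && ratio >= ratioLimit) {
        reasons.push('CTR ' + ratio.toFixed(1) + 'x the lowest segment');
      }
      if (reasons.length) {
        findings.push({ url, segment: r.segment, ctrPct: (ctr(r) * 100).toFixed(2), reasons });
      }
    }
  }
  return findings;
}

for (const f of findAnomalies(rows)) {
  console.log(f.url + ' | ' + f.segment + ' | ' + f.ctrPct + '% | ' + f.reasons.join('; '));
}
```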

janvitos

6:49 pm on Mar 6, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



So I came to the conclusion that there is most probably a bug in AdSense, Android or even in Google's own algorithms that is registering false clicks. In my case, it simply cannot be something or someone that triggers these clicks. For some articles, I have a CTR of over 120%, which is impossible. And all the clicks are coming from legitimate User Agents.

What if Google broke something while doing an update to their code that registers a click on an ad when there is a pageview? I did notice a correlation between Clicks and Pageviews. It seems the numbers are very close for all URLs. And the fact that the problem only affects Android and NOT iOS makes me think there are high chances this is a bug and not an attack.

This might sound crazy, but after you see all the "Account Disabled for Invalid Click Activity" tickets in the AdSense Community, you realize it might be a much more generalized problem than we think.

Also, the problem with Google is it's almost impossible to report these things to a human. I already opened 2 support tickets and sent 2 invalid click reports, and I only got automated messages for the tickets, nothing for the invalid click reports.

janvitos

10:59 pm on Mar 6, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



I'm going to try one more thing. I'll try loading the ads through Ad Manager / GPT instead of directly loading them with the normal AdSense code.

friedclyde

4:23 am on Mar 7, 2021 (gmt 0)

5+ Year Member



Janvitos, let me know if what you say works... I'll do the same because it looks like the themes don't make a difference in the long run... I think I'm gonna test for a few days anything before posting, this sucks.

janvitos

4:29 pm on Mar 7, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



So I have put my last plan on hold and tried instead to switch to another Ad Network which accepted my website on Friday.

I implemented their ads yesterday, and what do you know, I still had the Confirmed Click penalty!

I guess they are serving AdSense / Ad Exchange ads and my domain is probably triggering the penalty.

So we know this penalty is not an account level penalty, it is probably for an entire domain.

And here's something interesting. After removing all AdSense ads, I checked Google Analytics and noticed the clicks and impressions completely stopped, so we know it's not a problem related to a bot or someone stealing the ad links and clicking on them repeatedly.

I am now 95% sure the problem is either a conflict between a JavaScript file and AdSense, or a bug related to Android and AdSense.

Today, I am reverting back to GPT and AdSense to see if the CTR improves. If it does, I guess it's simply a question of leaving the ads in place until the algo stops detecting invalid clicks.

janvitos

4:56 pm on Mar 7, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



I just had something pop to mind: what if for some reason, every time a user taps the screen (can happen when scrolling for example), there is something that triggers a click on all anchors of the page? Maybe there was an update on how Android registers taps (or something like that) and now every time a user taps somewhere, it also clicks all ads on the page. I know this is far-fetched, but right now, I am desperate to try to find a solution.

janvitos

7:55 pm on Mar 7, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Unfortunately, after using Ad Manager instead of AdSense, I realized the stats are not recorded in Google Analytics. So I cannot verify if the CTR is dropping or not changing.

The Confirmed Click penalty is still in effect and GPT has been enabled for a few hours, so I doubt it's going to change anything.

janvitos

12:14 am on Mar 8, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



I might be on to something (again). But this time, it's more tangible.

I was able to identify a high influx of suspicious traffic using CloudFlare Analytics. By high influx, I mean 150K bogus visitors in a single day with Unknown Browsers and Operating Systems and other irregularities.

Fortunately, I was able to block the traffic using the CloudFlare Firewall (WAF). It seems like this traffic could be responsible for the clicks. 96% of it is coming from bots.

Tomorrow, I will look at my Google Analytics AdSense stats and see if there's any improvement.

For anyone interested, here's my post on CloudFlare: [community.cloudflare.com ]

janvitos

2:55 pm on Mar 8, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



So the bogus traffic was not the issue of the invalid clicks.

I now believe there is a bug in how AdSense reports clicks from video ads.

More on that later...

janvitos

10:58 pm on Mar 8, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



After sending a complete report to AdSense Support, an agent told me he has forwarded my request to Google Product Specialists, but I will unfortunately NOT receive any updates whatsoever (great).

For now, I set up a piece of jQuery code that detects if the user is coming from Android or other platforms. If he's on Android, I don't show any ads. I only show ads for all other platforms.

This way, the Confirmed Click penalty should disappear soon and I should at least be getting half of my revenue back while Google gets enough complaints and decides to fix this mess.

By the way, I'm 99% sure it's a bug in Facebook Android Webview. It *might* also be affecting Chrome and AMP pages, but I couldn't confirm that because I don't have enough AMP traffic.

For people curious, here's the piece of jQuery code I'm using:

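// Load the AdSense script only for non-Android visitors.
(function () {
  var userAgent = navigator.userAgent || navigator.vendor || window.opera;
  if (/android/i.test(userAgent)) {
    return; // Android: do not load ads
  }
  // "<\/script>" keeps an inline script block from being closed early
  $('head').append('<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"><\/script>');
})();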

You can modify the script to fit your needs.

Cheers.

yaashul

12:07 pm on Mar 29, 2021 (gmt 0)

10+ Year Member Top Contributors Of The Month



Hi,

I think Google Analytics is showing 3-4 times more CTR than AdSense (sometimes even 12 times). But AdSense has a different CTR. To see that, see the report in analytics->behaviour->publisher->overview. See the number of clicks there and the number of clicks in AdSense and compare them.

thecoalman

3:41 pm on Mar 29, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you are using Cloudflare, .....


CL's custom headers can be useful if, for example, you wanted to flag users from certain countries, but if you are going to block them you might as well do it using the CL firewall. Using their control panel or API you can block practically anything (country, ASNs, user agent etc.) before it gets to the origin server. Note I'm not sure what is available with the free plan or what limitations there are.

One thing to be aware of with CL is it only protects the domain. If someone is determined they can bypass Cloudflare using custom DNS if they can determine the origin IP. You need to protect exposure of the origin IP. That exposure can occur through many sources like email, scripts that download remote files, or simply DNS history if the IP didn't change since implementing CL. In my case someone ran a bot across my host's IP ranges looking for unique files on my site until they hit pay dirt.

Ideally anything that can expose the origin IP has been removed, such as using a different IP for email. Use the server's firewall to block ports 80 and 443 for all traffic except CL IPs ;)

Soprano

10:17 am on Mar 30, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hi, have you found a solution for that?
When I had this problem in the past, I just desactivate cookies propreté in adsense parameter and the clicks stopped.
So try that.

janvitos

11:05 pm on Mar 30, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hi Soprano,

Yes, I am still having the same issue.

What do you mean by "desactivate cookies propreté in adsense parameter"? Are you talking about disabling First-party cookies? Or disabling User-based ads, Additional ad technology vendors and First-party cookies? Or something else?

I would be incredibly curious to know what you did exactly and how that fixed the issue.

Thanks!
This 97 message thread spans 4 pages: 97