Adsense, many clicks on deleted bloc ad (30 Clicks, 1 impression)

I have invalid clicks on my ads

         

Soprano

11:57 pm on Jan 23, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hi everyone
I have had an AdSense account since 2014.
For one month, I have had many invalid clicks on my account.

The invalid clicks are from USA, FRANCE and SPAIN.
I can have from these countries 30 clicks, 0 impressions, active view 0%.
The invalid clicks are from mobile devices.

When I saw that, I deleted all the AdSense blocks which are on my website, but the invalid clicks continue.

At last I deleted the website from AdSense; that's the only way that I have to stop it.

I think that it's a bot clicker because when AdSense accepts my website again, the invalid clicks begin automatically.

I already use Cloudflare under attack mode, but the invalid clicks continue.

Need help please

Soprano

11:59 pm on Jan 23, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



The invalid clicks came from my domain
When I delete all ads, the invalid clicks continue to come from my domain

NickMNS

2:19 am on Jan 24, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You are not alone, others have reported similar situations. Here is a recent thread on this exact topic:
[webmasterworld.com...]

Hopefully some of the posts there can help.

das_bends

7:08 am on Jan 24, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Had the exact same issue. The invalid clicks finally stopped today after 10 days of removing the page. Contact Adsense support to ensure they're aware of your case.

Soprano

1:56 pm on Jan 24, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



@Nick_MNS Yes, I already configured Cloudflare like he said on the other topic
Now I am waiting for AdSense to verify my website again because I deleted it from AdSense to stop the bot clicker

@Das_bends AdSense support doesn't answer when I contact them with the AdSense invalid click form

das_bends

9:44 pm on Jan 24, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



I meant regular Adsense support, not invalid clicks form.

Soprano

12:36 pm on Jan 25, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



@NickMNS I did all that they said on the last similar topic using Cloudflare but it doesn't work.
I continue to see invalid clicks from France, Spain and USA

Now I am contacting regular AdSense support like @das_bends said

I also removed my website from the website section on AdSense until I find a solution, else invalid clicks would continue.

Soprano

2:06 am on Jan 30, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hi
I finally resolved the problem
I created a firewall rule like in the other post
And put some code against XSS attacks in the .htaccess file

das_bends

2:38 am on Feb 13, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



After they went away, they appeared again for me. Again clicks on an ad unit that isn’t used anymore and a page that is blocked at the Cloudflare level. Have you permanently resolved the issue?

janvitos

12:47 am on Mar 31, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



I have the same problem.

Getting tons of clicks from United States, France and Spain on old ads that have been archived / removed for weeks.

This has given me a Confirmed Click penalty for over a month now, with revenue loss of over 90%.

Anyone here figured out the issue? How did you fix it?

Thanks!

Soprano

2:47 pm on Mar 31, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



@janvitos
I really haven't found a permanent solution
This is a really big problem
I have lived with this problem since December
All that I understood is that someone made a copy of my website, and runs a click program on this copy.
But I really don't understand why these clicks are linked with my DNS
Now I have stopped automatic clicks from these countries, but the hacker continues to do manual clicks only from FRANCE, up to 20 or 30 clicks per day.
We really have to find a solution

@janvitos you can stop these automatic clicks, you have to do this:
1. go to your AdSense interface
2. click on 'parameter of blockage' <it is at the left of the screen just under reports in AdSense>
3. click on all websites
4. click on display ads <in French it's diffusion d'annonces>
5. you will see 'cookies owner' <in French it's cookie propriétaire>
6. click to UNAUTHORIZE

Do the automatic clicks stop?

janvitos

2:56 pm on Mar 31, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hi Soprano,

Thanks for the advice.

I also speak French by the way, but we'll keep the discussion in English here for the users of this forum :) We can always connect outside of this website if you want. Check your inbox, I already sent you a message.

I did exactly as you said (I read your other message yesterday in another post), and the clicks did drop a lot, but they didn't completely stop. I don't receive clicks from Spain or the United States anymore, but I am still getting 20-30 invalid clicks from France (I also run a French website). Those clicks are made on ad units that have been archived and removed from my website for many weeks.

Unfortunately, I still have the Confirmed Click penalty. Is this the same penalty that you have? (a popup that says "Visit website" with "Yes" and "No" buttons).

If you want my opinion, I don't think this is malicious in nature. I believe this is an AdSense bug that needs to be fixed by their engineers, but right now, Google is refusing to do anything about it.

NickMNS

3:24 pm on Mar 31, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@Soprano are you using Google Analytics with your Adsense account linked? Do you have access to the "Publisher Pages" report? Janvitos has determined that his problem is mostly related to the Android Webview browser. To see the stats for the webview browser in GA do the following:

Publisher => Publisher pages => select secondary dimension of user/browser. Then set an advanced filter for "browser" with an exact match to "Android Webview". Then sort the table by CTR in decreasing order.


All that I understood is that someone made a copy of my website, and runs a click program on this copy.
But I really don't understand why these clicks are linked with my DNS
Now I have stopped automatic clicks from these countries, but the hacker continues to do manual clicks only from FRANCE, up to 20 or 30 clicks per day.


This sounds like clickjacking, where an attacker loads your webpage in an iframe on a different website and then gets users to click the ads. The users would appear to be coming from normal users with diverse IP addresses, making them nearly impossible to detect or block. But it is easy to stop: you simply prevent sites from displaying your website in an iframe. See the link below for details:
[cheatsheetseries.owasp.org...]

Note I have implemented this for my site at the beginning of the month and the strange ad clicks in Android-Webview have appeared to stop. But, I was never affected at the scale that you or Janvitos were, I had no penalties and minimal clawbacks. I believe that Janvitos implemented this but it did not fix the problem.

Just an added note, I am also French speaking so if you have questions you can also send a direct message.

janvitos

3:34 pm on Mar 31, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Do you have access to the "Publisher Pages" report? Janvitos has determined that his problem is mostly related to the Android Webview browser

After digging some more, I realized that the clicks can happen on any mobile browser, like Android Webview, Safari (In-App), Samsung Internet and even Chrome.

I believe that Janvitos implemented this but it did not fix the problem

That's right. It didn't fix the problem and I'm still getting those false clicks on archived ads even after they have been completely removed from my website for weeks. Newer ads that I've implemented on my website don't get any false clicks.

After reading Soprano's description of his issue, it seems he has EXACTLY the same problem as me. He's getting false clicks from the same countries, France, United States and Spain.

Have a look at this screenshot: [imgur.com ]

The ads in the red box are the ads that have been archived and removed for weeks. You can see they are still receiving clicks, but MUCH less clicks since I've disabled First-party cookies under AdSense -> Blocking controls -> All sites -> Manage Ad serving.

I am also French speaking

It's good to know that there are other French speakers here :)

Soprano

7:22 pm on Mar 31, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



@janvitos it's not an AdSense bug, it's a hacker's attack.
Because when I deactivated cookies, the invalid clicks stopped, but on the same day I began to have invalid clicks from Algeria on ad units which are not archived, and when I blocked Algeria using Cloudflare, I immediately began receiving invalid clicks from Morocco. But all these clicks are on ad units that are not archived.

@NickMNS I already disabled iframes using htaccess by using header DENY.

@NickMNS for me too, the invalid clicks all come from mobile devices, and only one ad unit is concerned.

I really think that my website is copied somewhere.

NickMNS

8:01 pm on Mar 31, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I already disable iFrame using htaccess by using header DENY.

I assume that you mean
X-Frame-Options: DENY

This is good but not sufficient. While it works for all modern browsers, including Android Webview, you may still need to implement the frame busting scripts. I suspect that the issue is with Android Webview. This is not really a browser; it is a method that allows an app developer to show a version (possibly reduced) of a web page within a native app without exiting the app and using a real browser. For example, Facebook uses this to ensure that when a user clicks on links within Facebook, the user cannot leave the Facebook ecosystem. They are shown the content but are limited in what they can do, and FB can also track all that they do.

So the problem is that within these apps your page is not shown as an iframe but likely as a reduced version of itself. So preventing your site from being displayed in an iframe will have no effect. I believe that implementing a frame-busting script will prevent the pages from being shown in Android Webview, but I have not implemented this myself nor tested it. But it may be worth a try. I believe that @frideclyde did implement these scripts but I'm not sure of the final outcome.

Here are the details for the frame-busting script from the Owasp page linked above:
[cheatsheetseries.owasp.org...]

One final note:
The thing that still puzzles me is how Janvitos continues to get clicks after the ads have been removed. The only plausible explanation is that old cached pages are being used, where and how the pages are cached is beyond me. Just be aware that adding the scripts to your pages will prevent future attacks, but will do nothing to prevent clicks on previously cached pages.
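
Added example, not part of any post in this thread: a small audit of the anti-framing response headers discussed above (`X-Frame-Options` and the CSP `frame-ancestors` directive). The function names and verdict labels are assumptions made for illustration; both headers are only consulted when a page is loaded inside a frame, not when it is loaded as the top-level document.

```javascript
// Added example: audit one response's anti-framing headers.
// Header and directive names are standard; function names and verdict labels are illustrative.

// Return the source list of the CSP frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of String(csp || '').split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: plain object of response headers (names matched case-insensitively).
// verdict is one of: 'deny', 'same-origin', 'allow-list', 'ambiguous', 'frameable'.
function auditFraming(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];
  const xfoRaw = h['x-frame-options'];
  const sources = frameAncestors(h['content-security-policy']);

  if (sources !== null) {
    if (xfoRaw !== undefined) {
      findings.push('frame-ancestors is present, so supporting browsers ignore X-Frame-Options');
    }
    // An empty source list matches nothing, which is the same as 'none'.
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) {
      return { verdict: 'deny', findings };
    }
    if (sources.some((s) => s === '*' || s === 'http:' || s === 'https:')) {
      findings.push('frame-ancestors contains a wildcard or bare scheme');
      return { verdict: 'frameable', findings };
    }
    if (sources.every((s) => s === "'self'")) return { verdict: 'same-origin', findings };
    return { verdict: 'allow-list', findings };
  }

  if (xfoRaw === undefined) {
    findings.push('no X-Frame-Options and no CSP frame-ancestors');
    return { verdict: 'frameable', findings };
  }
  // Several header lines arrive comma-joined; collapse duplicates before judging.
  const values = [...new Set(xfoRaw.split(',').map((v) => v.trim().toUpperCase()).filter(Boolean))];
  if (values.length > 1) {
    findings.push('multiple distinct X-Frame-Options values; send exactly one');
    return { verdict: 'ambiguous', findings };
  }
  if (values[0] === 'DENY') return { verdict: 'deny', findings };
  if (values[0] === 'SAMEORIGIN') return { verdict: 'same-origin', findings };
  if (values.length && values[0].startsWith('ALLOW-FROM')) {
    findings.push('ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors');
  } else {
    findings.push('unrecognised X-Frame-Options value: ' + xfoRaw);
  }
  return { verdict: 'frameable', findings };
}
```
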

janvitos

8:36 pm on Mar 31, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



The thing that still puzzles me is how Janvitos continues to get clicks after the ads have been removed

It puzzles me as well. Because the new ads don't receive invalid clicks at all, only the old ones.

Unfortunately, I didn't find a way to get AdSense to list all urls with URL Channels, so I cannot really know which URLs are receiving those clicks. And Google Analytics Report is totally different from the AdSense Report, so it is really hard to make anything out of it.

lammert

1:05 am on Apr 1, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Traffic funneled through a proxy server will show legitimate AdSense ads. With a proxy server it doesn't matter which HTTP headers you add afterwards to prevent XSS or iframe busting, because the browser on the end-user site thinks it receives genuine site pages without the headers, as long as they are pulled from the proxy cache, not from the original site.

Some mobile operators have large proxies for IPv6/IPv4 or IPv4/IPv4 tunneling because they effectively ran out of public IPv4 addresses for their mobile users. The mobile devices connect through private IPv4 addresses or through IPv6 and are then connected with the outer-world through the proxy. I am not sure about the countries from which @janvitos sees clicks, but I wouldn't be surprised if some large caching ISP-proxy for mobile users is the culprit.

NickMNS

1:07 am on Apr 1, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is there any way to get hints about this from logs or analytics? GA provides ISP data if I'm not mistaken.

janvitos

1:57 am on Apr 1, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hey @lammert, that sounds like a really interesting and plausible theory indeed, thanks for your insight.

But there's still one thing that eludes me: even if some traffic was going through a proxy and was served cached pages, why would there be way more clicks than impressions / page views? What would cause this?

Because if AdSense ads were being served on cached pages from proxies, you would think AdSense reporting code would be properly executed as well, and impressions / page views should be much higher than what they are at now. Most of these ads are showing 30-50 clicks in AdSense Reports, but only 1-5 impressions and 0 page view.

GA provides isp data if I'm not mistaken

Unfortunately, since the beginning of 2020, ISP data has been deprecated in GA: [seerinteractive.com ]

janvitos

2:25 am on Apr 1, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Found something mildly interesting.

Have a look at this screenshot: [imgur.com ]

This report shows two of the archived ads that have been getting lots of invalid clicks along with the served creatives.

As you can see, only ads served with a Text creative seem to be affected. Unfortunately, at the end of the day, clicks almost disappear from my reports since Google removes all invalid clicks, so we don't have a good sample to analyze. So I will look at this report again tomorrow when clicks start flowing in.

Edit: After getting more traffic and clicks, there were invalid clicks on other types of creatives as well, so forget what I said.

janvitos

12:29 pm on Apr 1, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Blocking First-party cookies has drastically reduced the number of invalid clicks on my ads, and now the Confirmed Click penalty has been lifted since around midnight (it is now 7:30 AM here). This is the first time in over a month that the Confirmed Click penalty has been lifted, so it is very promising.

To block First-party cookies, you need to go here: AdSense -> Blocking controls -> Content -> All sites -> Ad serving -> Manage Ad serving -> First-party cookies.

lammert

1:26 pm on Apr 1, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



First party cookies are used for ads served by Google which have a frequency cap. By disabling them, the ad inventory for your site will be less crowded and CPC may decrease, but the lifting of the penalty will without doubt increase the RPM.

Having advertisements stuck somewhere in a cache halfway between Google and the end-user still makes sense in this scenario. If a frequency-capped advertisement is cached, there will be impressions on the user side, but Google won't count them in their system because the frequency-cap doesn't allow them to be counted. Hence the zero views but multiple clicks in your reporting.

I would consider this a bug on the Google side, because as I mentioned a few posts before, proxies between end-users and the internet will become the norm as long as we are not primarily using IPv6 to get rid of the IP address shortage.

A related question, do you accept IPv6 traffic on your site? Especially from mobile I see a huge percentage of IPv6 connections on my sites and this traffic normally bypasses ISP level proxies. If my assumption is correct, this double click penalty should be primarily visible on sites only serving IPv4 in a market with a large percentage of IPv6 end-users.

Soprano

2:12 pm on Apr 1, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



When you deactivate proprietary cookies, all invalid clicks stop, except those coming from France.
So I think there is something special about the clicks coming from this country.
In addition, the clicks coming from France seem to be manual clicks, because in my case, it only happens during working hours, like 11am to 11pm or midnight maximum; late at night there is no invalid click.
I will test the deactivation of Android Webview and I will keep you informed of the result

janvitos

2:48 pm on Apr 1, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



As you can see from this screenshot ([imgur.com ]), clicks have now completely stopped on the archived ads (see stats circled in red).

As for the ads not circled in red, they are the new ads that have been added recently. You can see that the CTR has dramatically increased from 0.05% to 0.30%+ since the Confirmed Click penalty was lifted. The RPM has also increased a lot.

lifting of the penalty will without doubt increase the RPM

Lifting the RPM is indeed much more important than the loss in revenue (if there is any) from disabling First party cookies.

If a frequency-capped advertisement is cached, there will be impressions on the user side, but Google won't count them in their system

That makes total sense.

I would consider this a bug on the Google side

This is what I've been thinking for a while now. It is far too widespread to be an attack, unless it would be caused by malicious bots. But it doesn't appear to be caused by bots, because even after blocking all bots, the clicks continued. I'm 99% sure it's an AdSense bug.

do you accept IPv6 traffic on your site?

Definitely. I have lots of IPv4 and IPv6 traffic on my website.

[edited by: janvitos at 2:55 pm (utc) on Apr 1, 2021]

janvitos

2:53 pm on Apr 1, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hey Soprano,

When you deactivate proprietary cookies, all invalid clicks stop, except those coming from France

All clicks from all countries stopped for me today, even France.

Another thing I did yesterday was temporarily block access to my website's search path (/recherche/) and also pages path (/page/) using Cloudflare Firewall Rules. You should definitely look in your server logs / firewall logs if you have such requests.

I created simple Allow Cloudflare Firewall Rules to detect those visitors. I then converted those Allow rules to Block rules. Of course, this means people can't search my website or visit pages, but regular users never do anyways. And this lets good bots visit those pages. You should replace the paths with the proper ones from your website.

(http.request.uri.path contains "/page/" and not cf.client.bot)

(http.request.uri.path contains "/recherche/" and not cf.client.bot)

I was noticing a lot of IPs were searching for the same keywords over and over again, and visiting lots of pages like /sujet/insolite/page/2/ and /recherche/horror+movies/page/4/. Most of this traffic was coming from real users mostly from France, but also from other countries around the world. I tried to issue a JS Challenge, but they would solve them. And I've NEVER had so many people searching on my website for all of these similar keywords and visiting so many pages. Most of my traffic comes from Facebook and is from quick visitors that view one or two articles and leave. It seems like they might've been coming from a click farm? I'm not sure if it was related to the Invalid Clicks, but now I have 0 clicks on my archived ads and the Confirmed Click penalty is gone.

janvitos

4:02 am on Apr 2, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Here's an update.

I tried allowing First-party cookies today, and tons of invalid clicks from France and the United States started flooding my archived ad units again, so I've blocked them once and for all. Fortunately, for the brief moment I allowed First-party cookies, the penalty hasn't come back.

In my case, First-party cookies are definitely responsible for those invalid clicks and the Confirmed Click penalty. They could also be responsible for the invalid traffic penalty. Anyone who has an invalid clicks / invalid traffic penalty should try blocking First-party cookies and see if it solves their issues. I will be sending a report to Google about this.

janvitos

2:06 pm on Apr 2, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Another important update, particularly for @Soprano.

After blocking First-party cookies again, all invalid clicks on archived ad units completely stopped. The Confirmed Click penalty remains lifted. RPM has jumped from $0.50 to $2.50.

So I’ve decided to make another test and disabled my firewall rule that blocks all paths containing /page/. Again, some clicks started appearing from France and United States on archived ad units, but clearly not as many as when I allowed First-party cookies.

I believe the bots responsible for the clicks navigate the website by following the page structure, like many other bots. And then they access different articles and click on ads. Blocking access to all page paths seems to block the bots’ ability to crawl a website and click ads.

My next step will be to analyze the ASNs, IPs and User Agents that access page paths and try to block those instead. Because while the page paths are disabled, people can’t really navigate the different sections of my website.

Cheers.
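
Added example, not part of any post in this thread: one way to do the log review described above, grouping requests to the watched paths by client and surfacing repeated search keywords. The log lines are constructed (combined log format, documentation IP ranges), the function names and threshold are assumptions, and the `/page/` and `/recherche/` paths are the ones from the posts and should be replaced with your own.

```javascript
// Constructed sample access-log lines (combined log format); not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Apr/2021:10:00:01 +0000] "GET /recherche/horror+movies/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 10) SampleBrowser/1.0"',
  '203.0.113.7 - - [01/Apr/2021:10:00:09 +0000] "GET /recherche/horror+movies/page/2/ HTTP/1.1" 200 5090 "-" "Mozilla/5.0 (Linux; Android 10) SampleBrowser/1.0"',
  '203.0.113.7 - - [01/Apr/2021:10:00:15 +0000] "GET /recherche/horror+movies/page/4/ HTTP/1.1" 200 5077 "-" "Mozilla/5.0 (Linux; Android 10) SampleBrowser/1.0"',
  '198.51.100.20 - - [01/Apr/2021:10:01:00 +0000] "GET /sujet/insolite/page/2/ HTTP/1.1" 200 7001 "-" "Mozilla/5.0 (iPhone) SampleBrowser/2.0"',
  '192.0.2.55 - - [01/Apr/2021:10:02:00 +0000] "GET /2021/03/some-article/ HTTP/1.1" 200 9000 "https://www.facebook.com/" "Mozilla/5.0 (iPhone) SampleBrowser/2.0"',
  'this line is truncated and will not parse',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const WATCHED_PATHS = ['/page/', '/recherche/']; // from the thread; site-specific

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6], ua: m[7] };
}

// Extract the keyword from a search URL such as /recherche/horror+movies/page/4/.
function searchTerm(path) {
  const m = /\/recherche\/([^/?]+)/.exec(path);
  if (!m) return null;
  const raw = m[1].replace(/\+/g, ' ');
  try {
    return decodeURIComponent(raw).toLowerCase();
  } catch {
    return raw.toLowerCase(); // malformed percent-encoding: keep the raw text
  }
}

// Group hits on the watched paths by client IP and flag clients at or above minHits.
function summarize(lines, minHits = 3) {
  const byIp = new Map();
  let skipped = 0;
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) { skipped += 1; continue; }
    if (!WATCHED_PATHS.some((p) => entry.path.includes(p))) continue;
    let s = byIp.get(entry.ip);
    if (!s) {
      s = { hits: 0, agents: new Set(), terms: new Map() };
      byIp.set(entry.ip, s);
    }
    s.hits += 1;
    s.agents.add(entry.ua);
    const term = searchTerm(entry.path);
    if (term) s.terms.set(term, (s.terms.get(term) || 0) + 1);
  }
  const flagged = [...byIp.entries()]
    .filter(([, s]) => s.hits >= minHits)
    .map(([ip, s]) => ({
      ip,
      hits: s.hits,
      agents: [...s.agents],
      repeatedTerms: [...s.terms].filter(([, n]) => n > 1).map(([t]) => t),
    }))
    .sort((a, b) => b.hits - a.hits);
  return { flagged, skipped };
}
```

Behind Cloudflare, origin logs record Cloudflare's addresses unless the server is configured to log the visitor address from the `CF-Connecting-IP` header.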

lammert

2:43 pm on Apr 2, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for your thorough investigation and updating us about your findings. Good to see that you are making progress in both restoring the earnings of the site, and narrowing down to the possible causes of the problem.

janvitos

5:06 pm on Apr 2, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Thanks @lammert.

I was digging some more and found something that might be of interest.

After executing a Lighthouse run on my website in Chrome, I noticed an error message that I hadn't noticed before. Since it seems to be related to AdSense cookies, I thought I might share it here so some of you geniuses can provide insight regarding the issue.

Here's the error that was logged:

Issues were logged in the Issues panel in Chrome Devtools

SameSite cookie

/adsid/integrator.js?domain=www.example.com (adservice.google.com)
/adsid/integrator.js?domain=www.example.com (adservice.google.com.mx)
…measurement/l?ebcid=(alphanumeric identifier string)… (www.google.com)

So as recommended, I went to the Issues panel, and this is what I found:

Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute

Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

Resolve this issue by updating the attributes of the cookie:

Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests.

13 cookies
Name      Domain & Path
SID       .google.com.mx/
HSID      .google.com.mx/
SSID      .google.com.mx/
APISID    .google.com.mx/
SAPISID   .google.com.mx/
SID       .google.com/
HSID      .google.com/
SSID      .google.com/
APISID    .google.com/
SAPISID   .google.com/
SIDCC     .google.com/
DV        www.google.com/
UULE      www.google.com/

3 requests
integrator.js?domain=www.example.com
integrator.js?domain=www.example.com
l?ebcid=(alphanumeric identifier string)…(more alphanumeric identifier string)

What I understand from this is that some AdSense cookies are being blocked by the browser because they don't have the proper SameSite=None and Secure keys set. Maybe the fact that these cookies are being blocked has an impact on how AdSense detects clicks on ads? And maybe blocking First-party cookies actually disables that mechanism and prevents AdSense from wrongfully detecting the clicks on the ads? If this is the case, it would again point to a bug in AdSense and it would be Google's job to fix those cookies and add the proper SameSite keys.

According to the Chromium project ([chromium.org ]), SameSite has truly begun being enforced in July 2020. So that's not too far from November 2020 when invalid clicks started to appear on ads shown on my website. The invalid clicks could also have been happening earlier, but Google might've only tightened / enforced their AdSense invalid clicks / invalid traffic policies recently.

What do you think?


[edited by: not2easy at 7:01 pm (utc) on Apr 2, 2021]
[edit reason] anonymized code [/edit]
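
Added example, not part of any post in this thread: the SameSite rules quoted from the Issues panel above, applied to `Set-Cookie` header strings. The cookie names and values are constructed and the function names are assumptions; the one rule used beyond the quoted text is that `SameSite=None` without `Secure` is rejected.

```javascript
// Constructed Set-Cookie headers; names and values are placeholders.
const SAMPLE_COOKIES = [
  'demo_id=constructed-1; Domain=.example.com; Path=/',
  'demo_xs=constructed-2; Path=/; SameSite=None',
  'demo_ok=constructed-3; Path=/; SameSite=None; Secure',
  'demo_sess=constructed-4; Path=/; Secure; SameSite=Strict',
];

// Split a Set-Cookie header into name, value and the two attributes of interest.
function parseSetCookie(header) {
  const [pair, ...attrs] = String(header).split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    secure: false,
    sameSite: null, // raw attribute value; null when the attribute is absent
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

// Classify how a browser enforcing the SameSite defaults treats the cookie.
// crossSiteSubrequest: sent with cross-site subresource or iframe requests.
// topLevelNavigation: sent when a cross-site link navigates the top-level page (GET).
function sameSiteTreatment(header) {
  const c = parseSetCookie(header);
  const declared = (c.sameSite || '').toLowerCase();
  const base = { name: c.name, declared: c.sameSite, defaulted: false, accepted: true, issue: null };
  if (declared === 'none') {
    if (!c.secure) {
      return { ...base, accepted: false, effective: null, crossSiteSubrequest: false,
        topLevelNavigation: false, issue: 'SameSite=None requires Secure' };
    }
    return { ...base, effective: 'None', crossSiteSubrequest: true, topLevelNavigation: true };
  }
  if (declared === 'strict') {
    return { ...base, effective: 'Strict', crossSiteSubrequest: false, topLevelNavigation: false };
  }
  if (declared === 'lax') {
    return { ...base, effective: 'Lax', crossSiteSubrequest: false, topLevelNavigation: true };
  }
  // Attribute missing or not recognised: the browser falls back to Lax.
  return { ...base, defaulted: true, effective: 'Lax', crossSiteSubrequest: false,
    topLevelNavigation: true,
    issue: c.sameSite === null ? 'SameSite not set' : 'SameSite value not recognised' };
}

// Return only the cookies the Issues panel would complain about.
function auditCookies(headers) {
  return headers.map(sameSiteTreatment).filter((r) => r.issue !== null);
}
```
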
