A Pot of Fool’s Gold, the Anatomy of a Click Bomb

Early in the afternoon on April 19, we checked our dashboard to see how we performed over the weekend. Earlier that week, we had made a change to our system and I was eager to see the results.

eCPMs were up nearly 5800% from the previous week's, so either the golden goose had set up roost on our sites or something was amiss.

While it's possible the change to our system had struck gold, it quickly became apparent we weren't the only ones experiencing unusual AdSense behaviour - we were, it turns out, in the middle of a click bomb.

WTF is a click bomb?

A click bomb is an attack against an ad network, like Google AdSense or Doubleclick Ad Exchange (AdX), which inflates the click-through rates artificially. It *could* be manual, such as someone at a computer repeatedly clicking on an ad, but more often than not, it's automated - lots of bots, lots of clicks.

Click bombs generating massive amounts of invalid clicks could result in accounts being suspended or banned, though Google-owned AdSense is known to be very good at recognizing invalid activity and automagically adjusts things for publishers (clawing back from publishers and crediting advertisers).

The April 19 attack was concentrated on Google's ad tags. It's not clear whether this was a mistake by a scraper, someone trying to generate revenue, or someone just trying to mess with Google, but in all cases clicks are what get the job done. Invalid clicks are especially troublesome for Google because the majority of their demand is AdWords, and AdWords are sold on a CPC (cost per click) basis. The more clicks, the more revenue is generated for a publisher and the more an advertiser pays, and if it's all BS, the worse Google looks. AdX was also a target; whether this was on purpose or just an artifact of the targeting of AdSense, we can't tell.

Click bomb CTR

Spotting a click bomb can be challenging, but in this case it was obvious: according to our data, the attack started at 10 a.m. on the 19th, with the click-through rate jumping to 1.8% from less than 0.5% in the first hour. The click-through rate peaked at 5.19% at 5 a.m. on April 20 - a 10-fold increase! Our AdX click-through rates were also affected, peaking at 8.24%.

Though it isn't uncommon for attacks to come from a number of different IP addresses, this particular one appeared to originate largely from xlhost.com's IP address range as well as a few other networks. Most of the offending clicks originated from the U.S., though there was a large concentration of impressions coming from Nepal, India, the U.K. and Canada as well.

How to stop it once it's started?

We first did some investigation to see where clicks were coming from. AdSense reporting suggested the xlhost.com IP range was at least partly responsible. Interestingly, ad impressions were not noticeably up, only clicks, so a small amount of traffic was generating a large number of clicks. Remember that the graphs above only show average CTR; the CTR from the offending IPs would have been massively higher.
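The check described above, as an added example that is not from the original post or Sortable's systems: impressions stay flat, the blended hourly CTR jumps, and one source network shows a far higher CTR of its own. The log rows, network labels and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (hour, source network, impressions, clicks).
# Network names are placeholders, not data from the incident.
EVENTS = [
    ("09:00", "isp-a", 40000, 160), ("09:00", "isp-b", 30000, 120),
    ("09:00", "hosting-x", 500, 2),
    ("10:00", "isp-a", 40000, 168), ("10:00", "isp-b", 30000, 126),
    ("10:00", "hosting-x", 1200, 1000),
]

def ctr_by(events, key_index):
    """Aggregate impressions/clicks on one column and return {key: CTR}."""
    totals = defaultdict(lambda: [0, 0])
    for row in events:
        totals[row[key_index]][0] += row[2]
        totals[row[key_index]][1] += row[3]
    return {k: clicks / imps for k, (imps, clicks) in totals.items() if imps}

def spike_hours(events, baseline_ctr, factor=3.0):
    """Hours whose blended CTR exceeds factor x the expected baseline."""
    return sorted(h for h, c in ctr_by(events, 0).items() if c > baseline_ctr * factor)

def suspect_sources(events, hour, baseline_ctr, factor=10.0, min_clicks=50):
    """Within one hour, sources whose own CTR dwarfs the baseline.
    min_clicks avoids flagging tiny samples (e.g. 1 click on 3 impressions)."""
    in_hour = [e for e in events if e[0] == hour]
    clicks = defaultdict(int)
    for e in in_hour:
        clicks[e[1]] += e[3]
    return sorted(s for s, c in ctr_by(in_hour, 1).items()
                  if c > baseline_ctr * factor and clicks[s] >= min_clicks)

def impression_growth(events, prev_hour, hour):
    """Ratio of total impressions between two hours (about 1.0 = flat traffic)."""
    total = lambda h: sum(e[2] for e in events if e[0] == h)
    return total(hour) / total(prev_hour)

if __name__ == "__main__":
    print("blended CTR per hour:", ctr_by(EVENTS, 0))
    print("spike hours:", spike_hours(EVENTS, baseline_ctr=0.004))
    print("suspect sources at 10:00:", suspect_sources(EVENTS, "10:00", 0.004))
    print("impression growth:", impression_growth(EVENTS, "09:00", "10:00"))
```

In the constructed data the blended CTR only moves from 0.4% to about 1.8%, while the single flagged network is clicking on most of the ads it is served.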

Another theory was presented: the attacker may have used a bot to scrape websites for Google ad tags and then impersonated the original sites, generating clicks without actually visiting the sites. This could explain anecdotal reports of ads continuing to be clicked after they had been removed from publisher web sites.

Click bomb - bad impressions

We weren't 100% sure if the attacker was clicking ads on real publisher sites, or if the clicks were on impersonated sites, but as a precaution we temporarily banned traffic from xlhost.com across our network. Shortly afterwards the attack appeared to end, but it's unclear if this was entirely due to our bans, or whether Google solved the problem globally around the same time.

Google requests you fill out the Invalid Click Contact Form to tell them you don't know whether the traffic is legitimate. Unfortunately, there isn't much that can be done beyond this - only Google sees the traffic clicking in great detail, and thus is the only one that can stop the attacks.

What happens after a click bomb?

Click bomb - ecpm

At the peak of the attack, we saw our eCPM rate jump by nearly 5800% from our average rates. As the click bomb started fading, those numbers came back down to earth. Of course, Google doesn't let you keep the proceeds of the bomb: your month-end revenue under the payments section will just be lower than what your monthly report shows. Frustratingly, Google doesn't break the invalid clicks out as a separate line item, so if your earnings don't line up for the month of April and you didn't notice the click bomb on April 19 and 20, check your traffic to see if there were any tell-tale spikes.

Another frustrating artifact of the click bomb is how it messes with the averages in your reporting, because Google only strips the amount out of what they pay you, not out of the daily data.

In the long term, publishers don't have to worry too much: they can trust Google to detect and strip out the invalid clicks. We at Sortable plan to explore how other ad networks would handle similar attacks.

While click bombs are abuses of the current ad system, it's important to know this was a broad attack, and publishers affected by this particular attack don't have to worry about a long-term impact on their reputation.

While Sortable cannot always protect you from a click bomb, we can help you avoid these types of headaches by managing your ad operations, allowing you to focus on creating great content and making you more money. Check out our ad optimization technology to learn more!