Slashdot Mirror

← Back to Stories (view on slashdot.org)

Man Accused of Attempting to Extort Google

Posted by CmdrTaco on from the future-of-cybercrime dept.

sandalwood writes "A programmer has been arrested on charges of attempting to "threaten Google with a software program he devised that creates phony clicks on pop-up advertisements delivered by Google. Google pays Web site publishers companies a certain amount for legitimate hits on those ads, but Bradley created a method that generates false clicks that appeared to be real Internet traffic, which would have repeatedly defrauded Google... Bradley contacted Google in early March, informing company officials that he had created the program and wanted $100,000 to keep him from selling it to spammers, according to an affidavit by a U.S. Secret Service agent." A harbinger of organized crime to come? That's a real nice website you have here... a shame if anything were to happen to it..."

26 of 302 comments (clear)

  1. Or vice versa by Space+cowboy · · Score: 4, Interesting

    Want to really annoy your competition ? Do the same thing actually on a google search page - just make it "search" 1000 times for words that bring up your competitions 'adwords' box, then "click" the adwords link. Google then bills your competitor for the maximum (s)he specified per day/week/month and, bonus!, your competitor then drops down the rankings for which google Adword to display...

    Random words mixed in with the key ones, random delays between searches, random User-Agent, etc., etc. Seems like it would be easy to do, and hard to track...

    Simon.

    --
    Physicists get Hadrons!
    1. Re:Or vice versa by Anonymous Coward · · Score: 1, Interesting

      OK, somebody help me out here. Why is Google paying for hits on ads they deliver? Shouldn't the company be paying them? Isn't that how ads work? I display your ad and if someone clicks on it to get to your site, you pay me money for bringing them there? What am I missing here?

    2. Re:Or vice versa by psycho_tinman · · Score: 4, Interesting

      Well, I don't see how this person could offer up a tool for extortion without figuring out how to spoof IP addresses, anyway. Surely, it would raise an alert if most, if not ALL of your clickthroughs came from a single small set of IPs ? Also, one nitpick about the article, since when does Google offer popup advertising ?

      I'm quite certain plenty of programmers know how to fake clickthroughs, or they could sit down and figure it out. Spoofing IP addresses, on the other hand, would be slightly more difficult.. and there are only so many open proxies and so on.

      On a slightly more depressing note, this sounds like a perfect scheme for all those zombie machines that are being spawned out there (with email worms). Instead of doing a Distributed DOS or sending out spam (which are their current uses, and can be easily traced back), if they were used to randomly send out a few million clicks, or to host a mini link farm for Googlebot's eyes only.... the possibilities for spamming become endless. Scary thought.

    3. Re:Or vice versa by walter_kovacs · · Score: 5, Interesting

      Actually no, click fraud is a real problem with Google (and all other pay per click engines). There have been many times when my Adwords traffic has spiked, sales have plummeted and conversions gone through the floor, and I am 99% sure that it is click fraud - the logs are just FULL of proxies, and Google seems helpless to do anything about it, but still happily collects the money.

    4. Re:Or vice versa by AndroidCat · · Score: 2, Interesting

      As I said, click-through spam is old news from a few years ago. I'm sure anyone could find examples in news.admin.net-abuse.sightings if they search through GoogleGroups .. um .. or maybe not. :^P

      --
      One line blog. I hear that they're called Twitters now.
    5. Re:Or vice versa by JohnFluxx · · Score: 2, Interesting

      The argument is that the password itself counts as security through obscurity. So in that case yes slashdot does use security through obscurity.

      If instead, for example, slashdot logged you in based on your ip, then that wouldn't be security though obscurity.

  2. Would this really bother them? by slavefishy · · Score: 2, Interesting

    Apart from being threatened, surely Google have sufficiently intelligent engineers to figure out a solution to this problem?

    No doubt the software would follow a particular pattern, which even in a large amount of data, could possibly be tracked and with regards to things like open proxies, it would surprise me if Google didn't already check for things like that.

  3. Re:It's not fraud by no+haters · · Score: 3, Interesting

    How is falsely inflating banner views and click-throughs not fraud? You are defrauding the company in order that they will pay you for advertising that was never "aired" to the public.

  4. Google uses pop ups? by slash-tard · · Score: 2, Interesting

    I havent seen any, I do use the google tool bar though.

    BTW, I have also devised a program to simulate fake activity. Use any of the windows based graphical macro programs, load google, search, click the ad, save macro, repeat it in a loop. You could do this in multiple VMWare sessions if you wanted to increase your "productivity".

  5. What a daft bugger. by ackthpt · · Score: 5, Interesting
    Spammers don't need programs like that. People who have ads on their web pages and want to generate hits on the ads would want that.

    Spammers, on the other hand, have now moved onto blogs lately. Fred Rodriguez, a rider Emeryville, CA, for italian team Aqua e Sapone has spams for the usual penis enlargment, diet pills, cheap computer eqz, etc. on his guest book. Spammers got no shame, just like this fool.

    --

    A feeling of having made the same mistake before: Deja Foobar
  6. Advertising on WebPages is a Joke by stecoop · · Score: 3, Interesting

    Every SlashDotter should click on every advertisement that you see on Slashdot. Slashodot will get paid and the advertisers will get a heavy bill - everyone wins.

    That would be a nice technology to add to Mozilla 1.x where it automatically hides the advertisement and treats it like a click through where advertisers get tired of paying out.

    1. Re:Advertising on WebPages is a Joke by jasonjacks0n · · Score: 3, Interesting
      That would be a nice technology to add to Mozilla 1.x where it automatically hides the advertisement and treats it like a click through where advertisers get tired of paying out.

      Actually, I've seriously considered writing a plugin along those lines.

      My idea is more of a "reward" thing .. basically, I don't particularly want to be bothered by ads, but it would be nice if I could click on a toolbar button called something like "reward 'em" and moz would do a virtual click on every ad on the page, but loading the results into a hidden window (or, in other words, retrieve the content but never display it). Maybe moz could even do it automatically (optionally of course) .. I have a fast connection and mostly wouldn't even notice the difference.

      That way I can help ensure that my favorite sites have a revenue stream .. think of it as a guerilla micro-payment scheme.

      --
      This space intentionally left blank.
    2. Re:Advertising on WebPages is a Joke by trippccn · · Score: 3, Interesting

      Albeit a great idea, in the end this would actually hurt the /.'s of the world because advertisers would find that their advertising dollars are less and less effective, pulling their budgets. Combine that idea with this:

      When you want to buy something, say a w00t shirt from thinkgeek, instead of going straight to thinkgeek, if the user had a small search application that would instantly pull up the thinkgeek banner ad from one of their favorite publishing sites and auto-clicked on it, both the click AND the sale would be attributed to /.

  7. robots as websurfers by nuffle · · Score: 4, Interesting

    This brings up some other related concerns about having robots browse pages, even when the intent is not malicious.

    Some ads on websites are sold 'per-view' and not 'per-click', but if a web-crawling robot hits it, should it count as a view? Are the authors of these bots stealing from the advertiser?

    A while ago I wrote a bot that posts to slashdot. He even had decent Karma for a while, before getting a bit confused. In any case, my bot would usually post some links in his comments, which could have the effect of altering the target's page ranking on Google (this was not his purpose though). Am I somehow culpable for cheating Google?

    Anyway, the point is that I think robots should have some limited rights to view pages and do human-like behavior on the net.

  8. Anyone remember AllAdvantage? by cr@ckwhore · · Score: 5, Interesting

    Anyone remember the company AllAdvantage (was that really the name?) that paid users to click on ads during the dotcom boom? I remember almost everyone was into it ... people were making hundreds, even thousands of dollers per month.

    Of course, none of the ad traffic was legitimate! There were tons and tons of scripts and programs that would click the ads for you ... set it up to run all night, go to sleep, wake up rich in the morning. That's probably why the thing was so popular!

    I remember the comany would implement anti-cheat methods every couple of weeks, even to the point of tracking mouse movements ... the idea being that if the mouse wasn't moving, but clicks were coming in, then it was a cheat.

    Ok, well... as always, cheaters take things to the next level. The ultimate cheat was one that surfed the web from a pre-determined list of web sites, while randomly moving the mouse cursor around the screen, and clicking every couple of seconds. Worked like a charm!

    No more AllAdvantage.

    Google has more sophisticated technology than AllAdvantage though... its almost impossible to cheat google. Even if this dumb-ass really did write a program to click ads on his own sites, google would catch that. There's AdSense partners getting canned every day for suspicion of cheating, when sometimes it's only as simple as an innocent erroneous click on their own ads. It happens... check the adsense forums. I doubt this guy would have been able to execute much of his plan successfully.

    --
    Skiers and Riders -- http://www.snowjournal.com
    1. Re:Anyone remember AllAdvantage? by CGP314 · · Score: 4, Interesting

      Wow, I forgot all about AllAdvantage. I still have an old website on fortunecity.com plugging that service. (I sadly want to gain control of that site again, but I forgot my username/password)

      As I remember it, you didn't get paid for clicking on the ads, AllAdvantage displayed a banner ad on the bottom of your computer and paid you to `look' at it. But all it really kept track of was if the mouse was moving.

      I had a friend send me a script to move the mouse around while I slept, but AA cought on to that pretty quickly.

      So, I just tied my mouse to a rotating fan. Sometimes the simplest solution is the best.


      -Colin

  9. Prior art! by AndroidCat · · Score: 2, Interesting
    I received spam that tried to generate fake click-throughs a couple years ago. I could dig out a copy of the LART I sent with the code used to the company that was being defrauded by the fakes. (I'm sure they were real impressed with the spammer.) Nothing new here.

    Or is this like the "on the Internet" patents? "I have a spam scam that really works--on Google!"

    --
    One line blog. I hear that they're called Twitters now.
  10. Paddy Power. by Kiffer · · Score: 2, Interesting

    A harbinger of organized crime to come? That's a real nice website you have here... a shame if anything were to happen to it..."

    Allready happened in Ireland with Paddy Power

    http://www.business.com/directory/media_and_ente rt ainment/amusement_and_family_entertainment/paddy_p ower_plc/news/
    and
    http://www.cnn.com/2004/WORLD /europe/02/23/online. hackers/

    or just google for Paddy Power and hackers

  11. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  12. I did the same thing.... by DeionXxX · · Score: 4, Interesting

    I uhhh... made the same program last year in January or so at a client's request. I was skeptical that I could defraud Google's AdWords, but I ended up being successful. Out of respect, I never gave the client's his program even though it worked and sent it over to Google and told them about their vulnerability.

    Defrauding Google, is like defrauding a family member or something...

    I'm glad this ass got caught.

    -- D3X

  13. Re:It's still not fraud by Moonpie+Madness · · Score: 2, Interesting

    i understand what you are saying, but i still disagree. the clicks themselves are part of the problem. If I were stalking a girl, my talking to her on the phone would be illegal speech invirtue of what they were a part of. obviously speaking to others is not a crime, though when it is part of a pattern of harassment or extortion each action is a crime. and it is fraud, it is an attempt to impersonate a clickthrough human when in fact its a bot. This may not seem like much, but it is fraud in the literal sense

  14. Um,,, by Lord+Kano · · Score: 1, Interesting

    Is this really illegal? Seriously.

    I mean, he created a product. He was planning to sell it, but if Google is better served by that product not making it to market isn't it common sense that they might want to buy it?

    For example, if I developed a way to run my automobiles using water as fuel or to get 200 miles per gallon of gasoline ,I'd offer to sell them to the big oil companies before I went to Ford and GM.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  15. My guessing the specs by Felinoid · · Score: 5, Interesting

    Google dosen't just have text link adds on Googles website. They also have ads on OTHER peoples websites and pay those websites for that.

    With out banner adds or pop ups (Thwap the guy who called Google ads POP UPS) you'll need some software on your server to make this work.

    Im guessing this guy hacked this software so he can send bad any data he wants and is expecting Google to act like Microsoft and pay to keep it quiet.

    He picked the wrong target. Find a defect in Windows.. a nasty one.. and bribe Microsoft to stay quiet. They appear all fine with the extrotion scams and all about security by obscurity.
    (I'm joking BTW.. Try that and Microsoft will thump you something nasty AND clame your defect is fraudulent)

    --
    I don't actually exist.
  16. Similar trick... by D.+Book · · Score: 2, Interesting

    Most websites with ads these days use third-party ad networks such as ValueClick. And as someone who runs such a site I've always been worried about the possibility of this one: if some kiddie dislikes me or my website for whatever reason, it's child's play to starve it of ad revenue. Just point your proxies my site's ads and make them click. The ad network will see the click-through ratio skyrocket, and instantly conclude I'm attemtping to defraud them. My account gets suspended. The site is starved of ad revenue, and possibly blacklisted so I can't just move to another network.

    For years I've worried about this more than I do about DDoS attacks, wondering how long it would be before the kiddies take to this kind of attack. So far they haven't.

  17. Re:The fine line.... by rev_sanchez · · Score: 2, Interesting

    It's all in the marketing. He should have offered it as a "diagnostic tool" for their Ad Words feature and offered them an "exclusive partnership" with this project for $100,000.

    --
    If you didn't come to party don't bother knocking on my door. Prince '1999'
  18. Only with Google by KalvinB · · Score: 3, Interesting

    was I able to make a little over $5 with only 3 clicks on the ads I'm displaying. I used Commission Junction for about a year and racked in 70,000+ impressions with about 7000 click thrus. Didn't make a penny. That's why I went to a subscription based web-site. After a review not too long ago I decided to cut down the number of sections that require a pass. Those major sections that don't require a pass now have Google Ads.

    The rate variance is why Google doesn't tell you how much a click is worth. It varies from a few cents to a few dollars and possibly more depending on the ad. I run a programming site so I get some expensive programming ads.

    Google is being incredibly generous with their AdSense program and I would hope Google would be able to find a way to take out the idiots who try to abuse it rather than cripple the program.

    At the start all ad programs paid decently for click-thrus but morons abused it and morons ran the programs so they couldn't deal with it. Or they simply decided they could make more money if they went pay per sale since the advertisers would get the same amount (or more since web-sites got desperite and would flood visiters) of exposure for a lot less money.

    It's an absolutly retarded program from a publisher's view. You basically have to sell the ad. You have to dedicate the page the ad is on to the ad so that people will buy what the ad is selling. The standard is about a 1.0% click-thru rate. And of those you now have a fraction of a percent that will compulsive buy. I had one text ad with Commission Junction that did a 10% click thru rate. But I would only get paid if someone bought the book right then. Nobody did so I never got paid. But the seller got lots of free publicity.

    One major game development web-site I know has basically signed up for every ad program on the planet and then ran it through their custom script that selects which program to display an ad from to the visitor. I noticed they have Google Adsense worked into the mix as well. I have to wonder how much that stupid monkey and other flashing banners are worth that they don't just stick with Google and dump the rest of the ad systems.

    Ben

    --
    Work Safe Porn