AdSense click-bombing is one of the most malicious attacks that can plague an online business. For the uninitiated, this type of attack aims to generate a large number of AdSense ad clicks over a short period of time. Google is extremely strict about fake clicks and unnatural volumes of ad clicks, so much so that an attack can easily lead to the user’s AdSense account being permanently banned.

Background 

A husband-and-wife business duo reached out to report unnaturally large numbers of clicks coming from a USA-based visitor. They investigated immediately to learn that all of the clicks were direct visits, and all seemed to be targeting one particular ad.  

Their web-based app is their main source of income. Suspecting sabotage attempts from a competitor, or a malicious bot, they worked quickly to identify the issue. Fully aware that Google may discover this and flag it as fraudulent tampering, they attempted to remedy the situation by taking the following steps:  

  • They blocked the user-agent of the visitor.
  • They completely archived and removed ad codes from their website.  
  • They purged all of the caches on the web server.

Despite their attempts, the malicious clicks just kept coming. Their CTR was through the roof! From the picture below, you can see that only 11 impressions generated 239 clicks. In layman’s terms, it would mean that someone visited the website 11 times and clicked on an ad a total of 239 times.

On closer inspection, all of the visits came from a single device – SM-6960U. This is a model number for a Samsung Galaxy S9. Whether or not this was the exact device isn’t certain, as these IDs can be faked and spoofed with ease.
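The signal described above (far more clicks than impressions from one visitor, all direct visits, all on one ad) can be checked against your own event logs. The Python below is an added example, not code from the original post; the event fields, the thresholds, the "Pixel 7" visitors and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                 # assumed log schema, not an AdSense format
    ip: str                  # visitor IP
    device: str              # reported device model (can be spoofed)
    referrer: str            # "" means a direct visit
    kind: str                # "impression" or "click"
    ad_slot: str

def find_click_bombers(events, max_ctr=0.5, min_clicks=10):
    """Flag (ip, device) pairs whose clicks far exceed their impressions.
    max_ctr and min_clicks are illustrative thresholds; tune to your traffic."""
    stats = defaultdict(lambda: {"impression": 0, "click": 0,
                                 "direct": 0, "slots": Counter()})
    for e in events:
        if e.kind not in ("impression", "click"):
            continue
        s = stats[(e.ip, e.device)]
        s[e.kind] += 1
        if e.kind == "click":
            s["slots"][e.ad_slot] += 1
            s["direct"] += int(e.referrer == "")
    flagged = {}
    for visitor, s in stats.items():
        clicks, imps = s["click"], s["impression"]
        ctr = clicks / max(imps, 1)      # clicks without impressions still count
        if clicks >= min_clicks and ctr > max_ctr:
            slot, slot_clicks = s["slots"].most_common(1)[0]
            flagged[visitor] = {
                "impressions": imps, "clicks": clicks, "ctr": round(ctr, 2),
                "direct_share": s["direct"] / clicks,
                "top_slot": slot, "top_slot_share": slot_clicks / clicks}
    return flagged

def constructed_sample():
    """Constructed events mirroring the case above: 11 impressions, 239 clicks."""
    bad = ("198.51.100.7", "SM-6960U", "")            # documentation-range IP
    events = [Event(*bad, "impression", "slot-a")] * 11
    events += [Event(*bad, "click", "slot-a")] * 239
    for i in range(1, 21):                            # 20 ordinary visitors
        ok = (f"203.0.113.{i}", "Pixel 7", "https://www.google.com/")
        events += [Event(*ok, "impression", "slot-b")] * 5
    events.append(Event("203.0.113.1", "Pixel 7", "https://www.google.com/",
                        "click", "slot-b"))
    return events

if __name__ == "__main__":
    for visitor, evidence in find_click_bombers(constructed_sample()).items():
        print(visitor, evidence)
```

The per-visitor evidence it returns (impressions, clicks, share of direct visits, most-clicked slot) is the kind of detail worth attaching to a report of invalid clicks.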

Analysis and Implementation 

Once this project was awarded, I took the following corrective actions to help the business recover:

  • I installed Stat Counter – the client only had Google Analytics at the time. Stat Counter had an advantage, letting us immediately pinpoint the visitor’s IP address and find out their location. I reported my findings to Google immediately on discovery.  
  • I advised the client to purchase Cloudflare Premium. This would allow them to block the user’s IP address.
  • This still didn’t stop the clicks from coming. From this point on, I assumed that the visitor was using a VPN of some kind to click-bomb my client’s website. I have a private database of all of the VPN IPs. I blocked all of them from accessing the website.  
  • I discovered a lot of AdSense users reported similar issues. I concluded that this was either a malicious bot or a bug in Google’s AdSense.  

After a few days, blocking the VPNs proved to be successful. There were no more malicious clicks. I submitted a detailed report of my findings to Google, for further investigation. Google responded saying that they discovered the root cause, but couldn’t reproduce the issue again. They asked us to report back to them if another incident like this occurs.  

Aftermath and Useful Advice 

Following the incident, the website’s SEO took a hit. Fortunately, it is slowly recovering, regaining its deteriorated ranking and lost visitors.

If this or something similar ever happens to you, be sure to report it to the Google AdSense Team as soon as you can. You can use the Invalid Clicks Contact Form. Be sure to provide all of your traffic logs and as many details as you can. Additionally, you can use tools like Stat Counter or Imperva to block the IP address of the malicious visitor. If you are using WordPress, you can use a plugin such as WP Advanced Ads to only allow search engine visitors to see the ads.