New email extortion scams that combine elements of distributed denial of service (DDoS) attacks and “click fraud” have been spotted in the wild. The would-be extortionists are targeting publishers with websites that are monetized with Google AdSense, threatening to use bots to generate fraudulent traffic.
A new twist on email extortion scams?
To understand how these new email extortion scams work, you need to understand a little about internet advertising.
Websites that publish content and monetize it with ads, such as blogs and magazines, often make use of services like Google AdSense to bring in revenue. AdSense automatically serves targeted ads to site visitors based on demographic data it has gathered about them. These internet advertising programs are sometimes run on a “pay per view” basis, but are much more frequently a “pay per click” model. The website hosting the ad gets paid based on the amount of people that click through the ads it is displaying.
Naturally, possibilities for fraud exist by generating fake traffic that appears to be actual people clicking on ads. Google and similar ad networks have anti-fraud detection measures in place to thwart such actions. If Google detects attempted “click fraud” it can suspend the site’s ad account, or even potentially close it for good.
Click fraud is nothing new. People have used it for years to not only pump up their own ad revenue, but also harm competitors. However, these things are usually done in the shadows. The new and novel twist here is the extortion attempt in advance by email.
Krebs on Security published an example message from one of these email extortion scams, sent to an anonymous publisher from a group calling itself Adsense Syndicate. Written in broken English, the email reads as follows:
“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”
The extortionists conclude with a demand to be paid $5,000 in Bitcoin within 72 hours.
Is this scam a serious concern?
To the casual observer, this might initially seem to be a laughable extortion attempt. Couldn’t a publisher simply take the threatening email to Google as evidence of the cause of an unusual surge in questionable traffic?
Perhaps, but this scam plays on the fact that Google is notoriously hard to communicate with. It tends to be very difficult to get in touch with an actual person, even for publishers that do substantial business through their AdSense program. The company relies heavily on automated tools and algorithm for detection of fraud, enforcement, and the handling of complaints in the aftermath.
The criminals behind these email extortion scams are betting that at least some publishers will see a payoff as a cheaper option than potentially having an account suspended and then being unable to contact Google to straighten the matter out.
For their part, Google characterizes this type of attack as “extremely rare in practice” and claims it has “extensive” tools and processes in place to recognize and filter out inauthentic traffic. The company refers publishers to a contact form (available once signed into an AdSense account) meant for attempts at sabotage and advises them to have no further contact with the scammers.
For this scam to be plausible, the attackers would need to demonstrate that they can reliably defeat Google’s automated security methods with their botnet and tools. Google has been grappling with click fraud for years now, though the battle to this point has centered more on shady sites attempting to enrich themselves with fake clicks than threats of spiked traffic. The company’s annual “bad ads” report provides some insight into this process and its efficacy. The most recent report, published in March 2019, indicates that the company removed ads from 28 million webpages and 1.5 million apps in 2018. Though Google has faced criticism for being too passive in addressing click fraud, the company revealed that it worked with the FBI in 2018 to take down a particularly large and sophisticated international ad fraud scheme that would be on the scale of what the current email extortion scams are threatening to do.
Nevertheless, some security analysts feel that this may actually be a viable emerging field of cyber crime given the sophistication and recent prevalence of DDos-based attacks. As Deepak Patel, security evangelist at PerimeterX, observed: “The new wave of business logic attacks are using advanced bots that can mimic human behavior and use hyper-distributed IPs to cause serious disruptions. With dwindling revenues from network DDoS attacks and increasing access to low-cost infrastructure, attackers are improvising and moving up the chain.”
Another factor is the somewhat limited scope of sites earning significant enough revenue from AdSense to be a viable target. Using this case as an example, the ransom demand of $5,000 would be excessive unless the site was making that much on at least about a weekly basis. AdSense clicks pay anywhere from about two cents to $1 USD each. The average click-through rate varies by industry but was about 3.17% in 2019 across all types of businesses. Sites that could viably be extorted in this way would thus be limited to those seeing at least hundreds of thousands of unique verifiable visitors per week, if not in the millions. At a “pay per impression” rate (about $1 for every 1,000 impressions), a site would need to be drawing at least a few million visitors per week to even consider making this payment. Relatively few sites manage to do those kinds of numbers.
The email extortion scamsters could simply scale down their demands, but they would quickly hit a point at which hiring humans (at a “click farm” or something similar) to assist would be cost-prohibitive. They would depend entirely on access to a substantial botnet combined with advanced methods capable of fooling Google, which would narrow the pool of potential perpetrators down considerably.
Though it is highly likely that whoever is currently perpetrating these email extortion scams is blowing hot air, this method is far from impossible. Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, has some advice for publishers who display AdSense ads and are concerned about this scheme: “Deploying a web application firewall (WAF), enhanced with a bot filtering system, may considerably reduce the risks of falling victim to this emerging vector of digital blackmailing.”