
Man Accused of Attempting to Extort Google

sandalwood writes "A programmer has been arrested on charges of attempting to "threaten Google with a software program he devised that creates phony clicks on pop-up advertisements delivered by Google. Google pays Web site publishers companies a certain amount for legitimate hits on those ads, but Bradley created a method that generates false clicks that appeared to be real Internet traffic, which would have repeatedly defrauded Google... Bradley contacted Google in early March, informing company officials that he had created the program and wanted $100,000 to keep him from selling it to spammers, according to an affidavit by a U.S. Secret Service agent." A harbinger of organized crime to come? That's a real nice website you have here... a shame if anything were to happen to it..."

  • Re:Or vice versa (Score:5, Informative)

    by stonebeat.org ( 562495 ) on Monday March 22, 2004 @10:49AM (#8633911) Homepage
    Actually, this will not work. Google uses statistical data to stop the user from doing this. It will almost have to be a DDOS attack (i.e. have thousands of IP addresses click on the AD) to pull this off. In that case it would be much easier just to DDOS the website of your competitor. Just like what happened to SCO.com
  • Re:It's not fraud (Score:2, Informative)

    by Moonpie Madness ( 764217 ) on Monday March 22, 2004 @10:49AM (#8633915)
    He didn't click on banners and is not charged with doing so. He is charged with threatening to harm their ability to make money, the means to which are clearly wrong. He said 'gimme some money, or i release a nefarious program' that request is the crime, not the actions themselves.
  • How IS it fraud? (Score:1, Informative)

    by Anonymous Coward on Monday March 22, 2004 @10:53AM (#8633957)
    "How is falsely inflating banner views and click-throughs not fraud?"

    You'd be better off asking if it IS fraud.

    "You are defrauding the company in order..."

    No fraud is possible doing clicks like this. The crime is the guy's extortion threat.
  • by 0x0d0a ( 568518 ) on Monday March 22, 2004 @10:56AM (#8633996) Journal
    I've yet to see Web-based advertising of Google, much less pop-up advertising. This makes me think that the story is simply wrong, and reversed the roles.

    * Google does not provide "pop-up ads". They provide text-based ads.

    * Google does not pay website owners for AdWords. The owners pay Google for advertising space on Google.

    This is my 5000th post.
  • by blorg ( 726186 ) on Monday March 22, 2004 @11:07AM (#8634112)
    Ironically, while that exact search does actually come up with 0 results, there are 5 'sponsored links' offering 'Secrets behind AdWords', 'Create AdWords Cash' and so on...
  • Re:Or vice versa (Score:5, Informative)

    by AndroidCat ( 229562 ) on Monday March 22, 2004 @11:08AM (#8634118) Homepage
    That's why the article mentions spammers. The (old) trick works by sending out spam that generates a click-through when someone opens the email. (Or previews it in LookOut.) That way it comes from a whole bunch of IP addresses of people dumb enough to allow HTML script to run in their email.
  • by Exodious ( 49817 ) <<moc.liamg> <ta> <suoidoxe>> on Monday March 22, 2004 @11:14AM (#8634184)
    * Google does not pay website owners for AdWords. The owners pay Google for advertising space on Google.
    Not true. You can use their adsense program. I think /. uses it sometimes as well.
    http://www.google.com/services/ [google.com] http://www.google.com/adsense [google.com]
  • by blorg ( 726186 ) on Monday March 22, 2004 @11:15AM (#8634202)
    If I'm actually looking to buy something, and I see an ad that is *relevant*, sure I'll click on it. We advertise heavily on AdWords ourselves and get a phenomenal amount of traffic on them, with click-throughs over 25% on certain keyword combinations.
  • by nsingapu ( 658028 ) on Monday March 22, 2004 @11:23AM (#8634282) Homepage
    Google does not pay website owners for AdWords. The owners pay Google for advertising space on Google.

    Google does pay website owners for displaying adwords, in its adsense program [google.com].

    The problem with the guy's attempted extortion is that google charges advertisers more than it pays out on the ads, and as such this guy's program, if successful, still makes google a buck. That said the amount advertisers pay on ads is determined by a number of criteria such as CTR (which is why google's ads are generally of good quality; better, more relevant, and therefore more clickable ads can be put in top positions for less than irrelevant ads) and as such something of this nature could potentially really screw up advertising related statistics and revenue for google.
  • by Anonymous Coward on Monday March 22, 2004 @11:23AM (#8634285)
    I believe that we are talking about the google sidebar ads. This program could be devastating for a small time organization trying out the ad system provided as a single run could quickly bust the advertisement budget - Contrary to what someone else mentioned it does not take a DDOS like run or attack to do that, just target the specific keywords that a site uses and bam! Disaster is knocking. Hope google at least makes sure the clickthrough is based on unique IP's in the future. That would make it a little harder for such a program... but alas not impossible.
  • by Len ( 89493 ) on Monday March 22, 2004 @11:26AM (#8634316)
    A harbinger of organized crime to come? That's a real nice website you have here... a shame if anything were to happen to it...
    This has been going on for a while. Just last week, for instance, [theregister.co.uk] some bookie sites in the UK were DoS'd and then received demands for money.
  • Re:Or vice versa (Score:3, Informative)

    by AndroidCat ( 229562 ) on Monday March 22, 2004 @11:41AM (#8634465) Homepage
    Yep, too late--some damned fool [google.ca] already posted about that trick to news.admin.net-abuse.email back in May of 2001. D'OH! :^)
  • Re:Or vice versa (Score:1, Informative)

    by Anonymous Coward on Monday March 22, 2004 @11:42AM (#8634469)
    1. Company pays google to create ads

    2. You to place those ads on your site

    3. Google pays you a fraction of the ad revenue
  • Re:Or vice versa (Score:3, Informative)

    by Anonymous Coward on Monday March 22, 2004 @11:43AM (#8634481)
    There are valid methods for doing this. I know more than one, originally I was going to post it, but greedy slimy business men might read this and get a programmer to write it. A little unknown fact, right from a GOOGLE engineer, and I quote "We DO NOT check for spam clicking". Guys, THIS IS ALREADY BEING DONE. THIS is not new news. I hope the FBI does their job and get the a--holes that are doing. Google is not the ONLY victim, Looksmart, overture ( yes overture, i know about the split servers to prevent double clicking, might want to try a more elegant solution) . While this is not rampant, it is being done in HIGHLY competitive spaces. I know for a fact these devices are in place.

    Google, and the other search engines know about this, and have done very little to stop mass clicking.

    This costs the small companies a lot of cash, because you will have bigger entities running a software application and bringing up their PPC costs. Plus the fact, most smaller companies are not as adept in PPC marketing.

    Sincerely,

    Anonymous Coward
  • by mystery_bowler ( 472698 ) on Monday March 22, 2004 @11:48AM (#8634542) Homepage
    ...but...

    extortion != organized crime

    This is one programmer acting alone (and stupidly). Organized crime requires an organization. If the programmer had been hired by someone else who had the idea to extort Google but not the technical know-how, this would be organized crime.
  • Re:Wacky myths (Score:2, Informative)

    by goatan ( 673464 ) <ian.hearn@rpa.gsi.gov.uk> on Monday March 22, 2004 @11:51AM (#8634581) Journal
    Check out when the car seat-belt was introduced. Exactly when the patent expired! It was offered to all car manufacturers to save lives - exactly none of them touched it, until the patent expired and they did not have to pay for it

    Untrue. As the following timeline shows, there were seat belts of different types on cars before and after the patent was issued

    1930's Several U.S. physicians equip their own cars with lap belts and begin urging manufacturers to provide them in all new cars

    1954 Sports Car Club of America requires competing drivers to wear lap belts

    1955 Society of Automotive Engineers (SAE) appoints Motor Vehicle Seat Belt Committee

    1956 Volvo markets 2-point cross-chest diagonal belt as accessory; Ford and Chrysler offer lap belts in front as option on some models; Ford begins 2-year ad campaign based on safety, focusing heavily on belts

    1957 Volvo provides anchors for 2-point diagonal belts in front

    1958 Nils Bohlin, a design engineer with Volvo in Sweden, patents the "Basics of Proper Restraint Systems for Car Occupants," better known as a three-point safety belt. The device comprises two straps, a lap strap and shoulder strap. ** Volvo provides anchors for 2-point diagonal belts in rear

    1959 Volvo introduces 3-point belt in front as standard, in Sweden

    1961 SAE issues standard for U.S. seat belts (J4); Standards Association of Australia issues standard for "safety belts and harness assemblies"

    1962 U.S. manufacturers provide seat belt anchors in front outboard as standard

    1963 Volvo introduces 3-point belt in front as standard, in USA; SAE issues revised standard (J4a)

    1964 Most U.S. manufacturers provide lap belts at front outboard seat positions; Victoria and South Australia require seat belt anchorages at front outboard positions in new cars (either 2- or 3-point permitted)

    1965 U.S. Commerce Dept. issues first seat belt standard (adopted SAE standard); SAE issues revised standard (J4c); Some U.S. manufacturers provide automatic locking retractors (ALRs) in front seat belts

    1966 Swedish regulations prohibit 2-point cross-chest diagonal belt at seats next to a door, and Y-type of 3-point belt altogether; U.S. Commerce Dept. issues revised seat belt standard (SAE j4c); Sports Car Club of America requires competing drivers to wear a shoulder harness as well as a lap belt (perhaps 1967, according to ref. 131)

    1967 Society of Automotive Engineers study at UCLA leads to calls for two-point seat belts, highback seats and other occupant protection strategies for school buses. Volvo introduces 3-point belt in rear as standard, certain markets; Great Britain requires 3-points in front outboard positions; Australian standard for belt anchorages issued; South Australia requires seat belts (lap belts OK) at front outboard positions

    1968 Volvo provides emergency locking retractors (ELRs) as standard in front, in Sweden; Great Britain requires retrofit of 3-point belts in front in MY 65 and newer cars; Many U.S. cars this MY provide ELRs. 3 point harness is now legislation in the US.

    1969 Sweden requires 3-point belts of approved type in front seats. Volvo provides 3-point belt in rear as standard, all markets; Mercedes-Benz adds 3-point belt in rear outboard seats as standard, all markets; Japan requires seat belts, front and rear; Australia requires 3-point belts, front outboard seats, all cars registered since 1965

    1970 Sweden requires belts in rear (diagonal and static allowed; lap-only not approved); Victoria, Australia requires 3-point belts, front and rear and mandates use, front and rear

    1971 Volvo provides ELRs as standard in rear, all markets; NHTSA amends FMVSS 208 to require passive restraints in front, to be effective

    1973 New South Wales requires use of seat belts

    1972 Volvo introduces adjustable B-post anchor point (not standa

  • by LetterJ ( 3524 ) <j@wynia.org> on Monday March 22, 2004 @12:10PM (#8634818) Homepage
    A buck or 2? You should check out what they're paying in categories like home mortgages. In lots of those categories, the rates are closer to $10-15 PER CLICK. In most categories of pay-per-click engines, it's really difficult to stay under $0.50 or even a dollar.
  • by fuzzybunny ( 112938 ) on Monday March 22, 2004 @12:20PM (#8634927) Homepage Journal
    Google doesn't, and this is outside the scope of this article, but I've seen phony pop-ups delivered by quite a few scam sites. They'll use the (now "fixed") IE bug of URL forgery (create a link using http://www.google.com%01%00@badsite.com and IE only sees http://www.google.com), have badsite.com be nothing but a pass-through redirect to google.com with a few web bugs and stuff, and pop up an ad purporting to originate with google.)

    You get this quite a lot with amazon and paypal among others, both for people phishing for account details, and for unscrupulous advertisers trying to present their 'product' as something originating with the legitimate site that loads in the background.

    Microsoft issued a patch which flat-out prohibits use of '@' in http URLs without some registry changes. Maybe the authors just got their facts mixed a bit.
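
    The '@' trick this comment describes puts the lure in the URL's userinfo field, while the host actually contacted is whatever follows the last '@'. A defensive check for that pattern, as an added example that is not part of the original comment (the names `inspect_url` and `flagged` and the finding labels are made up for this sketch; the second and third sample URLs are constructed):

```python
import re
from urllib.parse import urlsplit, unquote

# A userinfo string shaped like a DNS name is the lure described above.
HOST_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def _is_control(ch):
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def inspect_url(url):
    """Report the host a URL really targets and any userinfo-based deception."""
    parts = urlsplit(url)
    findings = []
    lure = None
    if "@" in parts.netloc:
        findings.append("userinfo-present")
        # Everything before the LAST '@' is userinfo; drop an optional ':password'.
        userinfo = parts.netloc.rpartition("@")[0]
        decoded = unquote(userinfo.split(":", 1)[0])
        # Encoded control bytes (%01, %00) were used to truncate what the
        # address bar displayed, so their presence is a strong signal.
        if any(_is_control(ch) for ch in decoded):
            findings.append("control-chars-in-userinfo")
        visible = "".join(ch for ch in decoded if not _is_control(ch)).lower()
        if HOST_LIKE.match(visible):
            findings.append("userinfo-looks-like-host")
            lure = visible
    return {"real_host": parts.hostname, "lure": lure, "findings": findings}


# Sample input: the first URL is the one quoted in the comment,
# the other two are constructed for contrast.
SAMPLE_URLS = [
    "http://www.google.com%01%00@badsite.com/",
    "http://www.google.com/",
    "ftp://alice:secret@files.example.org/",
]


def flagged(urls=SAMPLE_URLS):
    """Return (url, lure, real_host) for URLs whose userinfo imitates a host."""
    hits = []
    for url in urls:
        report = inspect_url(url)
        if report["lure"] is not None:
            hits.append((url, report["lure"], report["real_host"]))
    return hits


if __name__ == "__main__":
    for url, lure, real in flagged():
        print(f"{url}: shows {lure!r}, connects to {real!r}")
```
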
  • Re:Or vice versa (Score:3, Informative)

    by Permission Denied ( 551645 ) on Monday March 22, 2004 @12:35PM (#8635098) Journal
    The (old) trick works by sending out spam that generates a click-through when someone opens the email.

    Presumably Google is smart enough to check referer logs when charging for adwords. If they don't check referers, a much simpler and more reliable attack is to embed a 1px by 1px iframe in your own high-traffic website.

  • 25%, I shit you not (Score:4, Informative)

    by blorg ( 726186 ) on Monday March 22, 2004 @01:14PM (#8635577)
    That 25% is only on a few very specific search phrases, but we honestly do get that high on those phrases. The reason is that for those phrases we are more relevant than the actual search results *in our geographic area*.

    We get 10%+ click-through on the most completely generic term for the site. It could possibly be higher, but we also rank first in the normal search results for that term, if you limit your search to one particular country or use the country name as part of the search. Being able to limit AdWords to individual countries is one of the great things about Google - Overture isn't half as good in this regard.

    Our *average* click-through over all phrases is much lower, at 3%, largely because with a lot of the other product words we use, people *would* be just searching for information on the product, rather than with a view to purchase. We could raise the click-through by only displaying ad if the search term included words such as 'buy', 'purchase', etc. but 3% is well above Google's cut-off and we aren't paying for the extra impressions, only the clicks, so this suits us fine. We still rank first on most of these search terms (e.g. competing AdWords are seen as less relevant).
  • Re:Or vice versa (Score:5, Informative)

    by Camel Pilot ( 78781 ) on Monday March 22, 2004 @01:50PM (#8635948) Homepage Journal
    I have had similar experiences. Overture (aka yahoo) attempts to console you with their Click Protection buzz words. But in reality they do not filter out even the most basic fraudulent clicks.

    Here is a summary of my recent experience with Overture's Click Protection [perlworks.com] program. Overture e-mail responses are almost unbelievable.
    Overture claims to provide "Click Protection" for their pay-per-click advertising service. In reality they fail to prevent the most basic and easiest to detect non-authentic clicks - that is competitors clicking on competitors. They do not even filter out a customer clicking on their own links from within the Overture manager. Nor do they provide a method for an advertiser to test their own ad rendered URL's - a necessary function as a means to test the validity of an entered URL. Since filtering out such clicks would be simple and straightforward using established cookies or session id's - I can only speculate the reasons for not patching this obvious flaw and question the "sophistication" of Overture's "Click Protection".
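
    The session-based filtering this comment asks for can be sketched in a few lines. This is an added example, not part of the original comment and not Overture's or Google's code: the click record fields, the `ADS` table, the verdict labels and the one-hour repeat window are all assumptions, and the sample clicks are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Click:
    ts: int                     # seconds
    ad_id: str
    session_id: str             # cookie / session id set by the ad network
    account_id: Optional[str]   # advertiser account logged in on this session
    source: str                 # "search" or "manager" (the management UI)


# Constructed: ad -> (owning advertiser account, keyword it is bid on)
ADS = {
    "ad-1": ("acct-A", "mortgage"),
    "ad-2": ("acct-B", "mortgage"),
    "ad-3": ("acct-C", "perl books"),
}


def classify(clicks, ads=ADS, dedupe_window=3600):
    """Label each click; only 'billable' ones should be charged."""
    keywords_by_account = {}
    for owner, keyword in ads.values():
        keywords_by_account.setdefault(owner, set()).add(keyword)
    last_billed = {}            # (session, ad) -> time of last billed click
    labelled = []
    for c in sorted(clicks, key=lambda c: c.ts):
        owner, keyword = ads[c.ad_id]
        key = (c.session_id, c.ad_id)
        if c.source == "manager":
            verdict = "manager-preview"      # advertiser testing the ad URL
        elif c.account_id == owner:
            verdict = "self-click"
        elif c.account_id is not None and keyword in keywords_by_account.get(c.account_id, ()):
            verdict = "competitor-click"     # session belongs to a rival bidder
        elif key in last_billed and c.ts - last_billed[key] < dedupe_window:
            verdict = "duplicate"
        else:
            verdict = "billable"
            last_billed[key] = c.ts
        labelled.append((c, verdict))
    return labelled


# Constructed sample clicks
SAMPLE = [
    Click(1000, "ad-1", "s1", None, "search"),
    Click(1010, "ad-1", "s1", None, "search"),
    Click(1020, "ad-1", "s2", "acct-A", "manager"),
    Click(1030, "ad-1", "s2", "acct-A", "search"),
    Click(1040, "ad-1", "s3", "acct-B", "search"),
    Click(1050, "ad-3", "s3", "acct-B", "search"),
    Click(5000, "ad-1", "s1", None, "search"),
]


def verdicts(clicks=SAMPLE):
    return [verdict for _, verdict in classify(clicks)]


if __name__ == "__main__":
    for click, verdict in classify(SAMPLE):
        print(click.ts, click.ad_id, click.session_id, verdict)
```

    A filter like this only catches clicks that carry the network's own session state; clicks arriving without it need the statistical checks other comments in this thread mention.
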
  • Re:Or vice versa (Score:2, Informative)

    by SnappleMaster ( 465729 ) on Monday March 22, 2004 @02:11PM (#8636213)
    Security through obscurity is not bad. But if a system relies upon it as a main line of defense, the system is flawed. The moment the obscurity is broken, the system is compromised.

    Obscurity can be broken trivially. But security cannot be broken by a simple discovery of a hole in the algorithm.

    Why should we "brainstorm" against a system that is secure only through obscurity? Because someone *will* break the "security" and then all users will be screwed. Better to do it sooner than later and force it to be improved.
  • Re:Or vice versa (Score:2, Informative)

    by SnappleMaster ( 465729 ) on Monday March 22, 2004 @02:15PM (#8636254)
    "If they don't check referers, a much simpler and more reliable attack is to embed a 1px by 1px iframe in your own high-traffic website."

    That's silly. For one thing, how many of us own a high-traffic website? For another, if you're going to do that why not just write a script to hammer google with requests? Would google really care about the difference? If they see a high-traffic website hammering them and suspect foul play they'll examine the source and see that it is malicious. In the end they'll consider you as bad as the script kiddie.
  • Not too original (Score:2, Informative)

    by Anonymous Coward on Monday March 22, 2004 @02:30PM (#8636387)
    Posting anonymously because I should :)

    Anyone remember those annoying click competitions that were popular last year? Someone sends you a link, you click on it, and you added one thug to their gang or one prostitute to their harem or something. The strongest gang/pimp/whatever at the end of the month wins a ps2 or other prize. Well, being the perl monk I am, I decided to help a friend of mine win himself a ps2.

    First step was to get a list of proxies. Not too hard there. I remember 10-15 websites that listed anywhere from 100 to 2000 open web proxies each. I wrote a quick perl script to scrape the page for the host and port (was a nice script, even worked inside tables) and write them to a file. I had a second script that actually tested those proxies. I ended up with around 5000 working proxy servers.

    The next step was to write a script to attach to the proxy, click the link, follow the redirect, load all images, and verify that everything worked. I love pthreads :)

    Every day I'd run that script and he'd get another 5k thugs. He actually won 3 months in a row. I think he got a ps2, GBA, and a $200 amazon.com gift certificate (which he promptly gave to yours truly :).

    Anyway, the point of this is that it's not too tough to use proxies to defraud pay-per-click stuff. You can use it to your benefit to earn yourself some fraudulent $. You can use it to your benefit to cost your competitors $ (via pay-per-click adwords). Or you can use it to vote in online polls (Ever wonder how those votes on MTV change drastically in the last few minutes? Thank Larry Wall!)
  • Re:Or vice versa (Score:4, Informative)

    by vrai ( 521708 ) on Monday March 22, 2004 @02:34PM (#8636424)
    The slashdot password system is not security through obscurity. It's a (hopefully) secure system that relies on a private token. Anyone can download the source code to Slashdot, but knowledge of how it works doesn't allow you to compromise any given account.

    As a more common example, take PGP. PGP uses a well known algorithm, but that does not make PGP insecure. Even if you steal a person's private key - you can only compromise their data, other PGP users are safe.

    Security through obscurity is when a system is only secure if its workings/algorithms remain secret. For any system that is to be distributed outside of a controlled environment this is a very bad idea, as it's almost guaranteed that someone will crack it.

  • by leviramsey ( 248057 ) * on Monday March 22, 2004 @03:42PM (#8637053) Journal

    There's a few gangs based in Eastern Europe that are using Windows machines infected with viruses/worms to DDoS gambling sites unless $5,000/month in protection money is paid up.

    And let's not forget SCO...

  • by 0x0d0a ( 568518 ) on Monday March 22, 2004 @03:49PM (#8637101) Journal
    It amazes me the number of people that talk about IP spoofing. All their wild theories can be shot down by asking "What happens when you send out that first packet and it comes back to confirm it?"

    TCP spoofing is quite possible. It's just difficult, and has become progressively more difficult.

    Say we have just the idea of a basic handshake (without worrying about the way TCP works for a moment). Host A sends a packet to Host C purporting to come from Host B. Host C sends a packet to Host B saying "you really want to open this connection?". Host A waits a short period of time, then sends another packet to Host C claiming to be from Host B saying "yup, open it". Handshake completed.

    Now, in TCP world, there are a couple of complications. First, Host B is supposed to respond back when it gets the "do you want to open this packet" question from Host C with a "Nope, blow away the connection" response. So, just for starters, Host B has to be unresponsive. That means that it might be a good idea for Host C to compromise a bunch of hosts and flood Host B starting sometime before sending that first forged packet to Host A. This bumps Host B's packet loss rate up to, say, 90%. That means that there's an awfully good chance that the "Do you want to connect" message never gets through to B...all C has is the forged response from A, so it considers the response valid and opens the connection.

    Then we have sequence numbers. TCP uses sequence numbers to ensure that packets don't get lost or out of order. A's bogus response to C has to have a sequence number based on the number that A included in its "do you want to connect" message to B. The traditional way to get around this was to have C try to open a (non-forged) connection to A. A's response contains a sequence number. C ignores this response, and when A sends out its first packet to B, as long as nobody else has opened any connections in the interim, it uses a starting sequence number that is, say, one greater than the previous starting sequence number. At least, there is some form of correlation that C can use to determine the sequence number being sent to B that will allow it to forge a packet with a valid sequence number.

    Most modern machines, to avoid exactly this sort of attack, generate an "unpredictable" number. However, since entropy (I guess you'd call entropy "stored unpredictability" -- data based entirely on unpredictable events from outside the computer's operating environment) comes in at a pretty limited rate in a typical machine, machines tend to just mangle some data in a hard-to-predict manner and use it to derive a starting sequence number for the next connection. Ideally, this sequence number cannot be predicted by host A -- in reality, it's possible that host A might manage to do so, if controlled by someone that's figured out a way to predict the output of the algorithm being used by host C.

    If the A and C machines are both on a fast network (a business or university, say), it might even be possible to forge a connection through brute-force guessing of the next sequence number.

    So, spoofing a TCP connection is difficult, but feasible. TCP is definitely not considered to be secure as a cryptographer would consider something to be secure.

    So it's a good move to avoid using IP-based authentication.
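
    The sequence-number point in the comment above is the reason initial sequence numbers are now derived per connection from a secret. The sketch below is an added example, not part of the original comment: it compares a single global counter with the construction from RFC 6528, ISN = M + F(localip, localport, remoteip, remoteport, secretkey), where M is a 4-microsecond timer. HMAC-SHA256 as F, the fixed demo secret, the counter step and the addresses are assumptions chosen for the sketch, and "server", "observer" and "peer" are its own labels, not the comment's Host A/B/C.

```python
import hashlib
import hmac
import socket
import struct

MOD = 2 ** 32


class CounterISN:
    """Predictable scheme: one global counter bumped by a fixed step."""

    def __init__(self, start=1000, step=64000):
        self.value, self.step = start, step

    def next_isn(self, four_tuple, now_us):
        self.value = (self.value + self.step) % MOD
        return self.value


class KeyedISN:
    """RFC 6528 shape: ISN = M + F(four-tuple, secret)."""

    def __init__(self, secret):
        self.secret = secret        # in production: random bytes chosen at boot

    def offset(self, four_tuple):
        lip, lport, rip, rport = four_tuple
        msg = (socket.inet_aton(lip) + struct.pack("!H", lport)
               + socket.inet_aton(rip) + struct.pack("!H", rport))
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack("!I", digest[:4])[0]

    def next_isn(self, four_tuple, now_us):
        m = (now_us // 4) % MOD     # 4-microsecond timer
        return (m + self.offset(four_tuple)) % MOD


SERVER = ("192.0.2.10", 80)
OBSERVER = SERVER + ("198.51.100.7", 40000)   # connection the observer can see
PEER = SERVER + ("203.0.113.5", 40001)        # connection it cannot see


def observer_guess_matches(gen, expected_delta, t0=1_000_000, gap_us=400):
    """Observer sees the ISN on its own connection, then guesses the ISN the
    server hands to a different peer gap_us microseconds later."""
    seen = gen.next_isn(OBSERVER, t0)
    actual = gen.next_isn(PEER, t0 + gap_us)
    return (seen + expected_delta) % MOD == actual


def same_tuple_delta(gen, t0=1_000_000, gap_us=400):
    """ISNs for one four-tuple still advance with the clock."""
    return (gen.next_isn(OBSERVER, t0 + gap_us) - gen.next_isn(OBSERVER, t0)) % MOD


DEMO_SECRET = b"constructed-demo-secret"

if __name__ == "__main__":
    print("counter scheme guessed:", observer_guess_matches(CounterISN(), 64000))
    print("keyed scheme guessed:  ", observer_guess_matches(KeyedISN(DEMO_SECRET), 100))
    print("same-tuple timer delta:", same_tuple_delta(KeyedISN(DEMO_SECRET)))
```

    With the keyed scheme the observed ISN reveals only the offset for the observer's own four-tuple, so the value for any other connection stays a 32-bit unknown.
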
