Man Accused of Attempting to Extort Google
sandalwood writes "A programmer has been arrested on charges of attempting to "threaten Google with a software program he devised that creates phony clicks on pop-up advertisements delivered by Google. Google pays Web site publishers companies a certain amount for legitimate hits on those ads, but Bradley created a method that generates false clicks that appeared to be real Internet traffic, which would have repeatedly defrauded Google... Bradley contacted Google in early March, informing company officials that he had created the program and wanted $100,000 to keep him from selling it to spammers, according to an affidavit by a U.S. Secret Service agent." A harbinger of organized crime to come? That's a real nice website you have here... a shame if anything were to happen to it..."
Re:Or vice versa (Score:5, Informative)
Re:It's not fraud (Score:2, Informative)
How IS it fraud? (Score:1, Informative)
You'd be better off asking if it IS fraud.
"You are defrauding the company in order..."
No fraud is possible doing clicks like this. The crime is the guy's extortion threat.
Story Full of Errors? (Score:2, Informative)
* Google does not provide "pop-up ads". They provide text-based ads.
* Google does not pay website owners for AdWords. The owners pay Google for advertising space on Google.
This is my 5000th post.
No results, but five advert boxes (Score:5, Informative)
Re:Or vice versa (Score:5, Informative)
Re:Story Full of Errors? (Score:3, Informative)
Not true. You can use their adsense program. I think
http://www.google.com/services/ [google.com] http://www.google.com/adsense [google.com]
Ha ha, but AdWords among most effective ads on net (Score:4, Informative)
Re:Story Full of Errors? (Score:4, Informative)
Google does pay website owners for displaying adwords, in its adsense program [google.com].
The problem with the guy's attempted extortion is that Google charges advertisers more than it pays out on the ads, and as such this guy's program, if successful, still makes Google a buck. That said, the amount advertisers pay on ads is determined by a number of criteria such as CTR (which is why Google's ads are generally of good quality; better, more relevant, and therefore more clickable ads can be put in top positions for less than irrelevant ads), and as such something of this nature could potentially really screw up advertising-related statistics and revenue for Google.
Re: I believe we are talking about the sidebar ads (Score:1, Informative)
Organized crime is already in on it (Score:5, Informative)
Re:Or vice versa (Score:3, Informative)
Re:Or vice versa (Score:1, Informative)
2. You to place those ads on your site
3. Google pays you a fraction of the ad revenue
Re:Or vice versa (Score:3, Informative)
Google and the other search engines know about this, and have done very little to stop mass clicking.
This costs the small companies a lot of cash, because you will have bigger entities running a software application and bringing up their PPC costs. Plus the fact that most smaller companies are not as adept in PPC marketing.
Sincerely,
Anonymous Coward
Ok, I know this is nit-picky... (Score:3, Informative)
extortion != organized crime
This is one programmer acting alone (and stupidly). Organized crime requires an organization. If the programmer had been hired by someone else who had the idea to extort Google but not the technical know-how, this would be organized crime.
Re:Wacky myths (Score:2, Informative)
Untrue. As the following timeline shows, there were seat belts of different types on cars before and after the patent was issued.
1930's Several U.S. physicians equip their own cars with lap belts and begin urging manufacturers to provide them in all new cars
1954 Sports Car Club of America requires competing drivers to wear lap belts
1955 Society of Automotive Engineers (SAE) appoints Motor Vehicle Seat Belt Committee
1956 Volvo markets 2-point cross-chest diagonal belt as accessory; Ford and Chrysler offer lap belts in front as option on some models; Ford begins 2-year ad campaign based on safety, focusing heavily on belts
1957 Volvo provides anchors for 2-point diagonal belts in front
1958 Nils Bohlin, a design engineer with Volvo in Sweden, patents the "Basics of Proper Restraint Systems for Car Occupants," better known as a three-point safety belt. The device comprises two straps, a lap strap and shoulder strap. ** Volvo provides anchors for 2-point diagonal belts in rear
1959 Volvo introduces 3-point belt in front as standard, in Sweden
1961 SAE issues standard for U.S. seat belts (J4); Standards Association of Australia issues standard for "safety belts and harness assemblies"
1962 U.S. manufacturers provide seat belt anchors in front outboard as standard
1963 Volvo introduces 3-point belt in front as standard, in USA; SAE issues revised standard (J4a)
1964 Most U.S. manufacturers provide lap belts at front outboard seat positions; Victoria and South Australia require seat belt anchorages at front outboard positions in new cars (either 2- or 3-point permitted)
1965 U.S. Commerce Dept. issues first seat belt standard (adopted SAE standard); SAE issues revised standard (J4c); some U.S. manufacturers provide automatic locking retractors (ALRs) in front seat belts
1966 Swedish regulations prohibit 2-point cross-chest diagonal belt at seats next to a door, and Y-type of 3-point belt altogether; U.S. Commerce Dept. issues revised seat belt standard (SAE j4c); Sports Car Club of America requires competing drivers to wear a shoulder harness as well as a lap belt (perhaps 1967, according to ref. 131)
1967 Society of Automotive Engineers study at UCLA leads to calls for two-point seat belts, highback seats and other occupant protection strategies for school buses. Volvo introduces 3-point belt in rear as standard, certain markets; Great Britain requires 3-points in front outboard positions; Australian standard for belt anchorages issued; South Australia requires seat belts (lap belts OK) at front outboard positions
1968 Volvo provides emergency locking retractors (ELRs) as standard in front, in Sweden; Great Britain requires retrofit of 3-point belts in front in MY 65 and newer cars; many U.S. cars this MY provide ELRs. 3 point harness is now legislation in the US.
1969 Sweden requires 3-point belts of approved type in front seats. Volvo provides 3-point belt in rear as standard, all markets; Mercedes-Benz adds 3-point belt in rear outboard seats as standard, all markets; Japan requires seat belts, front and rear; Australia requires 3-point belts, front outboard seats, all cars registered since 1965
1970 Sweden requires belts in rear (diagonal and static allowed; lap-only not approved); Victoria, Australia requires 3-point belts, front and rear and mandates use, front and rear
1971 Volvo provides ELRs as standard in rear, all markets; NHTSA amends FMVSS 208 to require passive restraints in front, to be effective
1973 New South Wales requires use of seat belts
1972 Volvo introduces adjustable B-post anchor point (not standa
Re:This is better done by people (Score:2, Informative)
Re:Pop-up's? -- Maybe they were confused (Score:3, Informative)
You get this quite a lot with amazon and paypal among others, both for people phishing for account details, and for unscrupulous advertisers trying to present their 'product' as something originating with the legitimate site that loads in the background.
Microsoft issued a patch which flat-out prohibits use of '@' in http URLs without some registry changes. Maybe the authors just got their facts mixed a bit.
Re:Or vice versa (Score:3, Informative)
Presumably Google is smart enough to check referer logs when charging for adwords. If they don't check referers, a much simpler and more reliable attack is to embed a 1px by 1px iframe in your own high-traffic website.
25%, I shit you not (Score:4, Informative)
We get 10%+ click-through on the most completely generic term for the site. It could possibly be higher, but we also rank first in the normal search results for that term, if you limit your search to one particular country or use the country name as part of the search. Being able to limit AdWords to individual countries is one of the great things about Google - Overture isn't half as good in this regard.
Our *average* click-through over all phrases is much lower, at 3%, largely because with a lot of the other product words we use, people *would* be just searching for information on the product, rather than with a view to purchase. We could raise the click-through by only displaying the ad if the search term included words such as 'buy', 'purchase', etc. but 3% is well above Google's cut-off and we aren't paying for the extra impressions, only the clicks, so this suits us fine. We still rank first on most of these search terms (e.g. competing AdWords are seen as less relevant).
Re:Or vice versa (Score:5, Informative)
Here is a summary of my recent experience with Overture's Click Protection [perlworks.com] program. Overture e-mail responses are almost unbelievable.
Re:Or vice versa (Score:2, Informative)
Obscurity can be broken trivially. But security cannot be broken by a simple discovery of a hole in the algorithm.
Why should we "brainstorm" against a system that is secure only through obscurity? Because someone *will* break the "security" and then all users will be screwed. Better to do it sooner than later and force it to be improved.
Re:Or vice versa (Score:2, Informative)
That's silly. For one thing, how many of us own a high-traffic website? For another, if you're going to do that why not just write a script to hammer google with requests? Would google really care about the difference? If they see a high-traffic website hammering them and suspect foul play they'll examine the source and see that it is malicious. In the end they'll consider you as bad as the script kiddie.
Not too original (Score:2, Informative)
Anyone remember those annoying click competitions that were popular last year? Someone sends you a link, you click on it, and you added one thug to their gang or one prostitute to their harem or something. The strongest gang/pimp/whatever at the end of the month wins a ps2 or other prize. Well, being the perl monk I am, I decided to help a friend of mine win himself a ps2.
First step was to get a list of proxies. Not too hard there. I remember 10-15 websites that listed anywhere from 100 to 2000 open web proxies each. I wrote a quick perl script to scrape the page for the host and port (was a nice script, even worked inside tables) and write them to a file. I had a second script that actually tested those proxies. I ended up with around 5000 working proxy servers.
The next step was to write a script to attach to the proxy, click the link, follow the redirect, load all images, and verify that everything worked. I love pthreads.
Every day I'd run that script and he'd get another 5k thugs. He actually won 3 months in a row. I think he got a ps2, GBA, and a $200 amazon.com gift certificate (which he promptly gave to yours truly).
Anyway, the point of this is that it's not too tough to use proxies to defraud pay-per-click stuff. You can use it to your benefit to earn yourself some fraudulent $. You can use it to your benefit to cost your competitors $ (via pay-per-click adwords). Or you can use it to vote in online polls (Ever wonder how those votes on MTV change drastically in the last few minutes? Thank Larry Wall!)
Re:Or vice versa (Score:4, Informative)
As a more common example, take PGP. PGP uses a well known algorithm, but that does not make PGP insecure. Even if you steal a person's private key - you can only compromise their data, other PGP users are safe.
Security through obscurity is when a system is only secure if its workings/algorithms remain secret. For any system that is to be distributed outside of a controlled environment this is a very bad idea, as it's almost guaranteed that someone will crack it.
Extortion is alive and well online... (Score:3, Informative)
There's a few gangs based in Eastern Europe that are using Windows machines infected with viruses/worms to DDoS gambling sites unless $5,000/month in protection money is paid up.
And let's not forget SCO...
TCP Spoofing in a nutshell (Score:3, Informative)
TCP spoofing is quite possible. It's just difficult, and has become progressively more difficult.
Say we have just the idea of a basic handshake (without worrying about the way TCP works for a moment). Host A sends a packet to Host C purporting to come from Host B. Host C sends a packet to Host B saying "you really want to open this connection?". Host A waits a short period of time, then sends another packet to Host C claiming to be from Host B saying "yup, open it". Handshake completed.
Now, in TCP world, there are a couple of complications. First, Host B is supposed to respond back when it gets the "do you want to open this packet" question from Host C with a "Nope, blow away the connection" response. So, just for starters, Host B has to be unresponsive. That means that it might be a good idea for Host C to compromise a bunch of hosts and flood Host B starting sometime before sending that first forged packet to Host A. This bumps Host B's packet loss rate up to, say, 90%. That means that there's an awfully good chance that the "Do you want to connect" message never gets through to B...all C has is the forged response from A, so it considers the response valid and opens the connection.
Then we have sequence numbers. TCP uses sequence numbers to ensure that packets don't get lost or out of order. A's bogus response to C has to have a sequence number based on the number that A included in its "do you want to connect" message to B. The traditional way to get around this was to have C try to open a (non-forged) connection to A. A's response contains a sequence number. C ignores this response, and when A sends out its first packet to B, as long as nobody else has opened any connections in the interim, it uses a starting sequence number that is, say, one greater than the previous starting sequence number. At least, there is some form of correlation that C can use to determine the sequence number being sent to B that will allow it to forge a packet with a valid sequence number.
Most modern machines, to avoid exactly this sort of attack, generate an "unpredictable" number. However, since entropy (I guess you'd call entropy "stored unpredictability" -- data based entirely on unpredictable events from outside the computer's operating environment) comes in at a pretty limited rate in a typical machine, machines tend to just mangle some data in a hard-to-predict manner and use it to derive a starting sequence number for the next connection. Ideally, this sequence number cannot be predicted by host A -- in reality, it's possible that host A might manage to do so, if controlled by someone that's figured out a way to predict the output of the algorithm being used by host C.
If the A and C machines are both on a fast network (a business or university, say), it might even be possible to forge a connection through brute-force guessing of the next sequence number.
So, spoofing a TCP connection is difficult, but feasible. TCP is definitely not considered to be secure as a cryptographer would consider something to be secure.
So it's a good move to avoid using IP-based authentication.
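An added example, not part of the comment above and not any operating system's code: the "unpredictable" starting sequence number it describes, written in the style of RFC 6528 (ISN = M + F(localip, localport, remoteip, remoteport, secretkey)) next to the older previous-plus-one counter. HMAC-SHA256 standing in for F, the addresses and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import os
import time

MASK32 = 0xFFFFFFFF
SECRET_KEY = os.urandom(32)  # per-boot secret, assumed to stay on the host


def timer_4us(now=None):
    """M in RFC 6528: a 32-bit clock that advances once every 4 microseconds."""
    now = time.monotonic() if now is None else now
    return int(now * 250_000) & MASK32


def rfc6528_isn(local_ip, local_port, remote_ip, remote_port,
                key=SECRET_KEY, now=None):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey)."""
    four_tuple = f"{local_ip}|{local_port}|{remote_ip}|{remote_port}".encode()
    # HMAC-SHA256 is used as F here (an assumption of this example).
    digest = hmac.new(key, four_tuple, hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big")
    return (timer_4us(now) + offset) & MASK32


def global_counter_isn(previous_isn):
    """The older scheme from the comment: previous starting number plus one."""
    return (previous_isn + 1) & MASK32


def delta(isn_a, isn_b):
    """Distance between two ISNs modulo 2**32."""
    return (isn_b - isn_a) & MASK32


if __name__ == "__main__":
    server = ("192.0.2.10", 80)  # constructed documentation addresses
    peer_one, peer_two = ("198.51.100.7", 40000), ("203.0.113.9", 40000)
    a = rfc6528_isn(*server, *peer_one, now=1.0)
    b = rfc6528_isn(*server, *peer_two, now=1.0)
    later = rfc6528_isn(*server, *peer_one, now=1.5)
    # With the global counter, one connection's ISN gives away the next one.
    print("global counter delta:", delta(1000, global_counter_isn(1000)))
    # With a keyed per-tuple offset, the gap between peers depends on the secret.
    print("RFC 6528 delta between two peers:", delta(a, b))
    # The same 4-tuple still sees ISNs advance with the clock.
    print("same peer, 0.5 s later:", delta(a, later), "ticks")
```

The per-connection offset is only as strong as the secret key, so this raises the cost of guessing a sequence number without turning an IP address into a credential.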