
Service drains competitor's Adwords budget - jusben1369
http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/
======
johnvschmitt
As opposed to how VC's drain competitor's adwords budgets?

Meaning, this is too often how I see competitive bids going over time:

1) You sell a widget for $100, and it costs you $50, so you spend $10 on the
ad, & make $40 margin.

2) Your competition gets in, & has similar price/costs, & bids $11 on the ad.

3) After a few iterations, you both bid $49.50 for the ad, making near zero
(positive) margins & stay in business.

4) But, VC-backed businesses enter that market. The VC (rightly) tells the
startup that they aren't going to make profit in the first year anyway, but
they MUST show user-growth. And, here's the VC money to pay for user growth.

5) So, the VC-backed startup bids the ads up to $100+, far above profitability
for legit bootstrapped or existing profitable companies.

That's how the ad budgets can be drained in the ecosystem.

I know a lot of investors here that don't want to take the blame for this
impact and may downvote me, but I do see this happening for many keywords over
time. I don't need to be popular on this issue.

~~~
opendais
There is a difference between actively and maliciously targeting adwords to
destroy people's money and healthy competition b/t pools of
capital/businesses.

You are engaging in false equivalence.

~~~
johnvschmitt
I'm not saying that the VC-backed company is intentionally or maliciously
poisoning the healthy profit of the competition.

I'm saying that it's an unintentional byproduct of the otherwise naturally
healthy approach to "grow first, profit later". Just like, I'm about to
release a free game in the app market, no IAP, no cost, as I'm generous. But,
that can & does have unintended consequences in the ecosystem to make it
harder for those who do need to profit from their similar work.

~~~
opendais
Fair enough but by bringing it up in a thread about someone with a botnet
screwing people over...its pretty reasonable to conclude that is what you
meant.

~~~
notahacker
Whilst most VCs aren't doing anything anywhere near as patently unethical as
funding a Clickfraud-as-a-Service app, if they're "disrupting" competition
through little more than willingness to make negative profit margins on each
sale, that competition ends up just as screwed if their pockets aren't as
deep. Either if way they're spending money on making you poorer rather than
themselves richer in the short term it's not unreasonable to point fingers.

Admittedly, incumbent monopolists are usually far more cynical in this regard,
but they're also more likely to get slapped by regulators for this kind of
behaviour.

~~~
zo1
As an aside, I'd like to add this bit of information: People get up in arms
when a large "corporation" or "well-established player" in the market throws
their capital weight around to bud out budding investors by selling at a loss.
But, as you can see in this thread, they turnaround and have a completely
different take on the matter when it's a "VC-backed startup" using its newly-
acquired capital to drown out competition while it's slowly losing money.

~~~
spacemanmatt
This is why we need anti-trust law. There are cases where throwing your
capital around is appropriate, and there are cases where it is anti-
competitive.

~~~
zo1
_" There are cases where throwing your capital around is appropriate"_

I'm curious where you think this is the case? Remember, your arbitrary
definition of _appropriate_ might not be the same as others'. I probably won't
go either way, as I think anti-trust laws in general are not appropriate, but
that's a different discussion.

Moreover, may I ask what your moral argument is for such laws? From the looks
of it, most people would say: "If you have a lot of money, then you're not
allowed to use it to your advantage if we perceive it as predatory". With such
vague terms (unless you can make it more explicit), and it will most certainly
end up having a favoritist bureaucracy grow around it.

------
DonPellegrino
This reminds me of a nasty attack I learned about recently. I run
[http://unblock.us.org](http://unblock.us.org), a DNS/anti-censorship server.
Unblock does tunneling for censored websites.

There are scripts out there that scan the whole internet for servers that
accept HTTP and HTTPS requests to proxy. Those scripts are set up to
simultaneously HTTP(S) GET tons of doubleclick.net etc. URLs to get the site
owner kicked off Google Ads. I can imagine the black hat hackers selling their
services for anyone willing to hurt a competitor's income.

Obviously my server detects those attacks and blacklists them right away, but
I was shocked at the ease of carrying that kind of attack. One day I really
need to blog about all the shocking stuff going on online that I learned about
by running a public service.

~~~
sleep-less
How can your server blacklist requests to doubleclick.net?

~~~
DonPellegrino
I don't tunnel HTTP/HTTPS requests to doubleclick.net at all to begin with (I
use a whitelist for HTTP/HTTS), but if someone were to do too many DNS
requests for the same domain in a short period of time I drop those requests
as it means the Source IP I'm seeing is actually the IP of the victim of a DNS
Amplification attack and sending them the response would make me a participant
in that attack.

------
Throwaway823
Slightly different, but I had a user attempt to get my AdSense account banned
by repeatedly clicking ads for days. Sadly, for the advertisers, Google didn't
do a thing. This user racked up close to 10,000 clicks, my earnings
skyrocketed for a day or two, and I contacted Google with clear evidence
pointing to a particular IP address, and explained the situation in-depth with
server logs.

This was submitted through their form to contact them about click fraud, and I
never heard back. Those advertisers paid for thousands of fake clicks, and I
ended up with a decent chunk of change.

I can't understand how they missed it. My clicks are level for years, and then
during a couple of days, they increase 50-100x normal levels. This should have
been a huge red flag.

~~~
rogerdpack
And you actually got paid for those clicks? That is bizarre, I would have
thought that google had some system to automatically detect the "click
fraudsters" and not charge for their clicks...I mean how hard is it to stop
counting clicks after somebody's done it 5 times or so from the same site? But
I guess google is actually _making_ money from those fraudsters [since they
charge the advertisers] so...maybe that's why they don't care as much about
fraud LOL.

~~~
iancarroll
They care about fraud. That is a VERY rare case of an advertiser getting paid
from fraud. I have been banned (intentionally) by their system and it is very
clever at times.

Create a few accounts and see how far you get to $100.

~~~
zapu
How do you "create a few accounts"? I was under impression that once they ban
you, it's over. Same person can't create more than one account. And can't
create another one after a ban.

~~~
iancarroll
I've created at least three with the same name, haha.

------
FatalLogic
Sometimes referred to as 'reverse click fraud'. Here's how it can look from
the point of view of one of the sites that hosts the ads paid for by the
victim: [http://www.dslreports.com/shownews/Adsense-Click-
Fraud-88596](http://www.dslreports.com/shownews/Adsense-Click-Fraud-88596)

The site gets lots of visits from random IPs, all searching for the same odd
phrase, such as 'Female Impotence' in this case.

------
bsaul
People complain a lot about Google here, but some people working in the
business for a while will remember the miva ad network. Boy was that network
ugly. Sometimes during the month you would see a bump of traffic of 100x
magnitude on all customers and of course no conversion at all. We used to say
"looks like miva needs some cash this month".

Google adwords/adsense didn't win by being a monopoly, they won because they
were simply the best. Then they became a monopoly.

~~~
spacemanmatt
This. Exactly. Google enjoys a natural monopoly (or in my view, a non-
monopoly) in search because they continue to earn the most business there, not
because they have eliminated viable alternatives.

~~~
TeMPOraL
Same with webmail. And maps. And other things. They just provide services that
work and are optimized for usability, not for trying to upsell you something.
I believe they deserve that natural monopoly for doing what they are (as long
as they continue this course).

------
chrischen
I'm almost certain my business was targeted by this. I even got an anonymous
email from the competitors threatening me to stop the ads, at the same time
mysterious click traffic drained my adwords budget. Is anyone out there an
expert in this field that could help me investigate?

------
gscott
I setup a system to track every google adwords click by ip address then
created a spreadsheet of the reverse dns and how many clicks to try and get a
refund. It didn't matter how many times one ip address clicks through Google
says that sometimes it might take a lot of clicks from one person because they
are "deciding" if to buy or not. Anyway I sent several of these spreadsheets
to Google and received a refund for a measly $28.00. They say they
automatically do refunds but I get about $10 per $10k in refunds back
automatically. It is not a very large amount.

------
opendais
I do wonder since he is using a gmail account if it is a honeytrap.

That seems like a very, very dumb thing to do if one's objective is to defraud
Google. His entire client list will be accessible through them.

~~~
jusben1369
Does he really defraud Google? They're still getting paid.

~~~
dangrossman
They get paid for another month, or maybe a few, until the advertiser sees
that their ads now cost more than the revenue they bring in, as the
fake/purchased clicks don't ever buy the company's products or services. At
that point logic dictates that they cancel their ads with Google. Google would
have earned that bit of money either way, but now they've lost all the future
revenues from that business.

If you dig into almost any AdWords account and make a custom report that
includes the "invalid clicks" column, you'll see that they already don't
charge advertisers for a very large percentage of ad clicks. I have an
"invalid activity" credit in my billing statement just about every month,
which is an automatic refund for potentially fraudulent clicks that weren't
detected immediately. You don't generally have to ask for the refunds, it's in
their best interest to cancel those clicks and keep advertisers' ROI positive
so they continue paying in future months.

~~~
JustinJBM
This is about Company A removing Company B, C, D, & E from the search results
so that Company A gets all the sales and leads from that day. Company A would
be happy if it scares them away permanently -- then they don't even have to
pay the Hacker to deplete their daily budget anymore.

These particular hackers obviously have a service that Google's Invalid Clicks
detection cannot pick up and it's successfully depleting advertisers' budgets
-- hence the positive reviews they have.

~~~
dangrossman
Right. You can only remove Company B-E's ads by depleting their daily budgets.
The service Company A paid for does not include purchasing Company B-E's
products or services, just knocking out their ads. Those advertisers will see
a negative ROI from their Google ads and eventually cancel them. Now Google
has lost four customers and the one that remains no longer has to compete for
ad space. Google loses all of Company B-E's ad spend, and most of Company A's
ad spend as it can drastically lower its bids. They are not "still being
paid", which is why they are heavily incentivized to identify this fraud and
ignore or refund for the clicks that company is generating.

------
eli
I suspect I was a victim of a version of this fraud years ago. Lots of
suspicious clicks off of strange queries or weird AdSense blogs (the latter
might have been the more straightforward AdSense fraud) and the visitors
rarely engaged with more than one page.

Google insisted that if there are any fraudulent clicks, they are detected
automatically and we are not be charged for them. But it was essentially
impossible to know if that's true. I guess it doesn't really matter: at the
end of the day you tally up your metrics and AdWords is either worth it or
not. Still a very frustrating experience.

------
wyck
There are services out there that supposedly monitor Google ad click fraud,
does anyone have experience with them?

------
PaulHoule
I was looking for this tool called XRumer but I can't remember the link...

------
at-fates-hands
I remember seeing a lot of scripts that did the same thing back in the early
2000's. Back then people were hijacking servers and then using proxies to hide
their IP addresses. Back then, you could either use it to increase your own ad
revenue, or have them click on your competitors ads so yours would show
sooner.

Either way, this is why I tend to advise my clients to stay away from any paid
advertising on the internet. It's a total sham. Either you get lucky and get
some traffic with zero conversions, or your budget is wasted by someone using
fraud.

