Google Adwords and PPC fraud revealed

Professor asked 3 years ago
You’re probably reading this article because you use Google Adwords to bring traffic
to your website, or you’re a click fraudster yourself, wanting to see what kind of
information I have for you. Most of you click fraudsters will think that I have
no idea what I am talking about, and that I do not know your methods. Well, trust

If you are new to the click fraud scene, here is an example:

1. Scumbag puts Google Adsense ads on his website.

2. The scumbag then proceeds to cheat Google Adsense by creating false clickthroughs
and impressions, in return earning him a pretty nice profit, because he isn’t even
working on his website, just generating false traffic.

All of you people that run campaigns through Google Adwords are thinking, “This
guy has no idea what he is talking about, Google has everything under control and
they even state so publicly!”

WOW! What kind of pay per click company would admit that they DO NOT have click
fraud under control? I wonder what would happen to their business immediately following
that statement.

Estimates say that nearly 20% of all clicks for Adsense are illegitimate. In my
honest opinion I believe this number to be around 30-35% from some of the things
I have seen.

Alright, now the big question, how are they doing it?

There are a number of ways that people are cheating, including the ‘click groups’
from India that click on your ads for you and create big pay checks as long as you
pay them their $0.50 an hour so they can buy bread for their family.

But I’m going to show you the technical way that Google Adsense is cheated, not
poor people clicking ads. I’m talking about extremely smart programmers that create
hitbots to cheat Adsense. And, NO, I’m not talking about that piece of garbage ‘CACA’
or Clicking Agent that you find on Google. I am talking about PRIVATE programs and
scripts that are only used by private groups.

How do these scripts get away undetected you ask?

Simple, let’s actually take a look at Google’s click fraud protection (This is what
I have summed up, I seriously don’t believe they have any other protection
because people are still cheating using these methods as you read this article.)

If you actually take a look at Google’s Adsense code when it is on your webpage
you will find the URL that is used to retrieve ads. (Right-click your ad iframe and
click ‘View Page Information’ or something similar.)

Here is an example of the URL that you will find:

Now let’s decode this up a little bit, shall we?

client=ca-pub-2521202633232871 – Your client code, this tells Google who to
assign the click-through money to.

dt=1124847235453 – Javascript, if you use the command google_date = new
Date(); document.write(google_date.getTime()) — Which generates 1124847235453.

This shows you the number of milliseconds since midnight January 1, 1970. This is
what seems to be Google’s biggest automated proxy clicker fraud prevention. Doesn’t
seem too hard to generate with 2 lines of code now does it?

lmt=1124631699 – The last time your webpage was updated. LMT stands for Last
Modified Time, pretty easy Javascript to generate this one too – document.write(document.lastModified);
— Which generates 1124631699.

(Notice I’m skipping a bunch, that’s because they are just showing the type of ad,
colors, and size that you are using.)

cc=59 – Seems to be some random number based on the screen width, height, and
color scheme. I’ve seen this number go from 20 all the way up to 400. I’m sure they
don’t use this to reliably track click fraud.

u_h=768 – Height of your screen settings.

u_w=1024 – Width of your screen settings.

u_ah=738 – Your available screen height.

u_aw=1024 – Your available screen width.

u_cd=32 – Color scheme on windows, e.g. 32-bit.

u_tz=-240 – Your monitor refresh rate or something else that isn’t important,
I’ve never seen it not -240.

u_java=true – Just seeing if you have java enabled.

There are some other variables that are sometimes in the URL such as ‘u_his=’
this means how many pages you have visited since you started up your browser. There’s
also some MIME type checks and how many plugins you have installed, but these variables
come up very rarely. I think they are only meant for Netscape/Firefox browsers.

Now that we have ‘decoded’ the supposed unbeatable Google Adsense code, what do
you think about click fraud? You still think it is rare?

After randomizing all the data and sending an automated query to their Adsense URL,
all the scumbag has to do is parse out all of Google’s click URLs and click one
of them, giving him a click through. This can all be easily faked with even a Visual
Basic program. A newbie programmer could in fact cheat Google Adsense without much

Alright you say, they beat the javascript code detection but doesn’t Google use cookies
so they can’t do this?

No, Google does not use cookies for Adsense.

Well what about IP-tracking? Someone can’t have that many proxies!

There are click groups that leave these programs running on their computer. They
each randomly click each other’s URLs automatically. The person running the program
doesn’t even have to do anything, but he is still contributing to the success of
their group and himself.

Does that sound too far-fetched? I am telling you that there are click groups that
do this now and have been since the old Linkshare PPC days in 1999. Yes, if you
were an advertiser on Linkshare back around 1999-2002, you got RAPED.

And that isn’t all. I have read on the internet that there are currently over 100,000
people infected in the United States alone with trojan proxy servers. These proxy
servers run on random ports so that Google can’t just do a simple port 8080 or 80
check on it to see if it’s a proxy. The majority of these proxy servers are used
for credit card fraud, but a lot of them are also used to cheat Google Adsense and
other pay per click programs. These proxies are at-home users that look like normal
dial-up, cable, and DSL users from all across the world, but mainly the United States.
There is NO WAY to prove that they are a proxy.

Random User-Agent strings are another tactic that is often used by click fraudsters.
This makes Google think that a lot of different browsers are clicking the links,
just keeping them further from finding out the truth.

On a side note, you may be thinking that the new Yahoo! pay per click program may
be the way to go. I checked into their protection and guess what? They are only
using ONE of Google’s protections and that is the Javascript GetTime. They are still
in Beta though and this may change, but who knows?

To the cheaters: The benefits of cheating are short. Eventually you will be caught
for what you are doing and maybe even sued by Google. There is a ton of money to
be made legally with Adsense and I suggest that you stop cheating. Who am I to tell
you to stop? I used to be one of you! Back when I was 13-14 I was making programs
like the ones you guys are using now. You guys probably used one of my programs
at one time. I am happy to say that those days of mine are all in the past now,
and I am making a good amount of money LEGALLY with Adsense and other affiliate
programs. Work hard guys and you will reap the benefits 100 times what you make

To the advertisers: You people that use Google Adwords now see that it is actually
not very hard to cheat you out of your money, so be careful and MAKE SURE that you
use a click fraud protection script such as ClickDefense. To lower most of your
click fraud, just don’t put your ads in the Content Network, only stay on Google’s
sponsored search results. Only Google gets paid when someone clicks the search results
sponsored ads and nobody wants to cheat to make Google any more money do they? Check
the stock, it’s currently at 279.58 a share.

To summarize my article I just want to state that no one should use this information
for cheating Adsense and I am not responsible for your actions if you choose to
do so. You will be caught because Google will evolve and get smarter, eventually.

Joseph Tierney is the owner of Auction Fraud Protection, a user-generated database
of auction fraudsters. He is a 2005 high school graduate and is currently studying
for a computer science degree in college.
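
For advertisers and networks reading the parameter walk-through in the post above, here is a server-side plausibility check over those same fields; it is an added example, not part of the original post and not Google's code. The five-minute skew, the set of colour depths and the sample query strings are assumptions constructed for illustration, and because every field is client-reported, a clean result only rules out careless automation.

```python
from urllib.parse import parse_qs

MAX_SKEW_MS = 5 * 60 * 1000          # assumed tolerance between client and server clocks
COLOR_DEPTHS = {8, 16, 24, 32}       # assumed set of plausible u_cd values
FIELDS = ("dt", "lmt", "u_h", "u_w", "u_ah", "u_aw", "u_cd")

def _num(params, key):
    """Return the field as an int, or None when it is missing or not numeric."""
    try:
        return int(params[key][0])
    except (KeyError, ValueError):
        return None

def implausible_fields(query, server_ms):
    """List reasons the client-reported values in `query` cannot all be true."""
    params = parse_qs(query)
    v = {k: _num(params, k) for k in FIELDS}
    reasons = [f"{k} missing or not numeric" for k in FIELDS if v[k] is None]
    if v["dt"] is not None and abs(v["dt"] - server_ms) > MAX_SKEW_MS:
        reasons.append("dt outside allowed skew of server receive time")
    if None not in (v["dt"], v["lmt"]) and v["lmt"] * 1000 > v["dt"]:
        reasons.append("lmt later than dt")
    if None not in (v["u_h"], v["u_ah"]) and v["u_ah"] > v["u_h"]:
        reasons.append("u_ah larger than u_h")
    if None not in (v["u_w"], v["u_aw"]) and v["u_aw"] > v["u_w"]:
        reasons.append("u_aw larger than u_w")
    if v["u_cd"] is not None and v["u_cd"] not in COLOR_DEPTHS:
        reasons.append("u_cd is not a known colour depth")
    return reasons

# Constructed samples: the field values shown in the post, then two altered copies.
SERVER_MS = 1124847236000
CONSISTENT = ("client=ca-pub-PLACEHOLDER&dt=1124847235453&lmt=1124631699"
              "&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32")
RANDOMIZED = ("client=ca-pub-PLACEHOLDER&dt=1124847235453&lmt=1124631699"
              "&u_h=600&u_w=800&u_ah=738&u_aw=1024&u_cd=20")
REPLAYED_SERVER_MS = SERVER_MS + 60 * 60 * 1000   # same query seen an hour later

if __name__ == "__main__":
    for label, q, t in (("consistent", CONSISTENT, SERVER_MS),
                        ("randomized", RANDOMIZED, SERVER_MS),
                        ("replayed", CONSISTENT, REPLAYED_SERVER_MS)):
        print(label, implausible_fields(q, t))
```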

5 Answers
Dominique answered 3 years ago
This is a very interesting article.

Is it me or is this whole business just full of untrustworthy situations anymore, regardless of what component you look at?

Anonymous answered 3 years ago

Is it me or is this whole business just full of untrustworthy situations anymore, regardless of what component you look at?

different day, same shit.

when wasn’t it full of fraud and the like?

it’s just gotten more technical is all. and I imagine that just like the net has grown in users, so will the cheats grow proportionately.

that said, a great article Prof. thank you much!

TheGooner answered 3 years ago
Wow … something has you riled professor !!
But … thanks for the illuminating article on this PPC stuff.

Some views from an experienced sports webmaster / surfer …

I run two sites (shown below) … the first GoonersGuide.Com is my love .. it’s sports betting run as a co-operative and is very successful in what it achieves. Sports Betting. It’s been online for 5 years – it’s popular and gets around 1,000,000 pages viewed a month.

The second GamblingInfoSource.Com is new … and trying to monetise the Casino / Poker trend … which is what brought me to CAP in the first place.
It’s been online for a couple of weeks.

I’ve never advertised on any PPC system … I’ve been amazed at the potential costs involved … but then MY traffic is not that valuable on a user or visit basis.

I’ve seen the ads of course on many sites, and on google searches … and I’ve clicked on a fair few of them too … but I could count on one hand the number of times that it has resulted in a purchase.

I’d suggest my buy rate would be about 1 or 2 from maybe 500 – 600 clicks ?
Because of this I’ve never considered putting the adverts on my site.

While I understand your frustration with PPC fraud it seems to me that there must be a significant amount of revenue involved – and so it does not surprise me that people from less developed countries would try to extract the cash. As a traveller I’m sure you’ve seen the disparate wealth.

Some of it will be human fraud … and the code you’ve uncovered seems to be a technical fraud … this can’t be avoided without geographic restrictions … no matter how good the validation.

However, I wonder how much of the failure of PPC clicks to deliver is also because the system (or target site) is not set up for global traffic ?

My site writes about European football. We get people from around 120 different countries each day … and I’d suggest that a fair proportion only have English as a second language.

This is based on stats, posts on the forum, and many of the cryptic emails that I receive from visitors where I cannot work out the language let alone what they want.

What have I done to my site to change this?
– I’ve tried to use simpler language.
– I’ve tried to use sections to highlight final picks and good bets.
– I’ve tried to make my affiliate links just a click away.
– I’ve avoided jargon – so translations might work better.

In summary I’ve tried to make it easier for people with English as a second language to use the site.

As a New Zealander, I’m amazed at the number of sites that are based in America that expect US only customers. This is shown on the forms to fill in, the language used and the offerings available.

I’d be prepared to wager that with the vast number of Asians and Europeans online, that the percentage of surfers that are American would be between 5-8% of total surfers.

Would you agree?

I think that PPC in cash rich segments like gambling will always be fraught with hazards of poor returns.

Some of it will be fraud .. but some of it will be because we (as webmasters) are not doing enough to understand our audience correctly.

Be lucky ..

Kevin11 answered 3 years ago
I can sympathize with all those who have wasted money on PPC only to be defrauded.

However, Google is going way too far in eliminating things. One of my high traffic (non-gambling) sites just got canned from adsense for alleged click fraud and that’s a bunch of crap. The CT ratios are super low, I haven’t cashed out earnings since I placed the adsense on the site, and they don’t even have the courtesy to respond to my inquiries.

Guess it was only a matter of time before the crooks wrecked things for even legit sites like mine. Maybe one day some company will get this PPC thing right and make everyone happy.

CrapsRus answered 3 years ago
Very good Lou!
Thank you