AdWords is now Google Ads. Our new name reflects the full range of advertising options we offer across Search, Display, YouTube, and more. Learn more

Ads
3.8K members online now
3.8K members online now
Understand Google's advertising policies, including ad approval status and account suspension
Guide Me
star_border
Reply

Anatomy of relentless click fraud despite multiple complaints and provision of evidence got no help

[ Edited ]
Visitor ✭ ✭ ✭
# 1
Visitor ✭ ✭ ✭

I must first warm everyone this is extremely technical so would appreciate help from only those that fully understand what I am about to post. I thought long and hard before coming here, I am well aware that providing this kind of detail and revealing methods could potentially help other unscrupulous individuals initiate a particularly devastating kind of click fraud. 

 

I will also state I am fully aware of all methods available to defend my company - these including restricting my ad to very tightly constrained geographic locations, in this case it is my City with bid adjustments by device and individual post codes throughout the city. Completely excluding my competitors location by placing a 1km exclusion radius around their store. I have also spent countless hours combing through logs to see which ips initiate repeated clicks and filtered them out by using IP exclusion. 

 

Unfortunately this has not been enough, with average CPC increased from an average of 1-2 GBP to sometimes over 45GBP,  costs are being artificially increased to ridiculous levels in order for the click fraud to cause maximum harm to my business. I'm sure when someone senior looks into the logs and evidence I provide they will be able to corroborate everything I have detailed here. I have already provided a full months worth of logs to Google and got the standard canned response that everything looks normal, which is laughable given what I am about to show below, 

 

Many of the fraudulent clicks are coming from certain areas, one of these is very close to my premises so I am not able to filter this area out completely, even with a -90% bid adjustment (on this date) my account sustained 18 clicks in the space of a few hour from mostly the same locations.

 

These clicks coincided with my competitor temporarily increasing the bid for this area before initiating the onslaught, because my business is targeted at mobile devices these were the items used in the clicks fraud,  android devices with GPS spoofing software in order for my ads to trigger for the location I am targeting, in this case LS6 postcode within my city.

 

Here is a screen shot from within my adwords account for 16 feb 2017 which is today, its worth noting this has been happening on a massive scale for months 

 evidence1.jpg

 

This is just one day of many with similar clicks, as you can see I got 6 clicks in the same area within the space of only 1 hour.  All from android devices with GPS spoofing enabled to allow my ad to trigger in a location I do not filter, here are the server logs for 16/02/2017

I use the command line program CYGWIN to parse the log file, whoever is doing the investigation at googles end will be able to match my log with Googles own internal log which I assume is much more detailed than anything I am able to determine. For this tiny snapshot I will show clicks from just two Samsung phones in this case Galaxy GT-I9505 Build/LRX22C and GT-I9505 Build/KOT49H) both handsets have been used hundreds of times over the last few months but I will concentrate on today's log. I target Apple repair keywords and the Apple repair keywords were searched for by these two Samsung S4 GTi9505 repeatedly, the same two handsets searched for my keywords after the sim cards being used were swapped over to force a new IP, the IP's are chosen by the network provider from a small pool of IP's allocated by the base station, they are not completely random and are mostly from the same class B/C depending the network of the sim being used.  

 

using the command

cat 2itvy8vo3181fa9f.log | grep GT-I9505 | grep 16/Feb | awk '{print $2 " " $5 " " $17 " " $18}' 


I can filter out everything but these two S4's and this is only including these two handsets so you can only imagine how much i'm being hammered with fake clicks, 

 

 

 

user@DESKTOP-SUUF2MT /cygdrive/c/Users/user/Desktop/logs/newlog
$ cat 2itvy8vo3181fa9f.log | grep GT-I9505 | grep 16/Feb | awk '{print $2 " " $5 " " $17 " " $18}'
31.107.229.221 [16/Feb/2017:11:51:52 GT-I9505 Build/LRX22C)
178.107.7.221 [16/Feb/2017:11:52:14 GT-I9505 Build/KOT49H)
213.205.192.208 [16/Feb/2017:11:52:21 GT-I9505 Build/LRX22C)

 

15th Feb

31.108.140.60 [15/Feb/2017:10:23:26 GT-I9505 Build/KOT49H)

 

02 Feb 

213.205.192.148 [02/Feb/2017:10:24:46 GT-I9505 Build/LRX22C)
188.29.165.170 [02/Feb/2017:10:40:01 GT-I9505/I9505XXUFNB8 Build/KOT49H)
92.40.249.137 [02/Feb/2017:10:24:31 GT-I9505 Build/LRX22C)

92.40.249.27 [02/Feb/2017:10:13:56 GT-I9505 Build/KOT49H)

 

This is just a tiny snap shot these same two phones have been clicking on my ads with different sims for months now, AND THATS JUST these two phones, because this is a phone repair business they have hundreds of phones, but mostly they have been using around 7 or 8 android phones using mostly the same IP ranges due to the our network providers restricting pools of IPS for certain areas. They have sometimes been using iPhones but this is difficult for them as IOS doesn't easily allow GPS spoofing. 

 

I thought I could get around this with IP exclusion, but there is one very serious problem, IP exclusion despite claims to the contrary is very broken when it comes to using CIDR to block certain ranges, you can easily block class D ip block using x.x.x.* but class A and Class B range blocks are broken, I was trying to filter out one of the VPN they were using in italy, and wanted to block the  whole of Italy, clicks were still getting through from that Class A range. 

 

user@DESKTOP-SUUF2MT /cygdrive/c/Users/user/Desktop/logs/newlog


$ cat 2itvy8vo3181fa9f.log | grep 213.205.192 | grep 16/Feb | awk '{ print $2 " " $5 " " $17 " " $18}' | sort | uniq
213.205.192.116 [16/Feb/2017:11:52:01 SM-G361F Build/LMY48B)
213.205.192.117 [16/Feb/2017:10:46:18 OS 10_2_1
213.205.192.153 [16/Feb/2017:09:21:29 OS 10_2_1
213.205.192.187 [16/Feb/2017:11:52:10 SM-G935F Build/MMB29K)
213.205.192.208 [16/Feb/2017:11:52:19 GT-I9505 Build/LRX22C)
213.205.192.210 [16/Feb/2017:11:26:19 OS 10_1_1
213.205.192.234 [16/Feb/2017:12:18:20 OS 10_1_1

 

I have had  this IP class 213.205.192.*  D blocked for ages and the clicks still got through. 

 

I have a mountain of data and evidence showing clearly the same range of IP's/devices is repeatedly clicking on my ads at great cost to me. There is so much more to reveal and it gets pretty complicated so please persevere with me as this really need to get out there. If Google is willing to work with me I even have some ideas to fix this kid of click fraud. 

 

2 Expert replyverified_user

Anatomy of relentless click fraud despite multiple complaints and provision of evidence got no help

Top Contributor
# 2
Top Contributor

Hi Alex,

 

Thinking about this from a Google point of view, how are you aligning the very detailed log entries from those two specific phones visiting your website, with actual ad clicks?

 

AdWords only assigns clicks to an hour, and not any finer than that.

 

So from Google's point of view, how can you show that these are not organic visitors?

 

(I totally with your analysis, BTW, and this is not the first time this has been discussed here)

 

Anatomy of relentless click fraud despite multiple complaints and provision of evidence got no help

Top Contributor
# 3
Top Contributor

I mentioned in another post that Google's fraud squad has the tools to investigate this pattern to recognize the user and correlate the sharp increase in CPC with clicks. But  only Google has the tools to conduct the investigation. So, This should  be filed with Google's click fraud team.

Moshe, AdWords Top Contributor , Twitter | Linkedin | Community Profile | Ad-Globe
Did you find any helpful responses or answers to your query? If yes, please mark it as the ‘Best Answer’