Is Google AdWords Country Display Hack Really A Security Flaw?

[arthur2000]

Sofizar Inc, a company specializing in Click Fraud Detection Services announced today that it has identified a vulnerability in Google’s Pay Per Click (PPC) location based advertisements. The Google location based service is meant to display Pay Per Click (PPC) advertisements only in the advertiser designated locations. However, a back door allows a malicious user or automated programs in a non designated area to click on the advertisement, potentially causing grievous losses. Furthermore, Google charges the advertisers for these clicks, even though Google does not record the advertisement impression. This vulnerability has been reported to Google.

The location based Google service is designed to display targeted advertisements to users from a certain region. For example, a ticket broker ( http://www.ticketnest.com/theater-ti...wicked-tickets ) who needs to sell wicked tickets in New York City does not want her advertisement to be displayed in New Delhi. The pay per click advertisements to a non target audience can be extremely costly, and AdWords PPC advertisers use Google’s facilities to designate countries (and in some cases cities) where their advertisements can be displayed. However, this vulnerability allows a hacker in Beijing to see and click on advertisements meant for a Las Vegas audience. Some advertisers pay up to $35 every time a user clicks on their advertisement, and a hacker can run up the tab for such advertisers quite fast. Sofizar’s internal testing shows that Google not only charges for these clicks, but due to a software glitch in Google’s reporting interface, does not record the impression.

“PPC advertisement has become very popular due to their instant traffic results, and control over the composition of the traffic” said Ron Arthur, Program Manager of Sofizar managed service. “Given that there is about $7 Billion at stake with Google PPC advertising in 2006, malicious hackers are always on the look out to get a piece of the pie. An advertiser may feel secure in the knowledge that his advertisements are being displayed only in the US, while his advertisements may be getting unwanted clicks (and a massive bill) from a hacker in East Europe.”

“There is essentially an arms race between the click fraudsters and us,” said Zafar Khan, CEO of Sofizar. “We see ever insidious tactics by hackers to deplete the budget of advertisers, and unless the advertiser is really keeping close tabs on their PPC advertising they are a prime target for fraud. The location based vulnerability allows hackers to fly under the radar, and hit unsuspecting advertisers. We have reported this flaw to Google and we are confident that they will fix the glitch in their software. Our previous experience in dealing with Google customer support regarding glitches has been outstanding.”

Testing methodology used:

The vulnerability was tested on Sofizar’s test account ( http://www.ticketluck.com) where a US targeted AdWords campaign for a keyword with no searches was selected. Sofizar’s testers in their test center in Pakistan then used the back door to display and click their test advertisement (http://www.google.com/search?sourcei...ickets&g l=us) that was only supposed to show in the US. When the account was checked, Google had charged Ticket Luck campaign for the click, even though it did not report the impression.

Sofizar uses its traffic analysis and pattern matching software to detect fraudulent PPC clicks. This software is adaptive, and stores patterns for certain websites as well as deviations from recognized patterns. Sofizar manually audits the accounts which are flagged by this software as possible frauds and then works with search engines to obtain refunds and credits against future advertising spending. Sofizar proactively looks for vulnerabilities in Overture and Google, in order to better protect its clients.
This press release is available online at http://www.sofizar.com/press-release-google.php

[dannysullivan]

If you work for or are associated with Sofizar, please make that clear (an apologies if you are not). Doesn't necessarily mean what you are posting isn't relevant, but it's helpful to the other forum members to understand any relationships.

I don't know that I'd call mistargeting of local ads as a "security" flaw and "fraudulant" but rather bad targeting.

More to the point, let's be clear about this "back door." The ad was triggered by adding this:

gl=us

to the end of the URLs string, which forces Google to show US ads to those outside the US. It is a hack used primarily by those advertising outside the US and wanting to see what their ads look like to those in the US. Relatively few advertisers know of the hack. Fair to say, an extremely tiny number of "regular" searchers know of it. Anyone getting ads this way had to jump through some serious hoops to get them. The number of advertisers impacted this way is tiny.

Indeed, the "testing methodoloyg" Sofizar used was to run an ad, then use the country-specific ad targeting parameter (that gl= thing above) to get the ad, then they clicked on their own ad to show they were billed $0.05. This is the extent of the problem?

The solution is easy. Remove the hack. Of course, since a number of advertisers depend on that and have not been shown to date to be abusing it, it's not a "solution" I'd be pushing for.

FYI, http://www.iana.org/cctld/cctld-whois.htm is a list of the two digit country codes you can insert after gl= to get ads for any particular country. For a more detailed look at how this operates, see Google Gets Local With AdWords which is available to Search Engine Watch members.

[arthur2000]

Dear Danny,

Thanks for your detailed response. You are indeed correct that the problem is in “gl=us”, which allows non US advertisers to see their ad’s running in US. Google’s response(snipped for brevity) to us is as follows:

A user in Pakistan could also see your ad targeted to the United States and Canada by searching on the Google United States or Canada domains (google.com or google.ca.) So if a user searches on google.ca, our system reads the user as being located in Canada, and thus will show the user ads targeted to Canada.

However, imo, that is _not_ the “extent of the problem”. How about the following?
1> The ad’s that were targeted for US, should not have resulted in a bill to the advertiser. Whether it’s $.05 or $95 is completely irrelevant. Would it have made a difference if our testers from Pakistan had done a search for “mesothelioma” and cost’ed some poor lawyer $100? That lawyer from Boston, (say) is banking on the fact that her clicks are from New England due to her regional targeting. Paying that kind of money for a click _only_ makes sense if the clients are qualified. Therefore I am proposing that Google should filter out any clicks from “unauthorized” regions before billing. This is not (or should not be difficult).
2> If you actually went to the Sofizar website and looked at the table, you will see that Google recorded a click(and charged that $.05), but more importantly did not record the impression. That is _definitely_ a bug, by almost _any_ definition. That is equivalent to saying that no one saw the ad(no impression), but someone clicked on it(one impression). Why is this bug “relevant”? Because it makes the click auditing that much more difficult.
Unless you are _really_ watching what is going on and auditing each IP with cookies information, browser specific information(and a whole bunch of things we look at), it’s a bear to track down such issues. Almost no one is looking out for 0 impression, 1 click situation. I leave it an exercise to the reader to verify if 10 clicks and 0 impressions also happens. Naturally, I strongly discourage the reader from clicking on anyone else’s ad’s other than their own. That is also the only way for them to verify what happens to the Google reports regarding clicks and statistics.
To answer your “statistical”/”anecdotal” argument, that only a few “regular searchers” know about this hack, I beg to differ on philosophical grounds*. The regular searchers from Uganda are not out to defraud a restaurant in Tokyo. It’s the “irregular” searchers I worry about, who are likely to exploit such holes and potential losses that are quite hard to track down. My experience shows that there is a sufficient number of “irregular” searchers ready to cause havoc(for kicks/profit/revenge). It is in Google’s best interest to improve it’s filters(so that it checks geolocation before billing and not rely on it’s region codes). Further, Google needs to address it’s
0 impression, 1 click” problem.
Another way to look at it is that if I am an advertiser for AdWords, I sign a contract with Google that my ad’s will only get displayed in a certain region/location. I don’t particularly care if someone from another region is able to look at that advertisement using some back door hack. However, I _very_ much care if that person in the other region clicks on the advertisement and as a result costs me money. I didn’t sign up for that, and it is a violation of my contract with Google. Google must take all reasonable precautions that this scenario does not harm it’s Adwords advertisers.
I do apologize for not writing my full name and affiliation. It was certainly inadvertent and I fully agree with you, regarding transparency in forums. No one likes a shill or a troll!
Warm Regards,
-Ron Arthur ( feel free to write to me directly at art@sofizar.com)
Program Manager, Sofizar


*: Even if I were to ignore the lack of empirical evidence backing your statement

[dannysullivan]

Quote:

The ad’s that were targeted for US, should not have resulted in a bill to the advertiser. Whether it’s $.05 or $95 is completely irrelevant.

Sure, the amount is irrelevant with one exception. You've suggested this is a major problem, yet you've demonstrated little except to show that you've concocted a way to see your own ad and get yourself billed for $0.05 cents. In contrast, if you'd shown a variety of different people in Pakistan were being billed for improperly targeted local ads, it would carry more weight.

More important, the way you managed to get those ads to show up for you is not going to be done by about 99.9 of Google's regular users, I'd guess. Only savvy people who are deeply interested in ads are going to do it. The chances they're having a major impact is minimal. I suppose one fix is that Google might not bill for any ads if it spots the gl= parameter being used.

When Google told you this:

Quote:

A user in Pakistan could also see your ad targeted to the United States and Canada by searching on the Google United States or Canada domains (google.com or google.ca.) So if a user searches on google.ca, our system reads the user as being located in Canada, and thus will show the user ads targeted to Canada

That's alarming to me because it is, to my understanding, partially wrong.

For example, I'm in the UK. If I got to Google.com and search, I get UK targeted ads, as they detect I'm in the UK.

Now if I go to Google Canada, the seem to decide that despite my IP address, I must have a real interest in Canada and so show me Canadian targeted ads.

If you targeted your ads only to those in Pakistan, they really honestly shouldn't be showing up on Google US or Google Canada if you go to either of those sites, unless you manually force the ad to appear in the way you did.

Quote:

If you actually went to the Sofizar website and looked at the table, you will see that Google recorded a click(and charged that $.05), but more importantly did not record the impression. That is _definitely_ a bug, by almost _any_ definition. That is equivalent to saying that no one saw the ad(no impression), but someone clicked on it(one impression). Why is this bug “relevant”? Because it makes the click auditing that much more difficult.

I did go to the site, agree that seems a bug, and if I missed it, it's because that wasn't the focus of your release. You focused on a little known feature and turned it into "back door" in the "arms race" of clickfraud, which it really hasn't been seen as until now. In contrast, if you'd done a release about how Google is reporting you are getting more clicks that impressions, that would be far more interesting.

Quote:

I leave it an exercise to the reader to verify if 10 clicks and 0 impressions also happens.

Why leave it to the reader. If you really want to make a mark in publishing click fraud research, study this issue. You've highlighted something that makes people wonder. You can leave it at that or pursue it more.

Quote:

It’s the “irregular” searchers I worry about, who are likely to exploit such holes and potential losses that are quite hard to track down. My experience shows that there is a sufficient number of “irregular” searchers ready to cause havoc(for kicks/profit/revenge). It is in Google’s best interest to improve it’s filters(so that it checks geolocation before billing and not rely on it’s region codes).

Sure, but I guess I'm saying it seems like the clickfraudsters outside the US seems to have no problem clicking on AdSense units or using other means of hitting ads without having to rely on the geolocation parameter. But as I said, Google could change things so that if that parameter is used, no billing happens. I suspect it's a tiny, tiny issue in the fraud scheme overall, but I'm sure they could do it.

Quote:

However, I _very_ much care if that person in the other region clicks on the advertisement and as a result costs me money. I didn’t sign up for that, and it is a violation of my contract with Google. Google must take all reasonable precautions that this scenario does not harm it’s Adwords advertisers.

Well, I can counter that in one way. I'm over here in the UK, but I'm an American expat. The only way I can see ads targeted to those in the US -- which I am very much interested in as a consumer -- is if I use this hack. I've done so on a couple of occasions. If I were to click on your ad, there's a very good chance I fit your targeted audience.

Overall, I agree with you people who target ads want them actually delivered as targeted. It's just that this parameter seems a tiny issue in the overall scheme of things. I'd rather see Google spend more time on promptly, effectively and positively reviewing click fraud reports advertisers send them.

[Mikkel deMib Svendsen]

I brought up this isues almost 2 years ago, however, with a different twist, when I first saw it. The problem is actually bigger that initially described here.

First of all, I don't think advertisers in general believe that their ads will be shown to users outside of the region they chose. But they do in fact. That in itself is a problem of "fraudulent" nature to me. If you take my money to place an add in front of people in the region of US you should not serve it up to people in Denmark. But thats what Google does!

When I first saw it I was working on a large US health care client. Off course, this client did not want clicks from outside the US as its the only place they provide the service.

I was working on the ads, and I new about the gl= code, so I could actually see them, but then one day I did not add the gl=us code when I searched Google.com and there they where - the US targeted ads that I just set up!

So, I contacted Google to find out what was wrong. First thing they did was check my IP and the result they came back with was that they could not identify the region. This leaves me with two problems:

1) I am using the biggest ISP in Denmark having a marketshare of way over 50% - so are Google telling me that they don't know where over 50% of the online Danish population is located? I doubt that - all other IP targeting software and IP lists can figure it out.

2) Google made it clear that because they do NOT know where my IP is from they just serve US ads anyway. Well, thats not exactly what my client signed up for and I could not find anywhere on the AdWords site where they speciafically say this: We serve your add to the selected region - or anyone we don't know where is coming from.

I never got the issue resolved!

[dannysullivan]

Yep, that's a great example of something to fix. I used to use AOL. When logged in through AOL dial up -- even when in the UK, Google would think I was in Virginia. It might be that for locally targeted ads, they they really don't know with certainty the location, they shouldn't show the ad.

[Mikkel deMib Svendsen]

I don't think my, and your, example shows a bug to be fixed - it's a deliberate decission made by Google on how to handle unknown users. A decision I do not agree with and that they have not done anything to actually communicate to their advertisers. Thats is why I think it has a "fraudulent" nature.

If Google really think this is the correct way to handle unknown users why not say that to advertisers? Am I wrong when I believe most advertisers do not know this? When did Google go on stage at a conference and explain, and defend, this decission? I haven't seen it ...

[arthur2000]

Sofizar received an official response from a Google representative regarding the two issues highlighted in the press release. They have clarified their position regarding “location based targeting” and have acknowledged the problem regarding Clicks without impressions. Google has also refunded the PPC charges for testing the bug.

For more details on the current update please visit Sofizar Press Release on Google Adwords

[dannysullivan]

So let's take the two responses from the release, so we can discuss them more:

Quote:

Although Internet Protocol(IP) addresses are one method we use to determine where a user is located, a location-specific query can trump the IP address. For example, if a user in California will be traveling to New York, they may search 'New York hotels' on Google. Although an ad which appears may be targeted to only New York, it is relevant to, and showing to, an interested user. At this time, we are unable to fully prevent clicks outside of a targeted region. However, I've forwarded on your feedback to the rest of our team. We appreciate hearing from our advertisers and are always interested in making improvements to the program to maintain a high quality of service for our advertisers.

I don't have a problem with this. I seem to recall them making this type of switch quietly about two years ago. It came up in a meeting I had with them, and I was very surprised they hadn't made a bigger deal about it.

Way back when I first wrote about location targeting, I said this was something they should do -- and for exactly this type of example. If I'm in London and need a hotel for my next trip to San Francisco, it makes sense that I'd type in "san francisco hotels." The original location targeting was a paid because I'd have to do two different things -- target all the local terms for a "regular" search plus also do the geographic targeting.

Quote:

CLICKS WITHOUT IMPRESSIONS I've confirmed that the keyword 'Minimalist Jukebox: Reich Tickets' received 1 click and 0 impressions, and that you've been charged US$0.05 for this click. I had our team review this issue and they determined that the click should not count to your costs. I understand you're unconcerned about the US$0.05 charge, but would like to let you know that I'd be happy to credit your account in this amount if you wish.

Pity they didn't explain more about how this happened.

[arthur2000]

So let's take the two responses from the release, so we can discuss them more:

Quote:

Although Internet Protocol(IP) addresses are one method we use to determine where a user is located, a location-specific query can trump the IP address. For example, if a user in California will be traveling to New York, they may search 'New York hotels' on Google. Although an ad which appears may be targeted to only New York, it is relevant to, and showing to, an interested user. At this time, we are unable to fully prevent clicks outside of a targeted region. However, I've forwarded on your feedback to the rest of our team. We appreciate hearing from our advertisers and are always interested in making improvements to the program to maintain a high quality of service for our advertisers.

Quote:

I don't have a problem with this. I seem to recall them making this type of switch quietly about two years ago. It came up in a meeting I had with them, and I was very surprised they hadn't made a bigger deal about it. Way back when I first wrote about location targeting, I said this was something they should do -- and for exactly this type of example. If I'm in London and need a hotel for my next trip to San Francisco, it makes sense that I'd type in "san francisco hotels." The original location targeting was a paid because I'd have to do two different things -- target all the local terms for a "regular" search plus also do the geographic targeting.

There are a few ways to look at it. While what you and Google contend about the utility of “gl=” string is valid, I maintain that it adds to the arsenal of fraudsters. A click farm in India, the kind mentioned in Times Of India article now has a way to click on advertisements that it otherwise couldn’t have. Click Fraud is not a monolithic monster. Instead it’s a hydra, and each backdoor(or if I may be permitted, “vulnerability”) is a steroid for it to grow it’s head. In many ways, I don’t understand Google’s strategy. As you contend, only a small percentage of internet “regular searchers” know about it. Is the “gl=” hack a way for digerati in London to book hotel in San Fransisco, while the plaebian riff raff have never heard of it? If it is not a back door why doesn’t the rest of the world know about it. To give you an exaggerated example, why isn’t there a big red button on Google’s search bar: “Use me if you want local information about San Fransisco while you are in London”. Maybe, we just have to agree to disagree about this “location-specific query trumps IP address” business.

However, to me what is much more important is that the advertiser should be _aware_ of this gl=?? Parameter. I can bet more than a few advertisers get lulled into a false sense of security when they go location specific with their advertisements.

I strongly agree with your “I was very surprised they hadn't made a bigger deal about it”. It is a step in the right direction, that Google has specified it’s policy.

Quote:

CLICKS WITHOUT IMPRESSIONS I've confirmed that the keyword 'Minimalist Jukebox: Reich Tickets' received 1 click and 0 impressions, and that you've been charged US$0.05 for this click. I had our team review this issue and they determined that the click should not count to your costs. I understand you're unconcerned about the US$0.05 charge, but would like to let you know that I'd be happy to credit your account in this amount if you wish.

Quote:

Pity they didn't explain more about how this happened.

Arghh! Danny, we are all software engineers. Do we really want to dwell over our booboo’s? ;-)


By the way, you didn’t discuss the part in our release that they stopped charging us for clicks that were made through gl= parameter. We were clicking our US ad’s from our test center in Pakistan with impunity using gl=? Parameter without getting charged. It is inconsistent with Google’s response regarding the matter where we were supposed to get charged. Furthermore, they seem to have fixed the “clicks without impressions” bug, so we were seeing the impressions(and no clicks).