Black-Hat PPC: Stealing Trademark Traffic


Want to learn how to steal your competitor’s high-quality brand traffic and redirect it to your site using Google Adwords?  “Against their terms,” you say?  Rubbish!  I’ll show you how a black hatter did just that to a client of mine costing them hundreds of thousands of dollars in lost traffic!

Recently, a client ran into an issue with their Google Adwords campaigns.  Their brand-targeted campaigns began to produce fewer and fewer conversions, while their CPA (cost-per-action) started climbing rapidly.  It wasn’t long before they were paying twice as much per conversion and getting half as many per day.  A quick bit of investigation revealed that we were only getting a small share of the available queries for our well-known brand and domain name.

An inspection of Google’s results revealed nothing.  There was my client’s ad, where it should be with no other ads present.  Obviously whoever was siphoning off traffic was being very deceptive about it.  My initial thought was that they were day-parting their traffic and only showing their ad during early morning hours, but after a few sleepless nights I confirmed this wasn’t the problem.

My next step was to use a proxy that was located in a different state to check the Google results.  An ad which appeared to belong to my client showed up, with the same title & description and showing my client’s website.  Clicking the ad caused a competitor’s site to come up instead of my client’s site, a clear violation of Google’s terms since the URL of the final destination, after the redirect, did not match the ad’s display URL.

I went back to Google to see if the ad showed up for my client’s domain as well as their brand name.  It did.  I clicked it again, but this time I got redirected to my client’s site instead of the competitor.  I went back to the original trademark term I had searched and clicked the ad again. Again I was redirected to my client’s site.

“Well that’s weird,” I thought.

I copied and pasted the destination url and found something that looked like this:

http://www.google.com/aclk?sa=L&ai=CAsqXJqLITbLjK8iagQfkqe2DCuD_lZ4CiG7G1yyV3J4xCAAQAVCGvph1YMnWrIfco8QQyAEBqQJWZt7pooqYPqoEHk_QE2yD9UlXdHsS-zdkm2-4VemNnXiQxxZQ38nPw&sig=AGiWqtwAJ2evlzQJvjiJDaoysxKsaXy3Xw&ved=0CAgQ0Qw&adurl=http://someredirectdomainwithalotofcharacterssothatitlookslikeparametersintheurlinsteadofaredirectdomain.eu/track/61/

Google prefaces your ad’s destination URL with a bunch of encrypted information so they can measure clickthroughs and other information.  In order to see the actual URL, you have to isolate whatever is after “adurl=”:

http://someredirectdomainwithalotofcharacterssothatitlookslikeparametersintheurlinsteadofaredirectdomain.eu/track/61/

This was the actual destination URL of the ad.  I did a fruitless WHOIS search of the domain which turned up nothing because the domain had privacy protection enabled.
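The "isolate whatever is after adurl=" step can be automated for a batch of captured click URLs. The following is an added example, not code from the original post: it extracts the destination and flags any whose host is not the advertiser's own domain, without sending a request to the destination. The sample URLs, their tokens and the `brand.example` domain are constructed placeholders.

```python
from urllib.parse import urlsplit, unquote

# Constructed click URLs (tokens are placeholders, not real ad data).
# "brand.example" stands in for the advertiser's own domain (assumption).
SAMPLE_CLICKS = [
    "http://www.google.com/aclk?sa=L&ai=TOKEN1&sig=SIG1&adurl=http://www.brand.example/shop?src=ppc&c=1",
    "http://www.google.com/aclk?sa=L&ai=TOKEN2&sig=SIG2&adurl=http%3A%2F%2Flongtrackinghost.example%2Ftrack%2F61%2F&ved=X",
    "http://www.google.com/aclk?sa=L&ai=TOKEN3&sig=SIG3",
]


def extract_adurl(click_url):
    """Return whatever follows adurl= in the click URL, decoded, or None."""
    query = urlsplit(click_url).query
    marker = "adurl="
    start = 0 if query.startswith(marker) else query.find("&" + marker) + 1
    if not query.startswith(marker) and start == 0:
        return None  # no adurl parameter at all
    raw = query[start + len(marker):]
    if "://" not in raw:
        # Percent-encoded value: it ends at the next outer '&'.
        raw = unquote(raw.split("&", 1)[0])
    return raw or None


def same_site(host, brand_domain):
    """True if host is brand_domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    brand = brand_domain.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


def audit_clicks(click_urls, brand_domain):
    """Classify each click URL as 'ok', 'mismatch' or 'no-adurl'."""
    findings = []
    for url in click_urls:
        dest = extract_adurl(url)
        if dest is None:
            findings.append((url, None, "no-adurl"))
            continue
        host = urlsplit(dest).hostname
        verdict = "ok" if same_site(host, brand_domain) else "mismatch"
        findings.append((url, dest, verdict))
    return findings


if __name__ == "__main__":
    for _, dest, verdict in audit_clicks(SAMPLE_CLICKS, "brand.example"):
        print(verdict, dest)
```

A `mismatch` means the ad's first hop leaves the advertiser's domain, which is worth recording alongside the search term, time and vantage point of the capture.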

So then I thought, they are using my client’s registered trademark so I’ll file a trademark infringement complaint with Google.  Surely, this will do the trick!  Since they had copied my client’s ad copy verbatim, it should be a fairly easy process to get the ad removed.  However, I made the mistake of not reading the form thoroughly and checked both the box that says I’m complaining about the keywords they are bidding on and the box about their ad copy.  After three weeks of waiting for a response, my complaint was denied.  Turns out that in the US, you cannot complain about others bidding on your trademark terms.  If you check that box, they just deny it even if your complaint about the ad copy is legitimate.

So my next step was to notify the policy team, through my Adwords rep, that this advertiser was violating Google’s terms by redirecting to a competitor instead of the display URL.  To my dismay I received a response that the final landing page they kept seeing was my client’s site instead of the competitor’s site.  I was at a dead end.

I decided to dig deeper and see exactly what this shady advertiser was doing.  What I discovered was a black hatter’s dream.  This guy had built a PHP redirect script which redirected users to his link on the first click, and to my client’s site every other click after that.  It worked by storing the IP address of the incoming request and would reset every 24 hours.  This made it very difficult to detect.  Even though you may see the competitor’s site on the first click, every other click after that took you to my client’s site, making it appear as if everything was fine.

What was brilliant about this is that the first click is by far the most valuable one.  Most people will only click an ad once and either buy something or not.  The second time they click they are half as likely to convert as the first time.  If they click three or more times within the same day, the system is likely to flag their activity as click fraud so theoretically you would be refunded for it anyway.

In addition, you can make the script’s activity harder to detect if you grab a list of Googlebot IPs so that Adwords is never able to automatically disable your ads due to the destination not matching the display URL of the ad.  Another nifty trick this black hatter was doing was to use IP-based geolocation to always show my client their site rather than the competitor’s, making it even harder to detect.

In the end, I ended up having to recreate the issue and record it on video in order to prove to Google’s compliance department that there was a problem.  Even with that, it took them three months to finally get around to shutting this black hatter’s ads off.  Overall, the competitor’s ads ran for 6 months and cost my client hundreds of thousands of dollars.

So why would someone like myself write a story about this?  Aren’t I opening the door to a militia of black hatters that could copy this technique and replicate it?  Yes, but not because I condone this behavior.  The bottom line is that this is happening right now by a handful of black hatters that were sneaky enough to figure this out.  By bringing this to light, I am hoping that Google invests some time into figuring out how to permanently put an end to this glaring issue.  If this were done to an overly bureaucratic non-technical Fortune 500 company, it may take years for anyone to detect it and cost that company millions in lost sales.
