Hacking Google AdWords
by StankDawg
Like many others, I have been a huge fan of Google over the past few years.
I have spoken very highly of it on my weekly radio show Binary Revolution Radio discussing hacking techniques, interpreting finds, discussing new features, and lots of other things Google-related.
Unfortunately, over the years, I have started to find that I was beginning to question some of Google's practices. Whether it was the toolbar, the mysterious "PageRank" system, their spidering engine, Gmail privacy concerns, their purchase of the USENET archives, or any number of other features, I was starting to think that maybe they are not quite as wholesome as they first appeared.
I liked the fact that they were making advances and pushing the envelope in terms of search engine results. I did not necessarily have a problem with the individual features themselves, but I began to question the way that they went about the features and their relationships with each other. Putting ads in the Gmail accounts? Not such a big thing, except that Google allegedly tracks every IP address and associates it with every search request and therefore, every email.
They can claim that no human reads personal email, but I am not willing to take their word for it anymore. And what if some law enforcement agency subpoenas that information? That pretty much trumps any privacy statement from Google. If they didn't track such intrusive information then there wouldn't be a problem. But I digress.
There was still one Google product that I had no experience in and I thought it was time to take the dive. I decided that my next area of study would be the Google AdWords program.
Google AdWords, as you might have guessed from the name, is an advertising program offered by "the big G." This program is what puts those ads on the right-hand side of the page containing your search results. These results also go in your Gmail, groups, or anywhere else that Google has authorized to use the AdWords ads. They also have some partnered sites that use these ads on their pages as well. These locations seem to change frequently and their documented list of clients is no longer correct. Most of the ones that I tried to follow-up on have switched over to the Google AdWords competitor, Overture, which is used by both Yahoo! and MSN. In fact, Overture is actually owned by Yahoo! now.
I don't really think that advertising my site(s) in Google is worthwhile, but I figured it would be an interesting experiment and research assignment. It may even be an opportunity for some "investigative reporting," if you will, so I took the plunge. The plunge consisted of heading over to adwords.google.com and reading the available documentation and then dropping 20 bones to get an account started. Your $20 is basically a debit from which your fees are pulled and it is the minimum required (at the time of this writing) to create an account. They pull five bucks for a setup fee from that deposit in the first month. There are a few settings that you create when you set up the account which will come into play later.
Now that you have an account, you need to create a "campaign." Campaigns are logical divisions of different topics that you want to advertise under the same account and billed to the same place. For most small users, like me, you will only need one campaign. If you have sites that cover several different topics, you might want to separate your ads based on the topics that you want to advertise.
Perhaps you are a web developer or a hosting company and you need to advertise for a pet store, a hobby store, and a car dealership. Each one of these will have different keywords for different audiences and you would not want to mix these sites and topics together. This is only for organizational purposes and not very interesting to hackers.
While campaigns are logical divisions for content type, "ad groups" are subdivisions of campaigns. Campaigns are based on topics, but ad groups, generally, are based on individual sites. Each ad group has one ad which lends to being used one per site. For the example of a car site, you might have a different ad group for new cars and a different ad group for used cars. The reason is because there will be different keywords that fit each site better. In my case, I made a different ad group for different sub-domains and projects on our site.
For example: We have an ad group for Binary Revolution Radio and a different ad group for Binary Revolution Magazine.
I also have a few other ad groups that I use to do some "testing" but basically you will want to create a different ad group for each different ad that you want to make.
At this point, you should still have $15 left to spend on advertising. The way that the system works is very similar to an online auction process. Instead of bidding on items, however, you are bidding on "keywords." You have to decide what keywords will provide you with the highest number of clicks. Obviously, if you are a car dealer, you would use keywords for different car models or other related search terms. You could also put phrases like "free porn" which may generate many hits but no one will buy anything once they get to your site. You paid for their click, but they didn't give you anything in return. They didn't want your car site, they wanted free porn!
Choosing appropriate and manageable keywords is one factor, but the other factor is that you are not the only person who wants those particular keywords and there is only so much screen space to dish out. This is where the bidding comes in.
Certain words are worth more than others. Obviously, there are many car dealerships out there and they all want the same terms such as "new car dealer." The way Google handles this conflict is that they sell to the highest bidder. The more you bid on the keywords that you want, the higher on the page your ad will appear. This bidding war is a perfect design for pay-per-click advertising. You only get charged your bid amount when someone actually clicks though your ad. Every time it is shown on the page, it is counted as an "impression" and every time someone actually clicks on your ad, it is counted as a "click-through."
You must maintain a certain Click-Through Rate (CTR) that generally needs to be at least 0.5% (one click-through out of every 200 impressions) but this percentage fluctuates based on other factors like the size of the campaign and the frequency of the keywords. If you do not stay above your CTR, your account will be slowed and/or canceled.
An interesting bit of trivia is that the most expensive keywords are usually those related to lawsuits and lawyers who are looking for the big payout. This includes words and phrases like "class action" and "slip and fall" with the idea that it only takes one big payoff from a class action lawsuit to make them millions of dollars and justify the cost of the ads. Insert an obligatory lawyer joke of your choice here.
So this brings you to the keywords section which is where you will do a lot of hacking to get good keywords and find some interesting things about the system. You choose keywords that you think are relevant and will generate hits on your ads. AdWords will estimate the number of hits and the CTR using some magical formula that is not publicly available. This tool may work fine for larger or medium sized campaigns, but for small campaigns it was woefully skewed even to the point that I had ads that were being slowed or canceled within a day of creating them.
The AdWords system expects more clicks than a very unique keyword can provide, and it just gives up far too easily. If your keywords fail to often (there are levels of failure that are unimportant in this context), then your account will be "slowed" and your ads will not show as often, or so they claim.
I found that my keywords, being very detailed and obscure to the non-hacking world, were still being shown when I tested for the same keywords. I guess you cannot slow something down or lower it in the results when it is so unique that there are no other ads to put in front of it. If you want to reactivate your account to full speed, you have two grace reactivations and then to reactivate it a third time, you must pay a $5 dollar reactivation fee (which is ridiculously unjustifiable for an automated system). My account was "slowed" a mere 48 hours after its initial creation. This created a paranoid existence where I was scared that if I did not check the account daily, they would kill it again. I was suddenly demoted from a webmaster to a babysitter.
When it comes to the keyword system itself, one of the things that I found interesting was the keyword tool that tries to help you come up with better keywords to add to your campaign. Once you put in a few keywords to get started, the keyword tool will then try to suggest similar keywords or phrases that are related to your original keywords. You will find some interesting results this way. I started with only a few keywords and found myself with many more based on the keyword tool. But this was where more problems started to happen.
I found that my keywords were being canceled way too easily and were not given a fair chance to perform. Like I said earlier, if the campaign was on a larger scale, then this statistics model may hold true, but for smaller campaigns it simply was more of a hassle. It also led to another problem that I found slightly ironic which is that the keyword tool suggested words and phrases to me that I was later denied due to their Terms of Service (ToS) anyway. Why recommend them if you are not going to allow me to use them? This is pretty much when my experience became totally negative with AdWords.
I also admit up front that I knew that their ToS had a rule against "hacking and cracking" sites. I knew this ahead of time, but I know that my site is a hacking site and does not promote cracking. Because of this, I thought that maybe Google would "do no evil" and be liberal with their policy and understand that my site does not promote illegal activity and explicitly states that in numerous places.
Apparently, Google did not share this viewpoint as I found out later. In the beginning, however, when you create a keyword in you ad group it gets put into the rotation immediately! That is important to note. My ad group stayed in rotation for about four or five days before I got the ToS notice that my ads were suspended.
I emailed the customer service person and explained to them that my site did not contain any reference to "cracking" and I even went so far as to show them the Google link to "define:hacker which explained the definition of hacker right from their own site.
I also pointed out that Google even offers a "hacker translator" service at www.google.com/intl/xx-hacker/ which seemed quite hypocritical to me. I also gave links to several prominent sites that clearly define and delineate the difference between hackers and crackers. None of this did any good.
That was the motivation for this article. If Google doesn't want to be reasonable and wants to keep forcing their rules on me, then maybe I should point out the flaws in their system for the entire world to see.
Firstly, let me point out again that your ads do not get checked upon initial creation before they get added which is very useful if you want to be a spammer or promote your pr0n site for a few days on Google (although some words are explicitly banned from being in an ad at all). You will pretty much have your ad out there for a few hours or days before they will catch and ban it. Overture checks your ads before they are made available. They also banned my ads from Overture, but at least they weren't hypocritical about it. Google was banning my ads for having the word "hacking" in them but Amazon and eBay were both using that keyword in their ads. I guess they have bigger wallets than I do.
The next big flaw is that when Google "disables" your account, they simply remove it from the rotation until you correct the problem. They have to err on the side of caution and give you a chance to fix the item in question.
To do this, you go into your ad and change it based on their explanation of the problem. In my case, they didn't like the words "hacking magazine" so I simply changed it to "security magazine" and it was immediately put back into the rotation. It took them another four or five days before they disabled my account again, this time for the same reason. I again tried to reason with them that the ad did not have the word "hacker" in it and that it was simply a site about computer security, but they weren't hearing it. I got the same cut-and-paste response of the same "no hacking or cracking" rules every time I contacted them like I was some sort of moron. Fine, if they wanted to play that way, I certainly wasn't going down without a fight. And I also wanted going down without using up my $15 credit that I still had left!
This is the most hilarious part of the story. Due to the method by which they check and verify ads, I simply went back into my ad and changed it again thinking that it would probably go back into rotation immediately. I removed the word "security" this time and simply left "magazine." The ad was instantly reactivated.
Well, I began to wonder whether they kept any sort of database or history of ads that were banned to stop me from going back to them again. I edited my ad again and decided that I was damn well going to put my ad back out there. I put the word "hacking" back in front of "magazine" and voilà! I was back in business! It was that simple!
I can play this cat-and-mouse game for a long time if they are not going to block my previous ads, and even if they tried, I will apply some of the tactics from my "31337sp34k" article to make tiny changes and bypass just about any filter they want to throw at me. And so it went for about a month until they tried something different.
When they decided to ban my ad this time, they also added in a little extra twist. This time they went into every single one of my ad groups and banned all of my ads (some of which had "security," some had "hacking," etc.) but even better than this, they also went in and banned every individual keyword that I was using. This included "security magazine," "hacking magazine," "phreaking magazine,' and included the ones that they themselves recommended earlier with their own keyword tool! I decided to push back a little bit and complain that they were banning keywords that were suggested by their own system, but they still continued to cut-and-paste the same response to me over and over. Well, now I had to handle this problem as well.
Well, as if it wasn't funny the first time (two paragraphs ago), let me repeat it. I went in and edited my ads again just as I had been doing and they were, once again, instantly reactivated. This time, however, they were not responding to my search terms.
Obviously this is because even though the ad groups themselves were back in rotation, they individual keywords were still banned. Well, I figured that since it worked for the ad itself, maybe I could also modify the keywords just as easily and reactivate them as well. I cut my list of keywords out to a text file and saved the ad group with no keywords in it. I then clicked on "add keywords" and pasted those bad boys right back in. I think you can already guess what happened. I was back up and running with all keywords intact. They do not seem to check ads with any regularity.
But this was just the story of the big loopholes that I found in the fundamental aspect of their system. I also have some general advice for people who actually do want to use Google AdWords. One of the controversies with this type of advertising is that you can use just about any keywords that you want. This includes proper names, and copyrighted titles of companies. Coke can use the keyword "Pepsi," Honda can use "Toyota," and similar related products can try to capitalize on their competitors name and unless someone complains, it will be right there.
Now the big guns like the ones just mentioned, will put a Cease and Desist on that activity with a quickness, but for smaller sites you have some more flexibility. I use keywords of some other popular hacking magazines in my ads (*cough*) and some security trade magazines as well to try to let people know that we exist.
Another similar tip is to use misspelled version of your keywords. This is a huge place to get a leg up on your competition. Google will come up with a suggestion if it notices a users search terms to be misspelled, but in the meantime the user has scanned the page and seen your ad increasing your visibility. You may get them to click on your ad without even correcting their spelling and running the correct search. I think this is a great example of social engineering where you have to understand how people think and see where that intersects with technology.
One of the more evil things you can do is based on the "daily spending limit" which is one of the items I mentioned earlier that are set up when you first make the account. You can tell AdWords what you want your maximum daily spending limit to be. When you reach that limit, based on enough click-throughs to hit that amount, your ads will be removed from the rotation until the next day.
This is meant to be a safety measure for smaller sites who don't want to get overwhelmed with so many hits or orders that they cannot keep up. If you really wanted to be a jerk to your competitor, or just to a random stranger (like me), you could just click their ads as much as possible and they will pay their bid amount for each click-through.
Now, I don't believe it is so simple to allow you to just sit and click over and over. It looks to me like they use session variables to limit how many clicks can come from one person. This may also be used in conjunction with IP resolution to only give one-click per customer.
I think we all know that a little scripting and a list of proxy servers can overcome both of these obstacles. And since the ads disappear after the daily limit is reached, this attack also doubles as a DoS attack by removing the ads for 24 hours, which might be an interesting move for a competitor to make.
I wouldn't recommend that you do this because it is pretty rude and it will cost someone money which is not a good thing. Don't bother trying this on my campaign because I set my daily limit very low so that it would take you months (literally) to use up my $15 of credit. Those lawyers who pay big money for the expensive keywords have a little more to worry about than I would.
Finally, the funniest hack of all is my last slap in the face to Google. I created the ad group that you see in the picture below (which will not be working by the time you read this). I immediately took it down, for fear of getting canceled outright, but it is here for posterity.
The ad group that you see in the first image produced the results that you see in the second image when searching for the string "Google really sucks." I am sure that my account will be shut down when this article is publicly released, but while I am waiting, I would like to continue to explore. Because of this, I am not leaving this keyword string up and running since they will probably shut me down if they saw it so if you try it as you read this, it will not be working (at least not from me). This is the new way to protest and is reminiscent of the fordreallysucks.com saga a few years back.
You can not only put in company protests, but personal messages to people triggered by keywords. Perhaps you have issues with a certain person and you want their name and a nice message to appear when you search for them. It could be used for almost anything.
Theoretically, you could use this trick to send hidden messages to someone by sending them only a very long (80 character maximum) and unique key phrase. The gibberish phrase would not generate any hits, but the ad is still delivered (this is verified). You would contact the receiver and give them the phrase and they would know to look for it on Google and then click on the resulting ad which would take them to a secret site or message (which you would have encrypted, of course), or the ad itself would contain a key to another message. The applications are endless.
So this research has been going on now for a couple of months as of this writing. I only want to get my $20 back out of it and then I will cancel the account. While I was waiting, I thought I would share some of these loopholes with people so that they too, could enjoy the Google AdWords program as much as I have. I also shared a few real tips on how to run a successful campaign in general. Tutorials are available on the Internet that contain probably even less information that I have provided in this article yet people charge hundreds of dollars for them. You should probably save your money and just send them a link to this instead.
I loved Google for the longest time, but about a year ago, that all started to change. They started making questionable business decisions that were obviously financially motivated. Google went public on August 19, 2004 and started answering to stockholders whose bottom line is profit.
This has been the downfall of many companies. Bias (in the form of financial pressure) has been introduced. Your expectations for privacy should be nonexistent and they are probably too late now anyway.
Google is the new Big Brother... and he is definitely watching.
"The Revolution Will Be Digitized!"
Shoutz: Alternative search engines, my fellow passengers on the flight back from interz0ne 4 who formed a circle around me listening to me teach Google hacking, Acidus, Decius, Rattle, romanpoet, Elonka, the listeners of Binary Revolution Radio, and of course, the DDP.