" />

AdWords’ Scariest Loophole

Posted on Monday, January 25th, 2010 by Print This Post Print This Post

Categories - Featured, SEM

First things first, let me stress that neither The Search Agency nor I personally have ever or would ever make any use of the loophole described in this post. This is deeply unethical stuff that you’d have to be wearing a huge and exceptionally dark black hat to consider. We don’t do it and clearly neither should you. The terrifying thing, though, is that you could

When you last set up an AdWords account, remember all the hoops you had to jump through to prove to Google that you were the owner or authorized agent for the domain you wanted to use?

No? Me neither, and here’s why: despite the fact that Google has a trademark policy to prevent you from using your competitors brand names, there are no measures in place to stop you from running AdWords campaigns using their domain. It’s not been possible for some time to run ads which feature a display URL with a different domain to the landing page, but as long as you’re happy for the ads to point to your competitor’s site, you can run those ads to your heart’s content.

That doesn’t matter, you may think, no company’s going to be stupid enough to pay for their competitors advertising. What possible benefit could there be in that? This is Google’s argument, and on the surface it seems to make sense.

But the fact is, given a little thought, there’s plenty of scope for serious damage that an unethical competitor (or just a rogue individual) could inflict upon a business. Did you ever see a really compelling ad for one of your competitors and wish you could make it less effective? Or make it reach fewer people? With AdWords, frighteningly, you can.

Just create your own unappealing ads using their domain and bid to outcompete their real ads. Since Google will only allow one ad to show for any one domain on a results page, you can effectively replace your competitors own ads with ones that are as unappealing, unattractive or brazenly offensive as you like. How about these?

Need A Car?
Ours Are Unreliable & Dangerous
Put Your Family At Risk Today!


No Good With Werds?
Were The
Exper Profreeders!
Never Find A
Tpyo Again.

XYZ Software 2.0
Crashes Even More Than Version 1.0!
Unsecure, Inefficient & Unnecessary


Imagine the fun you could have! Still, amusing as it might be to sling mud at your competitors in this way, it’s none too subtle, and those ‘per click’ costs might rack up from user curiosity alone. A much more troublesome risk of this loophole is it being exploited in a way that’s less detectable to the user performing a search.

Since it’s possible for sneaky companies to buy advertising for their competitors alongside their own, why not make the two ads directly comparable, but with the ‘real’ ad significantly more attractive, like this:

XYZ Only $100
Brand New & In Stock Now
Free Delivery!


XYZ Only $150
Our Lowest Ever Price
Delivery From $3.99


For users it’s a no-brainer, so clicks to the competitor ad will be virtually non-existent, and that means bids can be set ludicrously high to combat the effect of low CTR on Quality Score. In fact, while you’re at it, why stop at one competitor? Since there’s nothing to stop you creating ads for any domain you like, you could pull the same trick with every one of your competitors on AdWords, managing bids so that your real ad lives in position one and all your fake competitor ads have bids just high enough to keep the real competitors off the page. Voila, the vast majority of Adwords clicks on these pages will come straight to your real site.

Of course, there’d be difficulties: the CPC you’d achieve on your real ad would be necessarily high, and the smattering of clicks on your fake competitor ads would likely be extortionate. In fact, the whole production would likely cost a good bit of money and a lot of clever AdWords management time, but for what amounts to complete ownership of the sponsored links on your preferred search terms, it’s not impossible some companies may consider that a price worth paying.

Google’s position is simple: if there’s a brand issue in the ad copy (not including the display URL) they’ll get involved to a limited extent, but the display URL or anything even as flagrant as the above example is an advertiser-to-advertiser issue. In short, it’s a problem for your lawyers, not Google’s.

So, while it’s likely that this kind of aggressive hijacking would lead to serious legal trouble for the perpetrator, this would probably come too late for the company whose product launch, event or other promotion has been buried by it; and, in the murky world of cybercrime it’s likely that someone wanting to inflict such an attack could probably find a clever way to keep the paper trail away from their door.

Maybe this kind of elaborate scam is unrealistic, but the fact is there’s nothing that actually makes it impossible. And as long as Google requires no authentication of domain ownership before running ads, the threat of someone exploiting this loophole at the expense of your business is very real, even if it’s just an angry customer or disgruntled ex-employee who’s willing to pay to air their grievances in a very, very public place.

Have you ever been a victim of this loophole, or even used it yourself? Or can you think of some even more diabolical possibilities this opens up? Let me know… and try not to have nightmares.

About Alex Campbell

Alex is Deputy Managing Director of The Search Agency Ltd., with a remit covering all strategic and operational elements of the UK agency business. Alex is based in the London office and has the distinction of being TSA’s first full time employee in the UK, having joined TSA in 2008 to lead and grow UK SEM activity. He has extensive experience managing teams in the UK and offshore and has worked with large and small clients directing campaigns across verticals including directory, leisure and finance, and across markets including Europe, North and South America, Asia and Australasia. Alex has been working in the online marketing space for seven years and holds a BA/MA in English Language and Literature from Oxford University.

Tags | , , ,

15 Responses to “AdWords’ Scariest Loophole”

  1. David says:

    Thanks for pointing out that potential loophole, perhaps it will trigger a positive change…

    • Alex says:

      Thanks David. I’ll admit the examples I’ve suggested above may be pushing this risk to extremes, but the fact remains that there IS a risk. We’ve certainly seen at least one client suffer because of AdWords’ lack of domain authentication.

  2. James says:

    Hmm, not sure of the motive for this post. If the aim was to alert google privately. Seems this will only serve to point out an opportunity to the less scrupled.

    • Alex says:

      Hi James. I take your point – I guess it could be potentially risky to let this information fall into the wrong hands, but I’m of the view that those “wrong hands” could have easily discovered this anyway. In fact, I was in two minds as to whether I should describe this as a “loophole” since, in fact, there’s not really any trick to it at all. When I became aware of this it certainly struck me as something that was very interesting and quite concerning; and worthy of debate. From Google’s point of view, we’ve have been in touch with their team on both sides of the Atlantic and they’ve confirmed that they’re aware of this but don’t consider it a significant risk, stating it’s an advertiser-to-advertiser issue (as I say above, a problem for your lawyers, not theirs).

  3. Periscopix says:

    It would be so simple for Google to solve this problem. They already have the systems in place with Webmaster Central. The domain owner can upload a verification file to the root of their site. That will prove they’re the site owners. It would rule out direct linking affiliates though unless the merchants are willing to upload multiple verification files to their site.

    • Alex says:

      Hi Periscopix, thanks for your comment. I agree this should be a relatively simple thing to resolve. To play devil’s advocate I guess Google may consider that the solution you suggest to be too complicated for some of the less tech-savvy small local advertisers who they want to attract. Maybe another solution would be for Google to only allow any one top-level domain to be associated with one AdWords account by default (something that could be changed for affiliate merchants) – that would mean that as long as the real advertiser had some AdWords activity running first, no rival (or individual) could then use that domain in their “fake” ads. Of course, there could still be an issue if a faker got in there first, but it would be a partial solution at least…

  4. Barak says:

    Hi Alex,

    Any advertiser with some common sense knows that a prank
    like that ouuld cost him banishment for life on Google Adwords.

    • Alex says:

      Hi Barak,
      You’re absolutely right of course – no legitimate advertiser or agency would ever exploit this loophole, but I don’t think that means there’s no risk. For an individual (angry customer, ex-employee etc.) getting banned from AdWords might be of no concern at all, because they might not ever want to use it legitimately. Same goes for a criminal operation, because they could presumably keep setting up accounts with various credit cards and never worry about getting banned. In these cases a Google ban would come too late for the victim involved; and, in fact, since Google have said that domain URLs are not covered by their trademark policy, there’s no guaranteeing they’d actually get banned at all.

  5. Gene Pao says:

    Great article. While we won’t do this to our competitors, I’m not confident that our competitors won’t do this to us. Definitely something to look out for!

    • Alex says:

      Thanks Gene,
      Let’s hope they don’t! We’ve seen this loophole cause problems once or twice (though never with the level of maliciousness I’ve considered above) and Google’s hands-off approach can make it difficult to rectify.

  6. Aidan says:

    Oh dear…

    Guess we’d better start getting used to the GWT style verification for Adwords accounts! If thats too complicated for small business owners they’ll find it more necessary to use an Adwords manager!

  7. I have been exploring for a little for any high-quality articles or blog posts in this sort of house . Exploring in Yahoo I finally stumbled upon this site. Reading this information So i’m happy to convey that I have an incredibly just right uncanny feeling I discovered exactly what I needed. I so much indisputably will make sure to do not fail to remember this web site and provides it a glance regularly.

    • Alex says:

      Thanks Vallie,
      With the size and experience of our team at TSA there’s a lot of great stuff being added here all the time, so glad to hear you’re planning to come back.


  1. Paid Search from Apple, Google Analytics Certification, & AdWords Loophole | Dragonsearch Marketing Blog
  2. Paid Search from Apple, Google Analytics Certification, & AdWords Loophole | DragonSearch Marketing

Leave a Reply

Follow Us on Twitter

Featured in Alltop

Big List - Search Marketing Blogs

2010 SEMMY Runner-Up

BoostCTR Best PPC Blogs