The author’s views are entirely his own and may not reflect the views of nexus-security. As a typical Silicon Valley engineer, my days were monotonous. I’d hit snooze countless times before dragging myself out of bed, battle rush hour on the 101, and then sit through mind-numbingly dull meetings led by technically clueless managers. You know, the type who thought Java was a beverage. My workdays were filled with pretending to be productive (who can call browsing eBay unproductive? I was practically doing quality assurance for them!). Lunch breaks were dedicated to griping about our jobs with colleagues, followed by a stealthy hour-long nap under the conference room table.

Around 3 PM, I’d put in a solid hour of actual work just before my manager inevitably appeared, inquiring about my progress. After that, it was back to my dull suburban existence – a real turn-off for my non-existent dating life. Two years of this soul-crushing routine would drive anyone insane, including me. Maybe it was my youth or maybe I was just wired differently, but I had high expectations for myself and I just couldn’t stomach this charade any longer. So, I took the plunge and quit, never looking back. I was determined to forge my own path. I tried my hand at everything from IT consulting to vending machines, network marketing, game development, and niche websites. Like many wide-eyed entrepreneurs, I dabbled but never struck it rich. Despite not being particularly religious, I clung to the belief that I was destined for success. Every morning, I would pray for a sign, a guiding light, SOMEONE or SOMETHING to pull me out of the trenches. And then, my prayers were answered.

Or so I believed.

The Message That Ignited It All

It was 2008 when an old network marketing buddy contacted me out of the blue. We had never been close, but bonded over those “we’re-the-best” network marketing conferences designed to motivate us to peddle their often-useless products. Like most network marketers, neither of us achieved the promised riches, so we went our separate ways. He ventured into internet marketing. When his message popped up, I was caught off guard. We hadn’t spoken in years. He was asking about using AdWords, a platform I had dabbled in but never mastered. His request struck me as odd. Even with my limited knowledge of AdWords, I knew anyone could create an account. Something wasn’t right.

When I probed further, he confessed to making a killing online - thousands per MONTH (a fortune for a struggling twenty-something). It was all thanks to some online ad trickery. Naturally, I was all ears. His secret weapon? Search ad feed arbitrage. Let me break it down.

The Anatomy of the CPC Arbitrage Scam

Search engine giants like Google, Yahoo, and Bing have a vast network of advertisers who shell out big bucks to appear in search results. It’s a cash cow for these companies. Then, there are the smaller players in the search engine world, the second-tier contenders like DogPile and Ask. Google and Bing, always hungry for revenue, want their ads displayed on these platforms too. But instead of using AdSense, they rely on XML feeds. So, if someone searches for

http://SECOND_TIER_SEARCH_ENGINE/search?q=auto+insurance

The second-tier search engine sends a request to Google or Bing, inquiring about available ads for that keyword. If there’s a match, the results are delivered via an XML feed, which the second-tier engine then displays. Why this method instead of the standard AdSense? It could be about speed: <geek_talk> maybe they have a direct connection for faster results compared to slower, asynchronous javascript in browsers </geek_talk>. Or perhaps it’s about data collection and analysis, with these search engines aiming to maximize revenue. But the REAL kicker? The XML ad feed boasts significantly higher payouts than AdSense. Instead of Google and Bing pocketing their usual 40% cut, they take a much smaller slice. What’s more, unlike AdSense, you know the revenue per click (RPC) upfront. The implication? Access to this XML feed opens the door to CPC arbitrage – snapping up relevant keywords for less than the RPC. Of course, there’s always the risk of users bouncing from a lousy landing page. The equation looks like this: Max CPC bid = RPC * (CTR on the landing page). Ever clicked on an ad only to land on a page plastered with even more ads? Those pages are technically “relevant” but utterly worthless. Often, they’re nothing more than a single-page domain with zero content. We’re talking ridiculous domain names like “BuyTermLifeLifeInsuranceMiamiFL.info” or “WeightLossManagementCenterTorontoCanada.info”. And these CPC arbitrageurs owned a staggering number of these domains - thousands upon thousands of .info domains. This was back in 2008, when quality score was already a factor (and these pages would have tanked with a QS of -250 or worse). So how did these arbitrageurs circumvent the quality score hurdle? Simple. Cloaking. They’d redirect traffic to legitimate-looking pages when they detected search engine bots. Otherwise, users were sent to their money-making pages. Here’s the gist of their code: ============================================================= if(user_agent is empty or bot) // GoogleBot, BingBot, etc.) { cloak_to(trusted_site_with_keyword_rich_content_and_no_conversion_goals) } if(IP is a known bot IP or on “blacklist” IP) // Let me tell u.. this is HUUUUUUUGE list { cloak_to(trusted_site_with_keyword_rich_content_and_no_conversion_goals) } if(IP has been registered already) // sheer paranoia { cloak_to(trusted_site_with_keyword_rich_content_and_no_conversion_goals) } redirect_to(money_page) ============================================================= Note: The irony of blackhat PPC experts maintaining a “blacklist” of bot IPs - shouldn’t it be a “whitelist”? This two-pronged approach achieved their goals:

1. Get their ads approved
2. Keep their quality score low for cheaper clicks But how could someone like me or my friend get access to this feed? Turns out, my friend’s former boss, a company co-founder, had connections. He knew someone at a major search engine (I won’t name names) who provided access to this valuable feed in exchange for a cut of the profits. My friend’s boss then brokered the feed to him under a similar arrangement, leaving my friend to do the dirty work. And naturally, he wanted me in on the action.

Why I Ditched Black Hat PPC

Whenever I recount this story, I’m bombarded with the same questions: 1) How big was this market? Massive. That company where my friend worked? They sold half of it to a hedge fund for a cool $50 million+. Perfect timing, too, because search engines caught on and cracked down on TOS violators soon after. 2) This doesn’t happen anymore, right? Search ad feed arbitrage? You’re right, it’s rare these days. At least, I don’t see it as much. However, some second-tier search engines still seem to be playing this CPC arbitrage game in lucrative (and easily manipulated) industries like weight loss, insurance, and consumer goods. It’s happening ALL the time. In fact, Ask.com has a bit of a reputation for this arbitrage game. There are also other kinds of CPC arbitrages happening, but they’re sneakier. Think buying cheap banner ads on high-traffic but unfocused sites, like music sites, and redirecting visitors to high-CPC search results. The banner ad might say something vague like, “Looking for a car?” Then, bam, the user is hit with a page full of car ads. The formula remains the same: Max CPM Bid = Banner ad CTR * RPC * CTR on SERP. Illegal? Mmm … not really. Ethical? Absolutely not. As an advertiser, I expect search engines to connect me with genuinely interested customers. These tactics exploit the system and deliver unqualified leads. 3) Did you get caught? Yep, busted. In 2008, 30k+ advertisers got caught. And then in 2011, over 800k advertisers got caught. It makes you wonder, are there REALLY over 800,000 people globally trying to game Google AdWords? Doubtful. Between me and my friend, we probably had around a hundred accounts, and we were small-timers. I can only imagine the scale of larger operations running thousands, if not hundreds of thousands, of AdWords accounts to rotate their cloaked links on Google. 4) You were in the wrong. Where’s your moral compass? I know, I know. That’s why I’m coming clean! I fully own up to my actions and apologize to anyone I’ve wronged. I was naive and should have done my due diligence. But in my defense, I made zero profit from this scheme. Why? That’s a story for another time. To put it simply, I knew there was a bigger, more lucrative world of CPC-to-CPA arbitrage using similar cloaking techniques. So, instead of taking a cut, I played the “helpful tech guy” to get in on the real deal. Let’s be clear, cloaking and CPC arbitrage are detrimental. They inflate the PPC market, which seems great for search engines, right? Wrong. Clicking on an ad, only to be met with another ad, and then another, erodes trust in the search engine. Eventually, users will abandon ship. Yes, blackhat PPC felt like easy money… but it was just another hustle. If it’s any consolation, this particular blackhat venture yielded me absolutely NOTHING. Not a dime. And my dog never lived the high life:

Conclusion: Will I ever do it again? Never. I believe in God and karma. I could never do to others what I wouldn’t want done to me, my family, friends, or colleagues. What goes around comes around. Since then:

• I’ve been trying to make amends by sharing my knowledge of SEM/PPC, media buying (especially on social platforms), email marketing, lead generation, and direct response marketing on my blog.
• I’ve explored legitimate ventures like my current solar lead generation company. The ethical route might be tougher initially, but it’s far more sustainable. There are no more:

1. Looking over your shoulder
2. Sleepless nights, panicking about Google bans
3. Dead-end businesses with no exit strategy because they lack real value So, there you have it. My confession. And now for Tony’s:

TaeWoo Kim is an entrepreneur, digital marketer, speaker, and blogger. He has over 7 years of experience in software startup, inbound marketing, direct response marketing, PPC/search engine marketing, sales lead generation, conversion rate optimization, email marketing, and social media. You can follow him on Twitter (@TaeWooKim), Google+, and on his blog FreshSuperCool.com.