Virus Writers Target Google's Sponsored Links

An anonymous reader writes "It looks like the bad guys are gaming Google's sponsored links to spread their junk to people who click on the ads with unpatched versions of Internet Explorer. Attackers apparently bought the rights to several high profile search terms, including searches that would return results for the Better Business Bureau, among others. The story notes this was bound to happen, given the way Google structures sponsored links: "The bad guys behind the attack appeared to capitalize on an odd feature of Google's sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.""

What do you expect?

[Grishnakh]

That's what you get for using IE.

Re:What do you expect?

[Nazlfrag]

Nah, you get that just by running Windows.

Re:What do you expect?

Well I use firefox and the text that is shown for a sponsored google link is so long that the actual url often can not be seen..

An example of a sponsored link for the search term "spyware":

http://www.gogle.com.au/pagead/iclk?sa=l&ai=BFGLAu kIwRvC8Bof-gwPH0LzVBYCh2hbQzOfLA-DCtQyQ_EQQAhgFKAg 4AFCnwOf5BmCloJWAmAGYAd2cBqABrKXJ_gPIAQGAAgHZA7qSN w_M6LwQ&num=5&ggladgrp=222741638&gglcreat=85109064 8&adurl=http://www.defeatspyware.org

All that can be seen on the status bar is

"http://www.google.com.au/pagead/iclk?sa=l&ai=BFGL AukIwRvC8Bof-gwPH0LzVBYCh2hbQzOfLA-DCtQyQ_EQQAhgFK Ag4AFCnwOf5BmCloJWAmAGYAd2cBqABrKXJ_gPIAQGAAgHZA7q SNw_M6LwQ&num=5&ggladgrp=222741638&gglcreat=851"

I could be clicking on anything....

Re:What do you expect?

[Arker]

True, but Firefox allows the suppression of information on the mouse hover as well, I just tested it. Opera does the right thing here, why not Firefox?

Re:What do you expect?

[Grishnakh]

My status bar shows the whole URL. You just need a bigger monitor! :)

OOPS

well I guess that wasn't so smart of Google after all.

Who wants to bet that you can't click on a google Ad-Sense link w/o javascript turned on.

Re:OOPS

Well, not being able to click on them isn't really the problem. Adsense ads rely on JS to be displayed in the first place. I'm not sure about the sponsored links, though. I doubt that those rely on any JS to be displayed, or even to be clicked on... just redirects for counting purposes.

In No Way Is This A Virus

[QuantumG]

I really wish people would put even a bit of effort into using the term correctly.

Hell, this isn't even a Worm! It's just exploiting a browser bug to steal passwords.

Yawn.

Don't use Internet Explorer.

Re:In No Way Is This A Virus

[echo_kmem]

Another Yawn is the whole 'Thats what you get for using IE'. The article states the problem lies within Unpatched Versions, not the application itself. Not that I am trying to defend it, just trying to keep the story straight as well. So, Yawn. Keep current on your patches.

Re:In No Way Is This A Virus

[QuantumG]

On the stupidity scale, using unpatched IE is only slightly above using IE at all.

Re:In No Way Is This A Virus

More like: yawn, don't click on stupid ads.

Re:In No Way Is This A Virus

And slightly below coasting along without a care in the world because you've made the 'informed' choice. Obviously nothing bad could ever happen to someone using firefox...

I realize there are different probabilities involved and I'm not accusing you personally of this attitude, but many people act like simply using something else means they don't have to pay attention to malware laden sites. While this may not be a problem in and of itself I've noticed this attitude being passed along with the software. Ive met grandmother types (no offense grams. ::}) who never even think about phishing attacks or anything else on the net because their grandson johnny assured them that none of that bad stuff happens if you switch away from IE.

Re:In No Way Is This A Virus

Firefox had a bug where a site could retrieve ALL of your passwords stored by Firefox. I don't remember IE ever had SUCH a nasty compromise. So much for the "browse more secure"... I stopped using Firefox the day I read about the issue. It indicates sloppy design. I'm using IE again.

Re:In No Way Is This A Virus

[aybiss]

Should I use unpatched Mozarella, which runs anything from anyone on a page request? I use IE7 with the nagging security hardening turned on, and while I'm sure there's an option or add-on for Firefox that does the same, I doubt *average* users of it or other major browsers have any idea what they are getting into when they surf the net.

Just my 2c as someone who spends all day unp0wning computers that only use Firefox just as often (per capita) as I do those running unpatched IE6 or worse.

Re:In No Way Is This A Virus

[ThePengwin]

Also dont use sponsored links

think about this, someone has gone and paid to get their site to the top, not by making it a site thats relevant to the search, or is popular. Is it really worth looking at?

I always skip the sponsored links, its another name for an ad

Re:In No Way Is This A Virus

[daviddennis]

Actually, it depends. If you're looking to buy something, the sponsored links can be the most useful ones.

If you're looking for information, they rarely are.

If enough people didn't click on sponsored links, Google would go bust and I don't think anyone wants that. So my practice is to click on the sponsored links if they are appropriate to what I'm trying to do.

D

Screen?

[HomelessInLaJolla]

How are the google ad links created? Is there someone circulating a suite of templates or do companies which buy the ads simply provide a URL with which to link to?

What's the procedure for selecting which particular ad a user will see? I imagine it's a little more complex than a completely random selection from one massive repository.

Isn't there a way for Google to virus scan the ads before they're added to the potential pool and, if so, shouldn't there be a way for punishing advertisers who swap out a clean ad with a virus/malware laden one at a later date? Or is this a case of some malicious organizations actually hacking Google code?

There's a datestamp on nearly everything and I'm sure someone has network activity records someplace.

Re:Screen?

[CannonballHead]

How are the google ad links created? Is there someone circulating a suite of templates or do companies which buy the ads simply provide a URL with which to link to?

In my experience with AdWords, there are four lines of text to fill, and one URL. The first one is the "title" and is linked to a url you provide. The next two lines are just text. The last line is supposed to be part of the url, or something related to it in some way... but you can have "hello.org" displayed but actually link to "hello.org/visitorfromadwords.html"

There isn't really a "template."

Re:Screen?

Not even common templates, maybe not distributed by Google itself, but common to the advertising agencies for web advertisements?

I'm thinking of Powerpoint templates.

Re:Screen?

I don't think you understand how it works. You just provide text to Google. There are 5 parts to the google ad:

Title
Ad line 1
Ad line 2
Display URL
Destination URL

None of these allow you to place code within the ad itself. What is happening is that the 'advertiser' is directing the user to a page (the Destination URL) that doesn't match what is advertised/displayed. This 'landing page' has the exploit code that tries to install. Once done trying to exploit you, it then redirects to the actual website (For example, to the BBB site) so you don't know that it was a 'bad' site.

Re:Screen?

[Cap'n.Brownbeard]

You're missing the point... it's just a link to another site that someone has paid to have appear in google's search results for certain terms. Google simply needs a more robust system of checking the validity of ad links.

Re:Screen?

[lintux]

> Isn't there a way for Google to virus scan the ads before they're added to the potential pool and, if so, shouldn't there be a way for punishing advertisers who swap out a clean ad with a virus/malware laden one at a later date?

Definitely. But the problem here is that the malicious person can change the contents of the website any time he/she wants. When placing the ad, put something normal there. Once the ad is live, put your malware there. After a few hours the ad will probably be dead ... but I'm afraid there are ways around that too.

Pay for click....for a virus?

So people are paying to infect systems with a virus. How will the cost be recouped? Spam?

Re:Pay for click....for a virus?

[aichpvee]

That or selling access to the zombie botnet.

Re:Pay for click....for a virus?

I'm surprised most people here are commenting, yet they haven't read the original source of the story to understand what they're commenting on. This was not a virus they discovered. They're cyber criminals, out to make a buck, who opened their own Adwords account and ran ads that displayed links to trusted sites. The only problem was that you were first linked to an exploit server, which attempted to force download a keylogger onto your system. So you asked how the cost will be recouped, ie how can the bad guys profit from this? By stealing your bank account info and your money, among other things. InfoWorld has the most thorough coverage on this: http://weblog.infoworld.com/zeroday/archives/2007/ 04/google_adwords.html

Who bought the ads?

[AlHunt]

Wouldn't it be easy for Google to track the virus writers by who paid for the search terms?

Re:Who bought the ads?

[Strange+Ranger]

Well...

1st - it's not a virus, it's a browser exploit.

2nd - what's the point of tracking somebody down in Nigeria or Kazakhstan?

and more importantly

3rd - One would expect Google to police their sponsored links a tad bit better than slashdot polices their article submissions.
At least have a prominent easy-to-use Bad Guy reporting tool. The first thing that comes to mind - a little link like the cached link under each sponsored add might do the trick.

Re:Who bought the ads?

[jfengel]

In all likelihood they're being paid for with stolen credit cards. You'd do just as well to track down whoever is hosting the site, but then, the site is likely hacked and/or paid for with a stolen credit card.

I'd love to believe that the FBI is out there tracking down anybody dumb enough to pay for these with their own money, or at least tying this crime to somebody whom they catch in possession of the stolen credit cards. I'm also pretty sure that the reason my boss wants to talk to me privately in his office is to give me a pony.

Re:Who bought the ads?

"1st - it's not a virus, it's a browser exploit."

1.1 It is a Microsoft browser exploit.

Let's not user generic terms here.

Re:Who bought the ads?

"3. One would expect Google to police their sponsored links a tad bit better than slashdot polices their article submissions. At least have a prominent easy-to-use Bad Guy reporting tool. The first thing that comes to mind - a little link like the cached link under each sponsored add might do the trick."

I noticed the other day that one of my search results included a note about a particular link being potentially "unsafe" -- presumably because there were signs that the content at the other end contained exploit code of some kind, or some malware. It said "Warning -- the site you are about to visit may harm your computer!"

Obviously they need to do the same thing for their advertisers!

Re:Who bought the ads?

[Paradise+Pete]

3rd - One would expect Google to police their sponsored links a tad bit better than slashdot polices their article submissions.

The whole thing is automated. If a human had to review every ad, clicks would cost a hell of a lot more than the buck or two they do now. Also right now I can change my ads anytime of the day or night and have them immediately go into effect, instead of waiting for human approval.

Re:Who bought the ads?

Wouldn't it be easy for Google to track the virus writers by who paid for the search terms?

I am sure they used their own credit cards. By the way; FTA:

They are aiming to get their malicious software installed on computers whose users click onto ad links after searching for legitimate sites such as BBBonline.org, the official Web site of the Better Business Bureau.

The intermediate site attempted to exploit a vulnerability in Microsoft Windows to silently install software designed to steal passwords and other sensitive information from infected PCs. The attackers exploited a flaw in Microsoft's Internet Explorer Web browser, a problem that the company issued a patch to fix last June.

I believe that this would include theft of credit card information.

Re:Who bought the ads?

Like I said above.. if you can't do an ad for kiddie pron....

There are other ways to police than for humans to scan every link.

Re:Who bought the ads?

[Paradise+Pete]

There are other ways to police than for humans to scan every link.

They can scan for words. It's pretty tough to scan for a malicious active-x control. And I'm sure you could put up an ad that lead to kiddie porn and have it work for a while.

Re:Who bought the ads?

[mike2R]

This appears to be being done through hacked adwords accounts.

copy link location, paste into text editor

[fyoder]

right click on ad, copy link location, paste into a text editor

http://pagead2.googlesyndication.com/pagead/iclk?s a=l&ai=BW4xM7-YvRqmJJaLImQTP6dXxApyVrB3A-Je9AsCNtw Gw4y0QAhgCILv-mQYoAjAAOABQ7aSR7P7_____AWD9mPuAzAOY AdO60RCyASJvZmludGVyZXN0LmJpbmFyeS1lbnZpcm9ubWVudH MuY29tugEJNDY4eDYwX2FzyAEB2gEqaHR0cDovL29maW50ZXJl c3QuYmluYXJ5LWVudmlyb25tZW50cy5jb20vqQKZ6jUcO-etPs gCnM3vAagDAcgDBw&num=2&ggladgrp=326118280&gglcreat =574052020&adurl=http://www.apple.com/ca/getamac/a ds/index.html%3Fcid%3DWWW-AMCA-GETAMACK060307-GROB 1&client=ca-pub-0841007318749811&nm=4

look for: adurl=http://whatever

Handy for finding ad urls when you don't want to click on them because they're on your own site because clicking on your own ads is against google's terms. Bit of a pain, but the information is in there if you want to dig it out.

Re:copy link location, paste into text editor

I smell a browser extension.

Re:copy link location, paste into text editor

Maybe you shouldn't post a URL with a ton of encoded material. As far as we can tell it could contain your name, your credit-card number, your SSN, your mother maiden name, and say that you've looked at animal porn yesterday.

Re:copy link location, paste into text editor

[Strange+Ranger]

Holy jumping Jesus on a pogo stick!
No offense but if right clicking and copying and pasting a link location is +5 informative, then this must be a phishing site. Where did the real slashdot go?

Re:copy link location, paste into text editor

[UNFAIRMAN]

Firefox users (at least in Windows) can use Greasemonkey with this script
http://userscripts.org/scripts/show/8346
along with McAfee's SiteAdvisor to see a red/yellow/green icon next to all Google ad links.
Its not the best Greasemonkey script, but it gets the job done.

Re:copy link location, paste into text editor

[cultrhetor]

I smell a browser extension Sorry. My fox farted.

Re:copy link location, paste into text editor

[hazem]

You must be thinking of this one:

CustomizeGoogle https://addons.mozilla.org/en-US/firefox/addon/743

Re:copy link location, paste into text editor

[dotgain]

As far as we can tell it could contain your name, your credit-card number, your SSN, your mother maiden name, and say that you've looked at animal porn yesterday.

Ahem:
c3QuYmluYXJ5LWVudmlyb25tZW50cy5jb20vqQKZ6jUcO
Come on, any fool can tell he's into watersports.

Re:copy link location, paste into text editor

[vuffi_raa]

there's no way that anyone could know that I was looking @ animal porn or when http://www.beastialityrulez.com/cgi-bin/animalporn ?time=04242007_0500

Re:copy link location, paste into text editor

>>I smell a browser extension
>
>Sorry. My fox farted.

Do it again!

(lights match)

Fire! Get it? Fire. Fox.

I'll be here all week. After all, I live in my parents' basement.

Re:copy link location, paste into text editor

[Andrewkov]

You should change your password, your account may already be compromised!

NoScript helps

[bill_mcgonigle]

Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.

Google is doing something bad here - disabling a browser security feature with JavaScript (why? - that was fashionable a decade ago...). Firefox users can install NoScript to prevent this kind of chicanery. I'm surprised Firefox doesn't have a preference to disable allowing JavaScript to do this in the first place.

(yes, that was a taunt for somebody to post the little-known about:config preference to disable this mis-feature)

Re:NoScript helps

[Qzukk]

(yes, that was a taunt for somebody to post the little-known about:config preference to disable this mis-feature)

In SeaMonkey, it's:

dom.disable_window_open_feature.status true keeps new windows from being opened without the status bar
dom.disable_window_status_change true keeps the current window statusbar from being changed.

The latter is available under prefs - advaned - scripts and plugins.

Re:NoScript helps

[Strange+Ranger]

I'm surprised Firefox doesn't have a preference to disable allowing JavaScript to do this in the first place.

It does:

Tools|Options| Click the Advanced button that is next to the checked box to enable JavaScript| Uncheck the box to Allow JavaScript to Change status bar text.

Re:NoScript helps

[HomelessInLaJolla]

Why would Google block the most obvious auditing tool for users to at least have some idea of where a click is taking them?

Why would Gmail make no effort to identify where a sent e-mail is received from (no X-Originating-IP or HTTP received from)?

Why would Google (probably) put a whole bunch of referential material, potentially at odds with common personal privacy policies, in web ad links?

Inquiring minds...

Re:NoScript helps

[bill_mcgonigle]

It does:

Tools|Options| Click the Advanced button that is next to the checked box to enable JavaScript| Uncheck the box to Allow JavaScript to Change status bar text.

Very interesting - on mine it's under Preferences, Content, Javascript, Advanced, but disallowing it there doesn't stop Google. Perhaps my NoScript permit rule is preempting Firefox's.

Re:NoScript helps

Status is left blank because the URL is roughly 500 chars long when all of the tracking information for the ad is taken into account... it looks like junk just filled the bottom of the screen. And having javascript replace Google's redirection URL with the URL that's being redirected to is pointless as well because most companies use their own tracking URLs that are equally cryptic and scary to the average person. I'm sure there are other reasons as well.

Re:NoScript helps

[damium]

It doesn't help to deny changing the status bar text. The way google manages this is by rewriting the link on a mousedown event. So, it starts out going to the proper place, but when you click or right-click it is re-written to go to the redirect link. Ad links are a bit different in that the container of the ad prevents the status bar from changing by overwriting the normal mouseover event.

Check out any search link on Google. Mouse over. See the text? Now right click on the link. See the new redirection status text (in firefox only, IE will still show the normal link)? This can be done with any link using the proper javascript.

It is actually quite clever scripting. One advantage is that without javascript you still get the proper search results.

Re:NoScript helps

[Kalriath]

Internet Explorer has a similar one:

Tools > Internet Options > Security > Custom Level > (Scroll down to) Scripting > Allow status bar updates via script.

(Im out of breath after quoting THAT maze)

Re:NoScript helps

google does a lot of ... things like that. Gmail uses javscript links (disabling my precious "open link in new tab"). I tried using google base a couple days ago and was frustrated to find the use onclick events. Instead of opening an interesting link in a new tab, I have to go there, then brose back (which ruins the previous search).

Re:NoScript helps

[larry+bagina]

That's wrong. When you click (or left click) on a google adword link, the url appears in firefox's status bar temporarily. If you hover over an adword in gmail, you can see the url. (Evidently they forgot to hide it in gmail). Google is intentionally hiding the link with an onmouseover event.

Re:NoScript helps

[Andrewkov]

I don't click on links when I don't know where they go. Slashdot and goatse.cx cured me of that many years ago.

Who cares?

[Rix]

Internet Explorer has always been insecure. Anyone who uses it accepts that their system is essential public property.

Re:Who cares?

basically this applies to firefox, nutscrape and all other browsers equally. This time they picked ie (cause suprise suprise it is the bigger target). But what they used are patched vulnerabilities and relied on people not updating. Do you really think this problem does not exist for other browsers. Perhaps you should have a look at some web server logs, not patching browsers is a problem for all versions. Hell I still see firefox pre 1.0 betas being used when accessing some of my web servers. using a non IE browser here offers ZERO additional protection.

Opera helps

[Rui+del-Negro]

The links appear just fine in Opera, with no need for plug-ins or to disable JavaScript.

Re:Opera helps

[cultrhetor]

That's how we Opera users roll (after we get used to the awkward interface).

Re:Opera helps

[Rui+del-Negro]

I don't find the interface awkward at all. That might be because I've been using it since version 4 but what I see is the other browsers copying Opera's interface and features, not the other way around.

Re:Opera helps

Doesn't look offtopic to me. In fact, I suspect this is yet another Opera feature that will be copied by Firefox (and eventually by MSIE) in the future. I guess the FF fanbois just troll Slashdot looking for posts that point out other products' superiority, and try to mod them down...

Why?

[Rix]

One would expect Google to police their sponsored links a tad bit better than slashdot polices their article submissions.
At least have a prominent easy-to-use Bad Guy reporting tool. The first thing that comes to mind - a little link like the cached link under each sponsored add might do the trick. Why would google need to police their sponsored links? The worst that could be done to an unwilling mark is to pop up goatse, but that wouldn't make them much money.

If you choose to use a known insecure browser, the results are entirely your responsibility. You may as well be chastising the highway patrol for not checking everyone's break lines.

Re:Why?

Nope. Money management companies have to check various long lists for every new client to make sure they're not taking money from known crooks.

If google is going to make money from it, they should also be doing it responsibly. I bet you can't get a sponsored link to child porn.

The worst that could be done to an unwilling mark is to pop up goatse
Did you even read the intro at the top? Or did you somehow skip straight to this comment?

If you choose to use a known insecure browser, the results are entirely your responsibility.
^Typical slashdot mouthbreather bullsh*t. As in, tell that to your aunt, and grandpa, and 14 year old kid next door.

Re:Why?

[Supergibbs]

If google is going to make money from it, they should also be doing it responsibly. I bet you can't get a sponsored link to child porn. The official policy is no porn at all...and a few other things are not allowed either. It looks as if they have an ethical stance, they just need to enforce it.

Better Business Bureau

[b.b.rodriguez]

Why did the 'virus' writers target these keywords??
FTA:

"BBB," "BBBonline" or "Cars.com"

They could have surely got better returns for the obvious p0rn keywords?

Re:Better Business Bureau

[martinX]

Perhaps pr0n seekers, as a group, are more net savvy these days precisely because so much has been targeted at them. The new set of n00bs are the ones looking for the Better Business Bureau etc. Just a guess.

Re:Better Business Bureau

[Jude+T.+Obscure]

I thought it was a clever way of exploiting the fact that people may well trust adverts "selected by Google" as suitable accompaniment to the Better Business Bureau. It's strange the associations some people make (including me, obviously).

I've always wondered

[CrazyJim1]

How long until someone makes an ad that buffer overflows IE. There are probably many out there, but it could be an actual internet attack if it also used Google's ad service.

Re:I've always wondered

I don't remember where but there are already plenty of examples of advertisements which have made use of exploits. One was on the IRSSI page several years ago when the home page used banner ads. I don't remember how bad it was or what the author did when he found out about it other than notifying the users and deleting the offending ad.

Well sorry to say

[Ilgaz]

Google had this coming for a long time. I know it will make some people mad but that "thing" they call Adwords must immediately change. They pay users like Amazon for filtering or do some advanced Ajax tricks, it is their choice.

I am actually seeing spyware/grayware vendors advertising on Adwords and I am using Safari OSX, I am not at their target audience even. I can't imagine stuff actual target audience (IE users) get. These are the very same people who claims random rivals products "badware" just because poor thing tried to check for updates.

They recently banned site of Jim Mitchell, a well known/popular OS X support engineer/developers page claiming he is playing some games with their advertising platform, polite way of saying guy is thief. It turns out, there are spammers featuring copies of popular blogs making money from them.

http://jimmitchell.org/2007/03/08/is-google-adsens e-really-fair/

I go nuts when my frequently used tiny usenet group is spammed by spammers using Google groups with Google Mail (verified,real) address, when I head to pirate site to report them, I notice their one and only income is? Google Ads!

So now actual Virus linked? Not big deal at all. Hope it would make them THINK and learn from a company thinking they can do anything and it won't harm them in 1990s.

One last thing, if you are on a secure platform, go check http://zlashdot.org/ , yes "Typosquatting", lowest form of online mafia. See the search bar on top? See the advertising provider? End of discussion :)

It's not the browser, it's at Google's end.

[Animats]

It's worse than that. The URL Google displays for the link is, of course, not the actual link; the actual link goes to Google so they can log the click-through. But the link to Google may in fact cause redirection to a completely different third-party domain, usually some ad broker who is doing arbitrage on the click-through.

Here's an example, obtained by searching Google for "mortgage rates". This is a direct Google result from Google's home page.

<font size=+0>
<a id=an4 href=/url?sa=L&ai=BMHn-CuwvRs7QLpOYgQO0vMmWBoO9jRX zgpWxAvvb3gfg3X0QBBgHKAg4AFDj9Mzv_v____8BYMn2-IbIo 6AZyAEByAL77xXZAw3PC8TgQncC&num=7&ggladgrp=2585635 35&gglcreat=543052995&q=http://pixel-user-1042.eve resttech.net/1042/rq/3/543052995_mortgage%2520rate s_s/url%3Dhttp%253A//www.lendingtree.com/stm3/offe rs/marketpromov34.asp%253Fpromo%253D00224%2526loan _type%253D1%2526esourceid%253D835910%2526source%25 3D835910%2526EF%253D1%2526partner%253DGoogle%25268 00num%253D800-460-8109%2526adtype%253D1&usg=AFrqEz f58V3yFBM0ywyFkKryLzAMqmIWRQ><b>Mortgage</b> Rate Offers</a>
</font><br>
$400,000 for Only $1,334/Month!<br>
Refinance Now, Offers in Minutes.<br>
<span class=a>www.LendingTree.com</span><br>
<br>

Note that field coded into the URL on the A tag: q="http://pixel-user-1042.everesttech.net". That's where Google is going to send you. Not to Lending Tree, but to EverestTech.net. Who's "Everesttech.net? An ad broker, or as they put it, "the leader in Search Engine Marketing".

This creates a new attack vector. The Google ad often shows the name of some well-known business, but actually takes you to some place you never heard of. That gives the third party an opportunity to try browser-based attacks.

This isn't just theoretical; it's in the wild. See this article on Webmaster World: " I just had my AdWords account hacked and it seems campaigns were setup with redirects pointing to places like orbitz.com and business.com that try to install some activex remote desktop program."

It's not clear how to deal with this. The example above is from Google's main site, not "adwords.google.com".

Re:It's not the browser, it's at Google's end.

[Animats]

There's more. Definitely read the blog section at Webmaster World linked above, which is being updated rapidly. Apparently it really is a virus. "It spreads by installing the activex on the computer that clicks the ad and looking to see if the infected host uses adwords, then does the same to their account." The pay per click people are panicking, because they're billed by Google for the ads. "The daily budget was increased to a number that would have produced a 7 figure Monthly payout." The details of exactly how this all works are still sketchy, though. Here's an early technical analysis.

It just hit the mainstream press, in the Washington Post

Re:It's not the browser, it's at Google's end.

[cottagetrees]

No, what the Washington Post was reporting wasn't a virus. It was an exploit that attempted to install a driveby downloaded keylogger. What you're seeing at Webmaster World is interesting, but probably unrelated.

Re:It's not the browser, it's at Google's end.

[mike2R]

It is related in the sense that it is presumably the hacked Adwords accounts that are being used to serve the ads to malware sites.

Re:It's not the browser, it's at Google's end.

In this case, the Google Adwords accounts weren't hacked. The bad guys opened their own Adwords Accounts and ran ads that leveraged the trust and goodwill of other brands. Their ads looked like they were from Allbusiness.com or the BBB, but they weren't.

Re:It's not the browser, it's at Google's end.

I'm one of the founders of Efficient Frontier (formerly known as Everest Tech). Our customers come to us to manage their advertising spend on Google, Yahoo etc. We are indeed the leaders in search engine marketing. We are not an arbitrageur making money on the click through. Nor as the poster above has speculated are we some third party hijacking clicks that purport to be sending you to lendingtree. When you click on the ad, you actually end up on lendingtree. You don't end up on our website or anybody else's website. When the ad says lendingtree, you will in fact land on lendingtree's website. It's not just our ethics that demand this, it is Google's policy.

Thanks for your time.

Anand Ranganathan
Founder, Efficient Frontier

Adwords accounts are being hijacked as well

[jtara]

Approximately concurrently with this, some Adwords advertisers have discovered that their accounts have been hijacked using a similar technique. Ads that they did not write were added.

Oddly, in at least one case the hijacker added their OWN credit card information to the account to pay for the ads! (Perhaps to try to avoid detection when the advertiser's credit card bill arrives.)

There are some first-person accounts by advertisers at WebmasterWorld:

http://www.webmasterworld.com/google_adwords/33200 21.htm#msg3321934

Re:Adwords accounts are being hijacked as well

How many times are you going to keep reposting this same comment?

Re:Adwords accounts are being hijacked as well

[jtara]

Well, *I* only posted it once. I do see now that somebody else already posted about it, but in a comment that was primarily about URL display. Sorry, I hadn't noticed the previous comment at the time that I posted.

But I think the fact that advertiser accounts are being hacked as part of this attack is important enough to merit it's own comment thread, in any case.

Wha?

Google had this coming for a long time.

You're saying that it's Google's fault that IE has security issues? What color is the sky in your world?

Great...

[OriginalSpaceMan]

Now Google is going to jack up their search price to compensate for all the people that won't click on their ads... what are we thinking here... $2 per search? Maybe they'll do a bargain deal. $10/day of unlimited searching?

Unpatched IE Installations...

Because people that are running unpatched IE installations are totally checking the status bar every time they click a link to see if it's legit.

Thats a great idea

[patio11]

They should send a SWAT team to bust down the door of a guy who steals identities for a living. No POSSIBLE downside there.

done

[Fred+Ferrigno]

It's called Redirect Remover.

Re:Lets talk about Firefox fucktards...

[Grishnakh]

Link, please? I'd be interested in reading about these exploits.

Washington Post didn't get it quite right

[cottagetrees]

The story isn't about viruses. It's about exploits. See the blog post from the security researcher at Exploit Prevention Labs who discovered this: http://explabs.blogspot.com/2007/04/google-sponsor ed-links-not-safe.html The technology is out there for Google to prevent this.

ARTICLE TEXT

Virus Writers Taint Google Ad Links

Virus writers have been gaming Google's "sponsored links" -- the paid ads shown alongside search engine results. They are aiming to get their malicious software installed on computers whose users click onto ad links after searching for legitimate sites such as BBBonline.org, the official Web site of the Better Business Bureau.

Sponsored links allow customers to buy advertisements attached to a particular search term. When a Google user enters a term into the firm's search engine, the ad belonging to the advertiser that bid the highest price for that search term appears at the top of the list of search results.

According to a report at Exploit Prevention Labs, while the top sponsored links that showed up earlier this week when users searched for "BBB," "BBBonline" or "Cars.com" appeared to direct visitors to those sites, they initially would route people who clicked on the ads through an intermediate site. The intermediate site attempted to exploit a vulnerability in Microsoft Windows to silently install software designed to steal passwords and other sensitive information from infected PCs. The attackers exploited a flaw in Microsoft's Internet Explorer Web browser, a problem that the company issued a patch to fix last June.

As Exploit Labs's Roger Thompson notes in his blog, the bad guys behind the attack appeared to capitalize on an odd feature of Google's sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.

According to Thompson, Google has taken down the offending sponsored links. In fact, searching for "betterbusinessbureau" in Google no longer turns up any sponsored links at the moment.

This certainly is not the first time virus writers have used ads to spawn their wares. Last summer, Security Fix discovered that more than a million Windows users had been infected with spyware thanks to a malicious banner advertisement shown for several days on high-traffic sites like MySpace.com and Webshots.com.

And again, another good reason

[pair-a-noyd]

to boycott and block google, doublecrook and any related sites.
Smoothwall + adzapper = happy days!

I disallow anything related to google on my lan.
No machine on my lan can access anything that google owns, operates, controls, manipulates, etc..

Google = EVIL..

yes, but....

Linux here, and using a moz browser, seamonkey. You still get the "nosee'um" effect with the adsense links. JS "blackhole, are ya feelin lucky?" nonsense. They should ALWAYS show up with a hover, any OS, any browser. That they don't is a security issue, fullstop.

slashdot's comments do it too

[philo_enyce]

ever notice that the new slashdot site now does the same thing to urls listed in the comments sections? what's the justification? i can't think of a single reason why they shouldn't show the link when you hover.

philo

How to filter Google AdWords

[Animats]

Browser toolbars like AdBlock and other security tools probably now need to filter AdWords. Something like this would work:

• When a link to a Google AdWords site is found in an HTML "a" tag, extract the "q" and "adurl" fields from the URL. Extract the base domain (i.e. www.example.com => example.com) from whichever of those fields is present.
• Extract the text within the A tag. Strip blanks and convert to lower case. Extract the base domain from that.
• If they don't match, the ad doesn't go where it says it does. Make it un-clickable.

Do all this at the DOM level, so any Javascript that creates ad entries is evaluated before filtering.

With this, legitimate AdWords will work, but ones that redirect through other questionable sites won't. This may interfere with some brokered ads, but from an consumer perspective, you probably didn't want to go there anyway.

Re:How to filter Google AdWords

[jtara]

With this, legitimate AdWords will work, but ones that redirect through other questionable sites won't

Won't work. Almost ALL Adwords ads redirect through some tracking service. In some cases, an ad may redirect through SEVERAL tracking sites.

I'm sure Google would love it, though, it advertisers were forced to use THEIR tracking service...

Google does insure that the final destination page (which Google calls a "landing page") matches the domain name displayed in the "short URL" in the ad. (The ad doesn't have to display the full destination URL. The "display URL" typically is the merchant's home page or a section header page.) In my experience, though, they are somewhat lax on this, and new ads may run several days until Google catches a mismatch.

Google does some degree of exploit checking on landing pages. Dunno if they do this on intermediate tracking URLs. Google doesn't permit intermediate tracking URLs to display any content, and perhaps they thought that this made them safe.

Re:How to filter Google AdWords

[Animats]

That's going to be a problem. Now that there's an attack which works through redirects, the ad-tracking industry may have to stop using them, or Google may have to limit them to "trusted third parties". (DoubleClick?) Probably wouldn't bother Google if they had to enforce that rule for security reasons.

Right now, Google seems to claim that the destination URL and landing URL should be the same, so AdWords users can't really complain if they start enforcing that rule.

It's useful to examine those redirects. On searches for very general terms like "mortgage", almost all the links go through some pay-per-click service. But search for, say, "servomotor", and the landing pages are the real site. The ones that redirect through some pay-per-click service are generally less useful; they're basically spam. You don't want to go there anyway. Filtering out those would be no great loss from a consumer perspective.

Doesn't this make the virus writers pay?

[tlhIngan]

Maybe I'm missing something here, but it seems that if these virus/worm/malware writers are buying Google Ads, then they're paying for the links.

Shouldn't it be possible then to do these searches, find out which ones lead to the virus, and just click from a safe browser? Surely it's possible to cost these people tons of money (to pay Google), and no returns (because no one gets infected)? Or at the very least, we'll end up hitting their click limit and their ads don't show anymore.

If it happens to be a hacked Google account, well, then maybe the owners will secure their site better (a third party hacked site distributing malware is just as bad)? At least it will get them off the rotation earlier so maybe they'd get a clue why their account needs money but there's no follow-through.

Firefox + NoScript

[Mathinker]

> Who wants to bet that you can't click on a google Ad-Sense link w/o javascript turned on.

Well, yes, you won't see the link without Javascript enabled for the website displaying the ads. But if you use Firefox + NoScript, you can have Javascript enabled only for that website, so you can click on the link (relatively) safely.

I do it all the time when I see an interesting ad from trusted websites, in order to generate a little income for them. I'd say >95% of the pages I arrive at don't work properly since Javascript and Flash aren't enabled for them when I arrive there, and I never enable Javascript or Flash for them just to see advertising.

Re:Firefox + NoScript

[Mathinker]

> you can have Javascript enabled only for that website

Ouch, I meant enabled for the Google Ad-Sense site (or maybe both). Anyway, if you read it, you probably understood...

Whole new meaning

[Myria]

I guess this gives a whole new meaning to "I'm Feeling Lucky".

Er...

[aiken_d]

So people who are newbiesque enough to run old versions of IE are likely to look at the status bar and mentally parse the URL before clicking on a link?

-b

And...

[PaulBu]

... can I get some of the search terms you were typing in? ;-)

Paul B.

errr? News from 1997?

[Tom]

And here I was thinking that the fact that a tiny bit of javascript can put anything you want into the status bar when you hover over a link were common knowledge, and has been for at least 10 years.

No extension needed

[Arker]

I tried to make this click and drag but slashdot won't allow it. Anyway, make a new button on your bookmarks bar and set the "location" field to the following:

javascript:(function(){var k,x,t,i,j,p; for(k=0;x=document.links[k];k++){t=x.href.replace( /[%]3A/ig,':').replace(/[%]2f/ig,'/');i=t.lastInde xOf('http');if(i>0){ t=t.substring(i); j=t.indexOf('&'); if(j>0)t=t.substring(0,j); p=/https?\:\/\/[^\s]*[^.,;'%22>\s\)\]]/.exec(unesc ape(t)); if(p) x.href=p[0]; } else if (x.onmouseover&&x.onmouseout){x.onmouseover(); if (window.status && window.status.indexOf('://')!=-1)x.href=window.sta tus; x.onmouseout(); } x.onmouseover=null; x.onmouseout=null; }})();

Works great. Firefox still doesn't show the location of sponsored ads on mouseover though, with redirects removed or not. What I'd like to see is a patch for that.

Firefox is so great...

So yeah in 2006 IE had 38 new bugs and firefox had 47 new bugs.

they're also targeting more popular brands

[VaXXi]

Try a search for "Skype" on Google. You'll get a sponsored link with the following text:

Skype Official Site www.skype.com Download Latest Software Free Now! Free Unlimited Calls Today.

Safari on Mac OS X doesn't obey Google's javascript trick, and the full link is shown in the status bar (you need to make Safari display the status bar by choosing View / Show status bar). You'll get this link:

http://www.google.com/url?sa=L&ai=BM0_5JpAwRvmgK5n 4nAOQ7NSEBpyS8B3k6Y77BqrdzTuQTggAEAEYASC5VDgBUIfPl u0HYIMFmAHPlwOqAQJlbsgBAcgCyJPxAdkDi2-sFlTdzu4&q=h ttp://www.tkqlhce.com/fc81tenkem13635578132644864% 3Fsid&usg=AFrqEzemKMPDCiKePQKhd-4pdmR_VmzZOQ

Notice the deceiving site, specifically the "tkqlhce" in the addres bar. Pretty tricky to detect. Black ball for Google on this.

Zero tolerance for hackers

[xclaim]

How can we continue to 'accept' hackers without focusing on what we really want - a hacked-free internet.

It seems to me that when someone, or some group of someones, makes it their 'business' to do something illicit regarding tampering with software systems we would express outrage and make every attempt to find - and punish - this someone (or group). Period!

Rather than say "oh well" and "that's someone else's problem", why not insist on hacked-free systems?

A Suggestion: Developers could place a signature code, including a bit-digitalized indicator of their untampered-with software, in every program they sell. Altering this signature would indicate fraud, a hack, and render the product untrustworthy. I don't know what the answer is, but I know what the attitude should be - zero tolerance for hackers!

Re:Zero tolerance for hackers

Moron

About time

[RalphTheWonderLlama]

I always hated that they didn't show the link on hover. That's just not nice. Another thing I hate is that for some Google ads, a huge amount of whitespace around it is also the ad link. I click on them sometimes when I'm trying to click empty space. That's just more deception there. If they want to be the nice guy company they supposedly are they shouldn't deceive users like that. Maybe this will convince them to change a bit.