Slashdot Mirror


Virus Writers Target Google's Sponsored Links

An anonymous reader writes "It looks like the bad guys are gaming Google's sponsored links to spread their junk to people who click on the ads with unpatched versions of Internet Explorer. Attackers apparently bought the rights to several high profile search terms, including searches that would return results for the Better Business Bureau, among others. The story notes this was bound to happen, given the way Google structures sponsored links: "The bad guys behind the attack appeared to capitalize on an odd feature of Google's sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.""

12 of 115 comments

  1. In No Way Is This A Virus by QuantumG · · Score: 5, Informative

    I really wish people would put even a bit of effort into using the term correctly.

    Hell, this isn't even a Worm! It's just exploiting a browser bug to steal passwords.

    Yawn.

    Don't use Internet Explorer.

    --
    How we know is more important than what we know.
  2. copy link location, paste into text editor by fyoder · · Score: 5, Informative

    right click on ad, copy link location, paste into a text editor

    http://pagead2.googlesyndication.com/pagead/iclk?s a=l&ai=BW4xM7-YvRqmJJaLImQTP6dXxApyVrB3A-Je9AsCNtw Gw4y0QAhgCILv-mQYoAjAAOABQ7aSR7P7_____AWD9mPuAzAOY AdO60RCyASJvZmludGVyZXN0LmJpbmFyeS1lbnZpcm9ubWVudH MuY29tugEJNDY4eDYwX2FzyAEB2gEqaHR0cDovL29maW50ZXJl c3QuYmluYXJ5LWVudmlyb25tZW50cy5jb20vqQKZ6jUcO-etPs gCnM3vAagDAcgDBw&num=2&ggladgrp=326118280&gglcreat =574052020&adurl=http://www.apple.com/ca/getamac/a ds/index.html%3Fcid%3DWWW-AMCA-GETAMACK060307-GROB 1&client=ca-pub-0841007318749811&nm=4

    look for: adurl=http://whatever

    Handy for finding ad URLs when you don't want to click on them because they're on your own site, because clicking on your own ads is against Google's terms. Bit of a pain, but the information is in there if you want to dig it out.
    --
    Loose lips lose spit.
  3. Re:Screen? by CannonballHead · · Score: 3, Informative

    How are the google ad links created? Is there someone circulating a suite of templates or do companies which buy the ads simply provide a URL with which to link to?

    In my experience with AdWords, there are four lines of text to fill, and one URL. The first one is the "title" and is linked to a url you provide. The next two lines are just text. The last line is supposed to be part of the url, or something related to it in some way... but you can have "hello.org" displayed but actually link to "hello.org/visitorfromadwords.html"

    There isn't really a "template."

  4. Re:OOPS by Anonymous Coward · · Score: 2, Informative

    Well, not being able to click on them isn't really the problem. Adsense ads rely on JS to be displayed in the first place. I'm not sure about the sponsored links, though. I doubt that those rely on any JS to be displayed, or even to be clicked on... just redirects for counting purposes.

  5. Re:NoScript helps by Qzukk · · Score: 2, Informative

    (yes, that was a taunt for somebody to post the little-known about:config preference to disable this mis-feature)

    In SeaMonkey, it's:

    dom.disable_window_open_feature.status true keeps new windows from being opened without the status bar
    dom.disable_window_status_change true keeps the current window statusbar from being changed.

    The latter is available under prefs - advanced - scripts and plugins.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  6. Re:NoScript helps by Strange+Ranger · · Score: 2, Informative

    I'm surprised Firefox doesn't have a preference to disable allowing JavaScript to do this in the first place.

    It does:

    Tools|Options| Click the Advanced button that is next to the checked box to enable JavaScript| Uncheck the box to Allow JavaScript to Change status bar text.

    --

    Operator, give me the number for 911!
  7. It's not the browser, it's at Google's end. by Animats · · Score: 4, Informative

    It's worse than that. The URL Google displays for the link is, of course, not the actual link; the actual link goes to Google so they can log the click-through. But the link to Google may in fact cause redirection to a completely different third-party domain, usually some ad broker who is doing arbitrage on the click-through.

    Here's an example, obtained by searching Google for "mortgage rates". This is a direct Google result from Google's home page.

    <font size=+0>
    <a id=an4 href=/url?sa=L&ai=BMHn-CuwvRs7QLpOYgQO0vMmWBoO9jRX zgpWxAvvb3gfg3X0QBBgHKAg4AFDj9Mzv_v____8BYMn2-IbIo 6AZyAEByAL77xXZAw3PC8TgQncC&num=7&ggladgrp=2585635 35&gglcreat=543052995&q=http://pixel-user-1042.eve resttech.net/1042/rq/3/543052995_mortgage%2520rate s_s/url%3Dhttp%253A//www.lendingtree.com/stm3/offe rs/marketpromov34.asp%253Fpromo%253D00224%2526loan _type%253D1%2526esourceid%253D835910%2526source%25 3D835910%2526EF%253D1%2526partner%253DGoogle%25268 00num%253D800-460-8109%2526adtype%253D1&usg=AFrqEz f58V3yFBM0ywyFkKryLzAMqmIWRQ><b>Mortgage</b> Rate Offers</a>
    </font><br>
    $400,000 for Only $1,334/Month!<br>
    Refinance Now, Offers in Minutes.<br>
    <span class=a>www.LendingTree.com</span><br>
    <br>

    Note that field coded into the URL on the A tag: q="http://pixel-user-1042.everesttech.net". That's where Google is going to send you. Not to Lending Tree, but to EverestTech.net. Who's "Everesttech.net"? An ad broker, or as they put it, "the leader in Search Engine Marketing".

    This creates a new attack vector. The Google ad often shows the name of some well-known business, but actually takes you to some place you never heard of. That gives the third party an opportunity to try browser-based attacks.

    This isn't just theoretical; it's in the wild. See this article on Webmaster World: "I just had my AdWords account hacked and it seems campaigns were setup with redirects pointing to places like orbitz.com and business.com that try to install some activex remote desktop program."

    It's not clear how to deal with this. The example above is from Google's main site, not "adwords.google.com".

    1. Re:It's not the browser, it's at Google's end. by Animats · · Score: 4, Informative

      There's more. Definitely read the blog section at Webmaster World linked above, which is being updated rapidly. Apparently it really is a virus. "It spreads by installing the activex on the computer that clicks the ad and looking to see if the infected host uses adwords, then does the same to their account." The pay per click people are panicking, because they're billed by Google for the ads. "The daily budget was increased to a number that would have produced a 7 figure Monthly payout." The details of exactly how this all works are still sketchy, though. Here's an early technical analysis.

      It just hit the mainstream press, in the Washington Post.
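
Added example, not part of any comment in this thread and not Google's code: the manual "look for adurl=" step from comment 2 and the nested `q=` redirect from comment 7, automated so that the domain printed in an ad can be compared with every host its link actually passes through. The sample hosts, `MAX_HOPS` and all function names are assumptions made for the illustration.

```javascript
// Added example; DEST_PARAMS are the two parameter names seen in the links quoted above.
const DEST_PARAMS = ["adurl", "q"];
const MAX_HOPS = 5; // assumption: depth cap so a crafted link cannot nest forever
const asUrl = (s, base) => { try { return new URL(s, base); } catch { return null; } };

// Return the URL embedded in `href`, or null when none is found.
function nextHop(href, base) {
  const u = asUrl(href, base);
  if (!u) return null;
  // Tracker style: destination in a query parameter (percent-decoded once by the parser).
  let found = DEST_PARAMS.map((p) => u.searchParams.get(p)).find((v) => /^https?:\/\//i.test(v || ""));
  // Broker style: destination percent-encoded into the path after "url=".
  const m = u.pathname.match(/\/url=(https?(?::|%3A).+)$/i);
  if (!found && m) { try { found = decodeURIComponent(m[1]); } catch { return null; } }
  return found && asUrl(found) ? found : null;
}

// Every URL the click passes through, starting with the link's own href.
function redirectChain(href, base) {
  const first = asUrl(href, base);
  const chain = first ? [first.href] : [];
  while (chain.length > 0 && chain.length <= MAX_HOPS) {
    const next = nextHop(chain[chain.length - 1]);
    if (!next) break;
    chain.push(next);
  }
  return chain;
}

// Simplified match: the advertised host or a subdomain of it (no public-suffix list).
function hostMatches(host, advertised) {
  const a = advertised.toLowerCase().replace(/^www\./, "");
  return host === a || host.endsWith("." + a);
}

// Compare the domain printed in the ad text with the hosts behind its link.
function auditAd(displayedDomain, href, base) {
  const hosts = redirectChain(href, base).map((u) => new URL(u).hostname);
  const intermediaries = hosts.slice(1).filter((h) => !hostMatches(h, displayedDomain));
  const landsOnAdvertised = hostMatches(hosts[hosts.length - 1] || "", displayedDomain);
  return { hosts, intermediaries, landsOnAdvertised };
}

// Constructed sample shaped like the nested link quoted above; all hosts are placeholders.
const inner = "http://www.lender.example/offers.asp?promo=1&source=2";
const broker = "http://pixel.broker.example/1042/rq/url=" + encodeURIComponent(inner);
const SAMPLE_HREF = "/url?sa=L&num=7&q=" + encodeURIComponent(broker) + "&usg=XYZ";
console.log(auditAd("www.lender.example", SAMPLE_HREF, "http://search.example/"));
```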

  8. done by Fred+Ferrigno · · Score: 3, Informative

    It's called Redirect Remover.

  9. Re:NoScript helps by damium · · Score: 3, Informative

    It doesn't help to deny changing the status bar text. The way Google manages this is by rewriting the link on a mousedown event. So, it starts out going to the proper place, but when you click or right-click it is re-written to go to the redirect link. Ad links are a bit different in that the container of the ad prevents the status bar from changing by overwriting the normal mouseover event.

    Check out any search link on Google. Mouse over. See the text? Now right click on the link. See the new redirection status text (in Firefox only, IE will still show the normal link)? This can be done with any link using the proper JavaScript.

    It is actually quite clever scripting. One advantage is that without JavaScript you still get the proper search results.
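
Added example, not part of the comment above and not Google's script: the mousedown rewrite it describes, next to a check that remembers the `href` seen on hover and restores it if it has changed by the time the click fires. The link here is a constructed stand-in built on `EventTarget` so the code runs outside a browser; `guardLink`, `demo` and the hosts are assumptions.

```javascript
// Works on any EventTarget with an `href` property (an <a> element in a browser).
function guardLink(link, report) {
  let seen = null; // href as it was when the pointer arrived over the link
  link.addEventListener("mouseover", () => { seen = link.href; });
  // mousedown always precedes click, so any rewrite has happened by now.
  link.addEventListener("click", () => {
    if (seen !== null && link.href !== seen) {
      report.push({ shown: seen, rewrittenTo: link.href });
      link.href = seen; // restore the destination the user was shown
    }
  });
  return link;
}

// Constructed stand-in for a result link whose page script rewrites it on mousedown.
function makeRewrittenLink(href) {
  const link = Object.assign(new EventTarget(), { href });
  link.addEventListener("mousedown", () => {
    link.href = "http://search.example/url?q=" + encodeURIComponent(link.href);
  });
  return link;
}

// Replay the event order a real click produces and return what the guard saw.
function demo() {
  const link = makeRewrittenLink("http://www.result.example/");
  const report = [];
  guardLink(link, report);
  for (const type of ["mouseover", "mousedown", "click"]) {
    link.dispatchEvent(new Event(type));
  }
  return { finalHref: link.href, report };
}

console.log(demo());
```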

  10. Re:NoScript helps by Kalriath · · Score: 2, Informative

    Internet Explorer has a similar one:

    Tools > Internet Options > Security > Custom Level > (Scroll down to) Scripting > Allow status bar updates via script.

    (I'm out of breath after quoting THAT maze)

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  11. Firefox + NoScript by Mathinker · · Score: 2, Informative

    > Who wants to bet that you can't click on a google Ad-Sense link w/o javascript turned on.

    Well, yes, you won't see the link without Javascript enabled for the website displaying the ads. But if you use Firefox + NoScript, you can have Javascript enabled only for that website, so you can click on the link (relatively) safely.

    I do it all the time when I see an interesting ad from trusted websites, in order to generate a little income for them. I'd say >95% of the pages I arrive at don't work properly since Javascript and Flash aren't enabled for them when I arrive there, and I never enable Javascript or Flash for them just to see advertising.