Virus Writers Target Google's Sponsored Links

An anonymous reader writes "It looks like the bad guys are gaming Google's sponsored links to spread their junk to people who click on the ads with unpatched versions of Internet Explorer. Attackers apparently bought the rights to several high profile search terms, including searches that would return results for the Better Business Bureau, among others. The story notes this was bound to happen, given the way Google structures sponsored links: "The bad guys behind the attack appeared to capitalize on an odd feature of Google's sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.""

Screen?

[HomelessInLaJolla]

How are the google ad links created? Is there someone circulating a suite of templates or do companies which buy the ads simply provide a URL with which to link to?

What's the procedure for selecting which particular ad a user will see? I imagine it's a little more complex than a completely random selection from one massive repository.

Isn't there a way for Google to virus scan the ads before they're added to the potential pool and, if so, shouldn't there be a way for punishing advertisers who swap out a clean ad with a virus/malware laden one at a later date? Or is this a case of some malicious organizations actually hacking Google code?

There's a datestamp on nearly everything and I'm sure someone has network activity records someplace.

Re:Screen?

[lintux]

> Isn't there a way for Google to virus scan the ads before they're added to the potential pool and, if so, shouldn't there be a way for punishing advertisers who swap out a clean ad with a virus/malware laden one at a later date?

Definitely. But the problem here is that the malicious person can change the contents of the website any time he/she wants. When placing the ad, put something normal there. Once the ad is live, put your malware there. After a few hours the ad will probably be dead ... but I'm afraid there are ways around that too.

Re:copy link location, paste into text editor

I smell a browser extension.

Re:Who bought the ads?

[Strange+Ranger]

Well...

1st - it's not a virus, it's a browser exploit.

2nd - what's the point of tracking somebody down in Nigeria or Kazakhstan?

and more importantly

3rd - One would expect Google to police their sponsored links a tad bit better than slashdot polices their article submissions.
At least have a prominent easy-to-use Bad Guy reporting tool. The first thing that comes to mind - a little link like the cached link under each sponsored add might do the trick.

Well sorry to say

[Ilgaz]

Google had this coming for a long time. I know it will make some people mad but that "thing" they call Adwords must immediately change. They pay users like Amazon for filtering or do some advanced Ajax tricks, it is their choice.

I am actually seeing spyware/grayware vendors advertising on Adwords and I am using Safari OSX, I am not at their target audience even. I can't imagine stuff actual target audience (IE users) get. These are the very same people who claims random rivals products "badware" just because poor thing tried to check for updates.

They recently banned site of Jim Mitchell, a well known/popular OS X support engineer/developers page claiming he is playing some games with their advertising platform, polite way of saying guy is thief. It turns out, there are spammers featuring copies of popular blogs making money from them.

http://jimmitchell.org/2007/03/08/is-google-adsens e-really-fair/

I go nuts when my frequently used tiny usenet group is spammed by spammers using Google groups with Google Mail (verified,real) address, when I head to pirate site to report them, I notice their one and only income is? Google Ads!

So now actual Virus linked? Not big deal at all. Hope it would make them THINK and learn from a company thinking they can do anything and it won't harm them in 1990s.

One last thing, if you are on a secure platform, go check http://zlashdot.org/ , yes "Typosquatting", lowest form of online mafia. See the search bar on top? See the advertising provider? End of discussion :)

Re:copy link location, paste into text editor

[UNFAIRMAN]

Firefox users (at least in Windows) can use Greasemonkey with this script
http://userscripts.org/scripts/show/8346
along with McAfee's SiteAdvisor to see a red/yellow/green icon next to all Google ad links.
Its not the best Greasemonkey script, but it gets the job done.

Adwords accounts are being hijacked as well

[jtara]

Approximately concurrently with this, some Adwords advertisers have discovered that their accounts have been hijacked using a similar technique. Ads that they did not write were added.

Oddly, in at least one case the hijacker added their OWN credit card information to the account to pay for the ads! (Perhaps to try to avoid detection when the advertiser's credit card bill arrives.)

There are some first-person accounts by advertisers at WebmasterWorld:

http://www.webmasterworld.com/google_adwords/33200 21.htm#msg3321934

Re:NoScript helps

[bill_mcgonigle]

It does:

Tools|Options| Click the Advanced button that is next to the checked box to enable JavaScript| Uncheck the box to Allow JavaScript to Change status bar text.

Very interesting - on mine it's under Preferences, Content, Javascript, Advanced, but disallowing it there doesn't stop Google. Perhaps my NoScript permit rule is preempting Firefox's.

Re:It's not the browser, it's at Google's end.

[cottagetrees]

No, what the Washington Post was reporting wasn't a virus. It was an exploit that attempted to install a driveby downloaded keylogger. What you're seeing at Webmaster World is interesting, but probably unrelated.