Slashdot Mirror
Virus Writers Target Google's Sponsored Links
An anonymous reader writes "It looks like the bad guys are gaming Google's sponsored links to spread their junk to people who click on the ads with unpatched versions of Internet Explorer. Attackers apparently bought the rights to several high profile search terms, including searches that would return results for the Better Business Bureau, among others. The story notes this was bound to happen, given the way Google structures sponsored links: "The bad guys behind the attack appeared to capitalize on an odd feature of Google's sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.""
I really wish people would put even a bit of effort into using the term correctly.
Hell, this isn't even a Worm! It's just exploiting a browser bug to steal passwords.
Yawn.
Don't use Internet Explorer.
How we know is more important than what we know.
How are the google ad links created? Is there someone circulating a suite of templates or do companies which buy the ads simply provide a URL with which to link to?
What's the procedure for selecting which particular ad a user will see? I imagine it's a little more complex than a completely random selection from one massive repository.
Isn't there a way for Google to virus scan the ads before they're added to the potential pool and, if so, shouldn't there be a way for punishing advertisers who swap out a clean ad with a virus/malware laden one at a later date? Or is this a case of some malicious organizations actually hacking Google code?
There's a datestamp on nearly everything and I'm sure someone has network activity records someplace.
the NPG electrode was replaced with carbon blac
right click on ad, copy link location, paste into a text editor
http://pagead2.googlesyndication.com/pagead/iclk?look for: adurl=http://whatever
Handy for finding ad urls when you don't want to click on them because they're on your own site because clicking on your own ads is against google's terms. Bit of a pain, but the information is in there if you want to dig it out.Loose lips lose spit.
Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.
Google is doing something bad here - disabling a browser security feature with JavaScript (why? - that was fashionable a decade ago...). Firefox users can install NoScript to prevent this kind of chicanery. I'm surprised Firefox doesn't have a preference to disable allowing JavaScript to do this in the first place.
(yes, that was a taunt for somebody to post the little-known about:config preference to disable this mis-feature)
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Google had this coming for a long time. I know it will make some people mad but that "thing" they call Adwords must immediately change. They pay users like Amazon for filtering or do some advanced Ajax tricks, it is their choice.
s e-really-fair/
:)
I am actually seeing spyware/grayware vendors advertising on Adwords and I am using Safari OSX, I am not at their target audience even. I can't imagine stuff actual target audience (IE users) get. These are the very same people who claims random rivals products "badware" just because poor thing tried to check for updates.
They recently banned site of Jim Mitchell, a well known/popular OS X support engineer/developers page claiming he is playing some games with their advertising platform, polite way of saying guy is thief. It turns out, there are spammers featuring copies of popular blogs making money from them.
http://jimmitchell.org/2007/03/08/is-google-adsen
I go nuts when my frequently used tiny usenet group is spammed by spammers using Google groups with Google Mail (verified,real) address, when I head to pirate site to report them, I notice their one and only income is? Google Ads!
So now actual Virus linked? Not big deal at all. Hope it would make them THINK and learn from a company thinking they can do anything and it won't harm them in 1990s.
One last thing, if you are on a secure platform, go check http://zlashdot.org/ , yes "Typosquatting", lowest form of online mafia. See the search bar on top? See the advertising provider? End of discussion
It's worse than that. The URL Google displays for the link is, of course, not the actual link; the actual link goes to Google so they can log the click-through. But the link to Google may in fact cause redirection to a completely different third-party domain, usually some ad broker who is doing arbitrage on the click-through.
Here's an example, obtained by searching Google for "mortgage rates". This is a direct Google result from Google's home page.
Note that field coded into the URL on the A tag: q="http://pixel-user-1042.everesttech.net". That's where Google is going to send you. Not to Lending Tree, but to EverestTech.net. Who's "Everesttech.net? An ad broker, or as they put it, "the leader in Search Engine Marketing".
This creates a new attack vector. The Google ad often shows the name of some well-known business, but actually takes you to some place you never heard of. That gives the third party an opportunity to try browser-based attacks.
This isn't just theoretical; it's in the wild. See this article on Webmaster World: " I just had my AdWords account hacked and it seems campaigns were setup with redirects pointing to places like orbitz.com and business.com that try to install some activex remote desktop program."
It's not clear how to deal with this. The example above is from Google's main site, not "adwords.google.com".