Slashdot Mirror


Google Deletes Rogue Ads, Dangers Persist

An anonymous reader passed us a link to a PC World article about attempts by Google to curb malicious ads via their popular service. The article is somewhat bleak, though, because researchers see the fix as nothing more than temporary. "'Search engines are just too easy a target for bad guys,' says Roger Thompson of Exploit Security Labs. On April 25, Exploit Prevention Labs reported that malware distributors were using advertisements placed via Google's automated AdWords system to infect unsuspecting end-users with spyware designed to capture bank login user names and passwords."

7 of 63 comments

  1. They are all vulnerable by xintegerx · · Score: 2, Interesting

    About 6 months ago, a web site showed an AdBrite "please click up top to continue" full page ad. Except, this wasn't a picture, but an actual web page.

    The ad itself looked like a blue, medical stock template with a nonsensical press release inside of it. It didn't look like an ad, but an unprofessional scam. Well, my antivirus went off either at that page, or when I clicked to investigate it. The home page itself consisted exactly of that same type of garbage.

    So, Google Ads are dangerous because they take you to web sites of hundreds of thousands of third-party web sites nobody heard of before. AdBrite sticks those pages right into the ad so you can be infected even without clicking on anything; and because of that, you're screwed even if you have ad-blocker software, because those ads are pulled straight from the advertiser's web sites.

  2. Google has to require link = real destination by Animats · · Score: 4, Interesting

    This vulnerability in AdWords exists because Google made them "reseller-friendly." That needs to stop.

    When you click on a Google AdWords ad link, the link goes to Google, not to the destination site. Then Google's ad link server looks at the URL, logs the click, and does a redirect to the site specified by the advertiser. That isn't necessarily the destination shown in the Google ad. It's often some "ad broker" or "affiliate", which wants to see the click event for "tracking". That's what created the vulnerability. Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".

    Google does check, when the ad is purchased and occasionally thereafter, that the link sold with the ad eventually redirects to the purported destination, or what Google calls the "landing site". But that's not good enough any more. Attackers can create ads which attract innocent users, run them past the attacker's site where the attacker gets a shot at them, then direct them invisibly to the destination. That's how this attack works.

    It's time to cut the middlemen out of the loop. Google ad links need to go directly to the destination site, only. "Ad brokers" and "affiliates" will have to use Google's own ad tracking numbers. This might require outside auditing to be trustworthy.

    That would cause some disruption in the ad-broker / "search engine optimization" business, although they'd adjust to it. It's going to be interesting to see whether Google chooses to protect its search customers or its ad brokers. That will tell us whether Google has abandoned "Don't be evil".
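The difference between checking only the landing site and checking every hop, as described in the comment above, shown as an added example that is not part of the original post. The click-server hostname, the sample chains and all function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostname of the ad network's own click-logging server (placeholder).
CLICK_SERVERS = {"click.adnetwork.test"}

def host_of(url):
    """Lowercased hostname of an http(s) URL; userinfo and port are ignored."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname.rstrip(".")

def same_site(host, displayed):
    """True if host is the displayed domain or a subdomain of it."""
    displayed = displayed.lower().rstrip(".")
    if displayed.startswith("www."):
        displayed = displayed[4:]
    return host == displayed or host.endswith("." + displayed)

def landing_only_check(displayed, chain):
    """The weaker check: only the final URL must be on the displayed site."""
    return same_site(host_of(chain[-1]), displayed)

def audit_chain(displayed, chain):
    """Stricter check: every hop is the click server or the displayed site."""
    findings = []
    for i, url in enumerate(chain):
        host = host_of(url)
        if host in CLICK_SERVERS or same_site(host, displayed):
            continue
        kind = "landing page" if i == len(chain) - 1 else "intermediate hop"
        findings.append(f"{kind} {i} on third-party host {host}")
    return (not findings, findings)

# Constructed sample chains (not captured traffic).
DIRECT = ["https://click.adnetwork.test/c?id=1", "https://www.bank.example/offers"]
RELAYED = ["https://click.adnetwork.test/c?id=2",
           "http://track.broker.test/r?to=bank",
           "https://www.bank.example/offers"]
LOOKALIKE = ["https://click.adnetwork.test/c?id=3",
             "https://www.bank.example@bank.example.evil.test/login"]

if __name__ == "__main__":
    for name, chain in (("direct", DIRECT), ("relayed", RELAYED), ("lookalike", LOOKALIKE)):
        print(name, landing_only_check("www.bank.example", chain),
              audit_chain("www.bank.example", chain))
```

The relayed chain passes the landing-only check but is flagged by the per-hop audit, because the intermediate host sees the visitor before the displayed site does.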

  3. A simple solution by halcyon1234 · · Score: 4, Interesting

    Why doesn't Google just test every new ad that is submitted to them? It wouldn't be all that hard. All they need are a few machines running XP and an unpatched copy of IE. Make an image of a working machine as a backup. Then, when a new Ad Sense ad is submitted, one of those machines visits the website. If it gets hit with malware, the ad is rejected, and the machine is re-imaged from the backup.

    The philosophy is simple: Anyone who would take advantage of any sort of exploit to install software on an end user's machine is not peddling a legitimate product.

    Of course, a semi-clever malware site admin can write a script that would deliver different content to a Google machine. But I am sure Google has enough disposable IPs and proxies that that won't be a problem. And even if it is, I'm sure they can just Google for a good IP spoofer. (Goofer?)

    It's a trivial matter with an easily implemented solution.

  4. So who's at fault? by Itninja · · Score: 4, Interesting

    My question is, if a malicious piece of malware gets delivered to someone via a Google Ad on my site, am I going to get sued? If my AdWords are just a ticking litigious timebomb, maybe I should take them down....

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:So who's at fault? by Anonymous Coward · · Score: 1, Interesting


      $PROSECUTION: Your honour, I visited the $DEFENDERS website, I clicked on a link and I was infected by a trojan which stole my bank account details
      $DEFENDER: that wasn't me, it was a google advert that did it
      $JUDGE: and who put the advert code on your website
      $DEFENDER: I did, your honour
      $JUDGE: guilty as charged! 3 years prison for fraud and theft by deception
      $BANK: we would like now to issue proceedings against $DEFENDER and $ADVERTISER for theft, fraud, conspiracy, wiretap laws, do you have a form we can fill out?

  5. Re:Google has to require link = real destination by Anonymous Coward · · Score: 2, Interesting

    Re-directs, while disconcerting, are not the main problem. These exploits often find their way into trusted sites too. The Super Bowl site was hacked with the ANI exploit right before the Super Bowl. Thousands of trusted sites are hacked today, and they're in Google/Yahoo/MSN's organic search results. The criminals hack into a site, insert a simple link into the HTML, and voila, a portion of every unsuspecting visitor's browser's session is re-directed to an exploit server. Also, even if Google eliminated re-directs, the advertisers themselves will want to add their own. Advertisers need to measure somehow. What Google needs to do is apply a technology fix. There's anti-exploit technology available from nearly every security vendor, including the company mentioned in the story who discovered this exploit. In fact, the exploit was discovered by one of their users who was alerted to the malicious hyperlink.

  6. Firefox Affected? by Mister+Transistor · · Score: 1, Interesting

    I even RTFA (!) and I couldn't determine whether or not Firefox is vulnerable or not. Based on things as usual, I'm assuming it isn't but I really can't tell!

    --
    -- You are in a maze of little, twisty passages, all different... --