Google Deletes Rogue Ads, Dangers Persist

An anonymous reader writes passed us a link to a PC World article about attempts by Google to curb malicious ads via their popular service. The article is somewhat bleak, though, because researchers see the fix as nothing more than temporary. "'Search engines are just too easy a target for bad guys,' says Roger Thompson of Exploit Security Labs. On April 25, Exploit Prevention Labs reported that malware distributors were using advertisements placed via Google's automated AdWords system to infect unsuspecting end-users with spyware designed to capture bank login user names and passwords."

Adwords has poor service.

[Scott+Lockwood]

I'm amazed at what you can, and cannot do with the service. Just today, I found that you cannot remove an old bank account from adwords. Amazing. Even Paypal gets that right.

They are all vulnerable

[xintegerx]

About 6 months ago, a web site showed an AdBrite "please click up top to continue" full page ad. Except, this wasn't a picture, but an actual web page.

The ad itself looked like a blue, medical stock template with a nonsensical press release inside of it. It didn't look like an ad, but an unprofessional scam. Well, my antivirus went off either at that page, or when I clicked to investigate it. The home page itself consisted exactly of that same type of garbage.

So, Google Ads are dangerous because they take you to web sites of hundreds of thousands third party web sites nobody heard of before. AdBrite sticks those pages right into the ad so you can be infected even without clicking on anything; and because of that, you're screwed even if you have an ad-blocker software, because those ads are pulled straight from the advertiser's web sites.

M$ Search is Worse.

[Erris]

Microsoft's search excels in spreading malware. How's that for cold water on this Google slam?

Google has to require link = real destination

[Animats]

This vulnerability in AdWords exists because Google made them "reseller-friendly." That needs to stop.

When you click on a Google AdWords ad link, the link goes to Google, not to the destination site. Then Google's ad link server looks at the URL, logs the click, and does a redirect to the site specified by the advertiser. That isn't necessarily the destination shown in the Google ad. It's often some "ad broker" or "affiliate", which wants to see the click event for "tracking". That's what created the vulnerability. Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".

Google does check, when the ad is purchased and occasionally thereafter, that the link sold with the ad eventually redirects to the purported destination, or what Google calls the "landing site". But that's not good enough any more. Attackers can create ads which attract innocent users, run them past the attacker's site where the attacker gets a shot at them, then direct them invisibly to the destination. That's how this attack works.

It's time to cut the middlemen out of the loop. Google ad links need to go directly to the destination site, only. "Ad brokers" and "affiliates" will have to use Google's own ad tracking numbers. This might require outside auditing to be trustworthy.

That would cause some disruption in the ad-broker / "search engine optimization" business, although they'd adjust to it. It's going to be interesting to see whether Google chooses to protect its search customers or its ad brokers. That will tell us whether Google has abandoned "Don't be evil".

A simple solution

[halcyon1234]

Why doesn't Google just test every new ad that is submitted to them? It wouldn't be all that hard. All they need are a few machines running XP and an unpatched copy of IE. Make an image of a working machine as a backup. Then, when a new Ad Sense ad is submitted, one of those machine visits the website. If it gets hit with malware, the ad is rejected, and the machine is re-imaged from the backup.

The philosophy is simple: Anyone who would take advantage of any sort of exploit to install software on an end user's machine is not peddling a legitimate product.

Of course, a semi-clever malware site admin can write a script that would deliver different content to a Google machine. But I am sure Google has enough disposable IPs and proxies that that won't be a problem. And even if it is, I'm sure they can just Google for a good IP spoofer. (Goofer?)

It's a trivial matter with an easily implemented solution.

Re:A simple solution

[Solra+Bizna]

They can also change the content of the page after it's accepted, so Google would have to check every ad fairly often.

-:sigma.SB

So who's at fault?

[Itninja]

My question is, if a malicious piece of malware get delivered to someone via a Google Ad on my site am I going to get sued? If my AdWords are just a ticking litigious timebomb maybe I should take them down....

Re:Google has to require link = real destination

Re-directs, while disconcerting, are not the main problem. These exploits often find their way into trusted sites too. The Super Bowl site was hacked with the ANI exploit right before the Super Bowl. Thousands of trusted sites are hacked today, and they're in Google/Yahoo/MSN's organic search results. The criminals hack into a site, insert a simple link into the HTML, and voila, a portion of every unsuspecting visitor's browser's session is re-directed to an exploit server. Also, even if Google eliminated re-directs, the advertisers themselves will want to add their own. Advertisers need to measure somehow. What Google needs to do is apply a technology fix. There's anti-exploit technology available from nearly every security vendor, including the company mentioned in the story who discovered this exploit. In fact, the exploit was discovered by one of their users who was alerted to the malicious hyperlink.

This is not the root cause or solution.

[Erris]

From the fine article:

If someone clicked a booby-trapped sponsored link they were the ad would redirect their browser through URLs that attempted to automatically download a virus program (MSO6-014) onto their computers before passing them along to the actual sites that were advertised.

The problem is that so many people use a crappy browser that allows the attacks. Malicious people are going to put their stuff on the web and that's not Google's fault. To top it all off, Google is doing a better job fighting the problem than Microsoft's own search.

The further away you get from M$, the better off you are.

no it doesn't.

no it doesn't. I've deleted multiple bank and credit card numbers from my paypal account, and they have a way of magically re-appearing. It's freaky, and I really don't like it. I'm sure others have experienced this too...

Re:Google has to require link = real destination

[bitt3n]

Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".

This is even more nefarious because many long-term BoA customers will simply assume the destination URL to be a rare example of corporate transparency.

Whole new meaning

[Myria]

I guess that this gives a whole new meaning to "I'm Feeling Lucky".

Slam and Advert

[Erris]

The Bungi Troll asks:

So reporting an issue is a "slam" now?

Yes, it's a slam if you only report half the issue. All of the search engines have this "problem" and M$ has it worse than others. The unmentioned root cause of the issue is a crappy browser and OS that's easy to exploit, yet somehow it's all Google's fault. That is a Google slam.

This is par for the course in the Wintel press world. The article ends up being an advertisement for Site Advisor, which is just another Windoze band-aid. The reporter who wrote this article needed to do some more research. Because they did not, they ended up slamming Google.

This just in

[aero6dof]

Researchers realize that everybody would be safest if we all just sat in the dark and shunned communication with anyone.