Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Deletes Rogue Ads, Dangers Persist

Posted by Zonk on from the out-out-rogue-ads dept.

An anonymous reader writes passed us a link to a PC World article about attempts by Google to curb malicious ads via their popular service. The article is somewhat bleak, though, because researchers see the fix as nothing more than temporary. "'Search engines are just too easy a target for bad guys,' says Roger Thompson of Exploit Security Labs. On April 25, Exploit Prevention Labs reported that malware distributors were using advertisements placed via Google's automated AdWords system to infect unsuspecting end-users with spyware designed to capture bank login user names and passwords."

8 of 63 comments (clear)

  1. Adwords has poor service. by Scott+Lockwood · · Score: 4, Informative

    I'm amazed at what you can, and cannot do with the service. Just today, I found that you cannot remove an old bank account from adwords. Amazing. Even Paypal gets that right.

    --
    But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
  2. Google has to require link = real destination by Animats · · Score: 4, Interesting

    This vulnerability in AdWords exists because Google made them "reseller-friendly." That needs to stop.

    When you click on a Google AdWords ad link, the link goes to Google, not to the destination site. Then Google's ad link server looks at the URL, logs the click, and does a redirect to the site specified by the advertiser. That isn't necessarily the destination shown in the Google ad. It's often some "ad broker" or "affiliate", which wants to see the click event for "tracking". That's what created the vulnerability. Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".

    Google does check, when the ad is purchased and occasionally thereafter, that the link sold with the ad eventually redirects to the purported destination, or what Google calls the "landing site". But that's not good enough any more. Attackers can create ads which attract innocent users, run them past the attacker's site where the attacker gets a shot at them, then direct them invisibly to the destination. That's how this attack works.

    It's time to cut the middlemen out of the loop. Google ad links need to go directly to the destination site, only. "Ad brokers" and "affiliates" will have to use Google's own ad tracking numbers. This might require outside auditing to be trustworthy.

    That would cause some disruption in the ad-broker / "search engine optimization" business, although they'd adjust to it. It's going to be interesting to see whether Google chooses to protect its search customers or its ad brokers. That will tell us whether Google has abandoned "Don't be evil".

  3. A simple solution by halcyon1234 · · Score: 4, Interesting
    Why doesn't Google just test every new ad that is submitted to them? It wouldn't be all that hard. All they need are a few machines running XP and an unpatched copy of IE. Make an image of a working machine as a backup. Then, when a new Ad Sense ad is submitted, one of those machine visits the website. If it gets hit with malware, the ad is rejected, and the machine is re-imaged from the backup.

    The philosophy is simple: Anyone who would take advantage of any sort of exploit to install software on an end user's machine is not peddling a legitimate product.

    Of course, a semi-clever malware site admin can write a script that would deliver different content to a Google machine. But I am sure Google has enough disposable IPs and proxies that that won't be a problem. And even if it is, I'm sure they can just Google for a good IP spoofer. (Goofer?)

    It's a trivial matter with an easily implemented solution.

    --
    UTF-8: There and Back Again
    1. Re:A simple solution by Solra+Bizna · · Score: 3, Insightful

      They can also change the content of the page after it's accepted, so Google would have to check every ad fairly often.

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
  4. So who's at fault? by Itninja · · Score: 4, Interesting

    My question is, if a malicious piece of malware get delivered to someone via a Google Ad on my site am I going to get sued? If my AdWords are just a ticking litigious timebomb maybe I should take them down....

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  5. no it doesn't. by Anonymous Coward · · Score: 3, Informative

    no it doesn't. I've deleted multiple bank and credit card numbers from my paypal account, and they have a way of magically re-appearing. It's freaky, and I really don't like it. I'm sure others have experienced this too...

  6. Re:Google has to require link = real destination by bitt3n · · Score: 4, Funny

    Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".
    This is even more nefarious because many long-term BoA customers will simply assume the destination URL to be a rare example of corporate transparency.
    --
    how many pairs of boxer shorts should you own?
  7. Slam and Advert by Erris · · Score: 3, Insightful

    The Bungi Troll asks:

    So reporting an issue is a "slam" now?

    Yes, it's a slam if you only report half the issue. All of the search engines have this "problem" and M$ has it worse than others. The unmentioned root cause of the issue is a crappy browser and OS that's easy to exploit, yet somehow it's all Google's fault. That is a Google slam.

    This is par for the course in the Wintel press world. The article ends up being an advertisement for Site Advisor, which is just another Windoze band-aid. The reporter who wrote this article needed to do some more research. Because they did not, they ended up slamming Google.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.