Google Text Ads For Known Malware Sites

notthatwillsmith writes "We all know that Google purges known 'attack sites' — sites that deliver viruses, spyware, or other malware to visitors — from its index of searchable sites, but that doesn't stop the text ad giant from happily selling ads linking to those sites. One wouldn't think it would be any more difficult to cross-reference the list of purged sites with the list of advertisers than it was for the main search index, would it?" To be fair, the article says that Google shut down the ad when notified of it; and no other examples of linked malware are offered. Was this a one-time oversight?

Notify the end users

Surely it wouldn't be beyond the wit of man for Google to replace ads with warnings that the site on which the ad is being viewed is suspect?

Is there a demand for guides in the bad places?

[BenEnglishAtHome]

I wonder if there's a demand for a search engine that specializes in taking you to all the "bad places" on the 'net. What if a search engine indexed everything that others don't - hate sites, porn, spam markets, malware, everything - with the disclaimer that "You'd better not use us to get to any sites unless you've got a really hardened workstation and you're willing to assume all the risks"?

There have been times when I could have used such a thing; I'm wondering if the same is true for anyone else.

Re:Is there a demand for guides in the bad places?

[BenEnglishAtHome]

i have to wondwe why you might want one of those

Fair question.

In my day job I work for the Internal Revenue Service. Years ago, I helped prototype a "lead development" process looking for tax non-compliance in entities that promoted themselves online. (Nowadays, that's everybody but not back then.) We started out looking at porn, hate peddlers, and rogue CPAs who dispensed bad advice (whatever you wanted to hear) for hefty fees. The CPAs were easy to find but the porn and hate guys? Not so much. You'd be surprised how many wholesome Midwest couples supplement their income by making beast porn and not paying taxes on their receipts. And if you think any of the white supremacist groups or similar wack-jobs out there actually comply with tax laws, I would like to tell you different.

The problem was that when we tried to find these dodgy porn sellers and hatemongers, they were tough to find. A search engine that actually had useful results would have been a good thing.

In other matters, I can remember when cjb.net was filled with not just awful porn but also cracker sites containing useful nuggets of tech information. They were also infested with whatever malware was around. At that time (What was it? About 5-8 years ago?), Google did index them. But I can easily imagine a need to get to similar neighborhoods today and finding that search engines are reluctant to point you to their malware-laden pages.

It hasn't been my job to poke around in such places for a long time but I think it's obvious that there are legitimate reasons to do so.

i wasnt aware that google filtered out porn or hate-sites

Google doesn't filter much. I know that there are lots of sites that simply don't appear in their results but I have no idea whether Google purges those sites because of potentially illegal content or if the sites themselves are opting out of being crawled. But no matter the cause of non-appearances, there still don't seem to be any search engines I know of that do a good job of indexing the content they have for these types of sites.

For example, in the situation I described a couple of paragraphs ago we found that the hate sites were very hard to track until we realized that long before we got interested in them, there were other people (namely, their victims) who had a huge interest in cataloging them. The Anti Defamation League catalog of hate sites was a gold mine, an absolutely invaluable resource. They had compiled their catalog by talking to victims and dealing with the bad guys. Trying to compile the same sort of catalog from Google results would be very, very difficult. (To be fair, back when I was doing this I mostly used HotBot and NorthernLight; this isn't a Google-specific complaint.) We started from the ADL catalog and spidered out from there, essentially building our own search database. It would have need nice if someone else had already done the work for us.

Besides, what's wrong with occasionally proving Rule 34? :-)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:What Google should really be responsible for...

[causality]

Google should really be responsible for testing its own links and purging/fixing the latest scam, "referrer redirect" hijacks.

It's a form of attack wherein a hijacked website works correctly... as long as your Referrer string doesn't include certain key words ("Google", "Yahoo", "MSN", etc). The trick being, the website won't know they have been hacked because if they get a notice saying they have, then test their own homepage directly, it still works. If you have a referrer, you get redirected to a drive-by download page (for something like "Windows Antivirus 2009" or similar).

Why is this insidious? Because it gets around a lot of the "known registry", "anti-phishing" plugins.

Google served up the link; they should have a responsibility to do a periodic check that the links they serve aren't going to a bad place, and inform the victim if they've been referrer-redirect hijacked.

That's one thing I don't understand: If I can either refuse to send an HTTP Referrer header or forge it to always point to the site's index page (I use the Firefox RefControl extension but there are others that do the same), certainly Google can do this and avoid that entire set of problems. In fact I've yet to see a good argument for why there even is such a thing as a referrer header or what benefit it's supposed to provide. I can definitely see why advertisers like it, but from the point of view of a user it's useless or nearly useless; if I thought Webmasters needed to know the site I went to before I visited theirs, I would send them an e-mail to tell them.

Re:What Google should really be responsible for...

Google should really be responsible for testing its own links and purging/fixing the latest scam, "referrer redirect" hijacks.

It's a form of attack wherein a hijacked website works correctly... as long as your Referrer string doesn't include certain key words ("Google", "Yahoo", "MSN", etc). The trick being, the website won't know they have been hacked because if they get a notice saying they have, then test their own homepage directly, it still works. If you have a referrer, you get redirected to a drive-by download page (for something like "Windows Antivirus 2009" or similar).

Why is this insidious? Because it gets around a lot of the "known registry", "anti-phishing" plugins.

Google served up the link; they should have a responsibility to do a periodic check that the links they serve aren't going to a bad place, and inform the victim if they've been referrer-redirect hijacked.

Nice idea but impossible. I work in google adwords qualified company and we ourselves create thousands of google ads per day. And we aren't the largest company in the country by any means. And the country is smaller that most states of USA...

The amount of ads is mind boggling.

Google employees checking every single one periodically? That is impossible. Also, why not demand that Youtube employees would watch through every video?

Now... Did Google do something wrong? Perhaps. If they delivered ads to location they had already banned from search. And I know they do - As I have managed some MFA (made for adsense) sites that Google redeemed "Worthless ad sites that users don't want to get to" (and they were correct, sure. But Well, I needed money. It worked.). Buying users there through adwords keeps working even after the site gets +100 filter in organic results.

Re:But no one ever clicks on the ads

[ledow]

I helped put Google Ad's on a site my brother runs... http://www.scoutingresources.org.uk/

We get enough money from the ad's to host the site (which has some pretty hefty bandwidth needs at the moment but we have a very charitable host who does us lots of favours) and run a couple of camps for the Scouts every year. The clickthrough ratio is the same as my own sites, about 0.30%, but the number of visitors means it's actually profitable. Of course, we get that amount of visitors but being useful, prevelant, having lots of information, and being around for nearly 10 years helps - however we have never paid to advertise it, on-line or off. As far as I know, we've never had an article in any big Scouting magazines or anything. Just local stuff and general Googling. We don't sell anything, we don't take bribes, we don't like to anything that we review/use (advertisers/sponsors are *clearly* marked as such). So I guess it's just the number of eyes that determine click-through's, than anything else. I haven't seen the statistics in a while but I'm pretty sure we get a thousand visitors an hour or something stupid like that, for as far as you can trust web-based metrics.

Ad's get clicked on. In fact, the last few times we've been approached by camping specialists to sponsor the site, it's been for much less than the Google ad's bring in on their own.

Re:But no one ever clicks on the ads

[trongey]

Progman3K,
Your target demographic is people who want something for free. Do you really expect them to click on ads for for stuff that costs money?

Re:What Google should really be responsible for...

[zacronos]

Google served up the link; they should have a responsibility to do a periodic check that the links they serve aren't going to a bad place, and inform the victim if they've been referrer-redirect hijacked.

That's easier said than done. Here are some reasons:

• The page was almost certainly clean when the ad was set up.
• What if they use a database of known ip addresses (such as those available for free for PeerGuardian) to attempt to avoid attacking a Google ip address, rather than looking at the referrer?
• Many of the redirects are much more sophisticated today -- they don't do a server-side redirect request, they send some javascript to make the browser do a client-side redirect. That makes things difficult because now your spider must include a javascript interpreter.
• What if there's a 10-second delay before the redirect? If your spider leaves the site too soon, it'll never know. In contrast, many users would likely still be on the page after 10 seconds.
• What if the attack is only initiated as a result of some particular sort of user interaction, like a click on the page (similar to much of today's popup code)? How do you reliably test for all possible variations on that?
• How often do you test the links? Once a day? That'll take a lot of resources for someone as big as google. Once a week? On average that means a site will have 3-4 days in the wild before they even get checked, and that frequency still might take a lot of resources.
• What if, even after all that, the page only attempts to attack one out of every ten opportunities? Even if you check the link periodically, and are able to duplicate the circumstances necessary to trigger the attack, you may not catch the attempt until you've tested the page several times. At once a week checking each link, that would mean on average a month or more in the wild.

Google isn't entirely innocent

[lemur666]

A while back my credit card info was stolen and I first noticed it because of some suspicious charges.

What were the charges?

Google adwords. Several hundred dollars worth and all pointing to malware sites.

Clearly, the first for steps whomever stole my credit card info were to set up ads directing folks to sites that could potentially be used to infect more machines, steal more info, etc.

This was almost a year ago, so Google (at some level) has to know that this sort of thing is going on. And if it's still going on a year later, it must still be successful as a way to spread malware.

Not it's possible Google isn't doing anything about it because they think that if they start policing it, they may be exposed to more liability.