Google Text Ads For Known Malware Sites

notthatwillsmith writes "We all know that Google purges known 'attack sites' — sites that deliver viruses, spyware, or other malware to visitors — from its index of searchable sites, but that doesn't stop the text ad giant from happily selling ads linking to those sites. One wouldn't think it would be any more difficult to cross-reference the list of purged sites with the list of advertisers than it was for the main search index, would it?" To be fair, the article says that Google shut down the ad when notified of it; and no other examples of linked malware are offered. Was this a one-time oversight?

Is there a demand for guides in the bad places?

[BenEnglishAtHome]

I wonder if there's a demand for a search engine that specializes in taking you to all the "bad places" on the 'net. What if a search engine indexed everything that others don't - hate sites, porn, spam markets, malware, everything - with the disclaimer that "You'd better not use us to get to any sites unless you've got a really hardened workstation and you're willing to assume all the risks"?

There have been times when I could have used such a thing; I'm wondering if the same is true for anyone else.

Re:Is there a demand for guides in the bad places?

[BenEnglishAtHome]

i have to wondwe why you might want one of those

Fair question.

In my day job I work for the Internal Revenue Service. Years ago, I helped prototype a "lead development" process looking for tax non-compliance in entities that promoted themselves online. (Nowadays, that's everybody but not back then.) We started out looking at porn, hate peddlers, and rogue CPAs who dispensed bad advice (whatever you wanted to hear) for hefty fees. The CPAs were easy to find but the porn and hate guys? Not so much. You'd be surprised how many wholesome Midwest couples supplement their income by making beast porn and not paying taxes on their receipts. And if you think any of the white supremacist groups or similar wack-jobs out there actually comply with tax laws, I would like to tell you different.

The problem was that when we tried to find these dodgy porn sellers and hatemongers, they were tough to find. A search engine that actually had useful results would have been a good thing.

In other matters, I can remember when cjb.net was filled with not just awful porn but also cracker sites containing useful nuggets of tech information. They were also infested with whatever malware was around. At that time (What was it? About 5-8 years ago?), Google did index them. But I can easily imagine a need to get to similar neighborhoods today and finding that search engines are reluctant to point you to their malware-laden pages.

It hasn't been my job to poke around in such places for a long time but I think it's obvious that there are legitimate reasons to do so.

i wasnt aware that google filtered out porn or hate-sites

Google doesn't filter much. I know that there are lots of sites that simply don't appear in their results but I have no idea whether Google purges those sites because of potentially illegal content or if the sites themselves are opting out of being crawled. But no matter the cause of non-appearances, there still don't seem to be any search engines I know of that do a good job of indexing the content they have for these types of sites.

For example, in the situation I described a couple of paragraphs ago we found that the hate sites were very hard to track until we realized that long before we got interested in them, there were other people (namely, their victims) who had a huge interest in cataloging them. The Anti Defamation League catalog of hate sites was a gold mine, an absolutely invaluable resource. They had compiled their catalog by talking to victims and dealing with the bad guys. Trying to compile the same sort of catalog from Google results would be very, very difficult. (To be fair, back when I was doing this I mostly used HotBot and NorthernLight; this isn't a Google-specific complaint.) We started from the ADL catalog and spidered out from there, essentially building our own search database. It would have need nice if someone else had already done the work for us.

Besides, what's wrong with occasionally proving Rule 34? :-)

Re:What Google should really be responsible for...

Google should really be responsible for testing its own links and purging/fixing the latest scam, "referrer redirect" hijacks.

It's a form of attack wherein a hijacked website works correctly... as long as your Referrer string doesn't include certain key words ("Google", "Yahoo", "MSN", etc). The trick being, the website won't know they have been hacked because if they get a notice saying they have, then test their own homepage directly, it still works. If you have a referrer, you get redirected to a drive-by download page (for something like "Windows Antivirus 2009" or similar).

Why is this insidious? Because it gets around a lot of the "known registry", "anti-phishing" plugins.

Google served up the link; they should have a responsibility to do a periodic check that the links they serve aren't going to a bad place, and inform the victim if they've been referrer-redirect hijacked.

Nice idea but impossible. I work in google adwords qualified company and we ourselves create thousands of google ads per day. And we aren't the largest company in the country by any means. And the country is smaller that most states of USA...

The amount of ads is mind boggling.

Google employees checking every single one periodically? That is impossible. Also, why not demand that Youtube employees would watch through every video?

Now... Did Google do something wrong? Perhaps. If they delivered ads to location they had already banned from search. And I know they do - As I have managed some MFA (made for adsense) sites that Google redeemed "Worthless ad sites that users don't want to get to" (and they were correct, sure. But Well, I needed money. It worked.). Buying users there through adwords keeps working even after the site gets +100 filter in organic results.

Re:What Google should really be responsible for...

[zacronos]

Google served up the link; they should have a responsibility to do a periodic check that the links they serve aren't going to a bad place, and inform the victim if they've been referrer-redirect hijacked.

That's easier said than done. Here are some reasons:

• The page was almost certainly clean when the ad was set up.
• What if they use a database of known ip addresses (such as those available for free for PeerGuardian) to attempt to avoid attacking a Google ip address, rather than looking at the referrer?
• Many of the redirects are much more sophisticated today -- they don't do a server-side redirect request, they send some javascript to make the browser do a client-side redirect. That makes things difficult because now your spider must include a javascript interpreter.
• What if there's a 10-second delay before the redirect? If your spider leaves the site too soon, it'll never know. In contrast, many users would likely still be on the page after 10 seconds.
• What if the attack is only initiated as a result of some particular sort of user interaction, like a click on the page (similar to much of today's popup code)? How do you reliably test for all possible variations on that?
• How often do you test the links? Once a day? That'll take a lot of resources for someone as big as google. Once a week? On average that means a site will have 3-4 days in the wild before they even get checked, and that frequency still might take a lot of resources.
• What if, even after all that, the page only attempts to attack one out of every ten opportunities? Even if you check the link periodically, and are able to duplicate the circumstances necessary to trigger the attack, you may not catch the attempt until you've tested the page several times. At once a week checking each link, that would mean on average a month or more in the wild.