Slashdot Mirror


Google Text Ads For Known Malware Sites

notthatwillsmith writes "We all know that Google purges known 'attack sites' — sites that deliver viruses, spyware, or other malware to visitors — from its index of searchable sites, but that doesn't stop the text ad giant from happily selling ads linking to those sites. One wouldn't think it would be any more difficult to cross-reference the list of purged sites with the list of advertisers than it was for the main search index, would it?" To be fair, the article says that Google shut down the ad when notified of it; and no other examples of linked malware are offered. Was this a one-time oversight?

8 of 110 comments

  1. Is there a demand for guides in the bad places? by BenEnglishAtHome · · Score: 4, Interesting

    I wonder if there's a demand for a search engine that specializes in taking you to all the "bad places" on the 'net. What if a search engine indexed everything that others don't - hate sites, porn, spam markets, malware, everything - with the disclaimer that "You'd better not use us to get to any sites unless you've got a really hardened workstation and you're willing to assume all the risks"?

    There have been times when I could have used such a thing; I'm wondering if the same is true for anyone else.

  2. give 'em a break by v1 · · Score: 4, Insightful

    To be fair, the article says that Google shut down the ad when notified of it; and no other examples of linked malware are offered. Was this a one-time oversight?

    Given the amount of business Google gets, how can you possibly consider one instance anything but an oversight?

    This is NOT "stuff that matters"

    News flash! Local traffic cop overlooks jaywalker. Corruption, or honest mistake, you decide!

    --
    I work for the Department of Redundancy Department.
    1. Re:give 'em a break by Joce640k · · Score: 4, Insightful

      You can't expect them to check every single link on every single page in real time.

      I could easily set up a page that waits for a visit from the google page-checker then modifies itself to contain bad stuff. That would give me a window of attack.

      --
      No sig today...
    2. Re:give 'em a break by jorghis · · Score: 4, Insightful

      You guys are missing the point. It's not a matter of humans checking each link and making an oversight. It's a matter of Google accepting ads from sites that its magical filtering system knows for a fact are spam sites/link farms/malware etc. If they didn't accept ads from sites that their database knows to be not so great websites then there wouldn't be any oversight. Computers don't make oversights so the only way this could have happened is if Google decided to apply a different standard for filtering their advertisers than they do to regular webpages.

  3. Re:Notify the end users by larry+bagina · · Score: 5, Insightful

    That might violate the google/website contract. However, that's not the issue here. Google is running ads with links to malware sites, not ads on the malware sites (though they probably do that too).

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  4. Re:Responsibility by Sir_Dill · · Score: 5, Insightful

    If you bothered to RTFA you would have found out that the authors were only able to cite one example for which Google "ponied up" by removing the offending ad as soon as they were notified. Hell if you bothered to read the summary you would have seen that.

    That doesn't sound like a blind eye.

    Quit trolling

    Furthermore it's a fine line between due diligence and big brother. Especially in today's internet climate. I am not surprised that the group doing the adwords doesn't know enough about the group doing the filtering to be able to filter automatically. It's very easy to say Google should know what Google is doing but we all know that interdepartmental communications in large companies sometimes don't work all that well.

    It would be interesting if the bloggers that posted this "poke the big guy piece" had more than just this one incident. It would also be interesting to know how many other sites have been removed. If this was the first and they are now going to be crosschecking, then it shouldn't happen again.

  5. What Google should really be responsible for... by Moryath · · Score: 5, Informative

    Google should really be responsible for testing its own links and purging/fixing the latest scam, "referrer redirect" hijacks.

    It's a form of attack wherein a hijacked website works correctly... as long as your Referrer string doesn't include certain key words ("Google", "Yahoo", "MSN", etc). The trick being, the website won't know they have been hacked because if they get a notice saying they have, then test their own homepage directly, it still works. If you have a referrer, you get redirected to a drive-by download page (for something like "Windows Antivirus 2009" or similar).

    Why is this insidious? Because it gets around a lot of the "known registry", "anti-phishing" plugins.

    Google served up the link; they should have a responsibility to do a periodic check that the links they serve aren't going to a bad place, and inform the victim if they've been referrer-redirect hijacked.

    1. Re:What Google should really be responsible for... by zacronos · · Score: 4, Interesting

      Google served up the link; they should have a responsibility to do a periodic check that the links they serve aren't going to a bad place, and inform the victim if they've been referrer-redirect hijacked.

      That's easier said than done. Here are some reasons:

      • The page was almost certainly clean when the ad was set up.
      • What if they use a database of known ip addresses (such as those available for free for PeerGuardian) to attempt to avoid attacking a Google ip address, rather than looking at the referrer?
      • Many of the redirects are much more sophisticated today -- they don't do a server-side redirect request, they send some javascript to make the browser do a client-side redirect. That makes things difficult because now your spider must include a javascript interpreter.
      • What if there's a 10-second delay before the redirect? If your spider leaves the site too soon, it'll never know. In contrast, many users would likely still be on the page after 10 seconds.
      • What if the attack is only initiated as a result of some particular sort of user interaction, like a click on the page (similar to much of today's popup code)? How do you reliably test for all possible variations on that?
      • How often do you test the links? Once a day? That'll take a lot of resources for someone as big as google. Once a week? On average that means a site will have 3-4 days in the wild before they even get checked, and that frequency still might take a lot of resources.
      • What if, even after all that, the page only attempts to attack one out of every ten opportunities? Even if you check the link periodically, and are able to duplicate the circumstances necessary to trigger the attack, you may not catch the attempt until you've tested the page several times. At once a week checking each link, that would mean on average a month or more in the wild.
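
The referrer-redirect check discussed in comment 5 and its reply, written from the site owner's side, as an added example that is not part of the original thread: it compares a direct visit with a visit carrying a search-engine Referer and reports off-site redirects, server-side or client-side, that appear only in the second. The function names, the `.example` hosts and the sample responses are constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Server-side 3xx is read from the status line; these patterns catch the
# client-side variants (meta refresh, script assignment to location).
CLIENT_REDIRECT = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh[^>]*url=([^"'>\s]+)"""
    r"""|location(?:\.href)?\s*=\s*["']([^"']+)""", re.I)

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as HTTPError instead of following it

def fetch(url, referer=None, timeout=10):
    """Live helper: return (status, Location, body) for one request."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.build_opener(NoFollow).open(req, timeout=timeout) as r:
            return r.status, None, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), ""

def redirect_targets(status, location, body):
    """Every destination this response would send a browser to."""
    found = {location} if 300 <= status < 400 and location else set()
    for m in CLIENT_REDIRECT.finditer(body):
        found.add(m.group(1) or m.group(2))
    return found

def referer_only_redirects(url, responses):
    """responses maps Referer (None = direct visit) -> (status, location, body).
    Returns {referer: off-site targets absent from the direct visit}."""
    site = urlparse(url).hostname
    baseline = redirect_targets(*responses[None])
    findings = {}
    for referer, resp in responses.items():
        extra = {t for t in redirect_targets(*resp) - baseline
                 if urlparse(t).hostname not in (None, site)}
        if referer is not None and extra:
            findings[referer] = extra
    return findings

# Constructed sample: what a hijacked page might return for the two visits.
SAMPLE = {
    None: (200, None, "<html><body>Welcome</body></html>"),
    "https://www.google.com/search?q=shop": (
        200, None, '<script>window.location="http://av-scan.example/setup"</script>'),
}
```

For a live check, build `responses` by calling `fetch(url, referer)` once per Referer value. A static comparison like this does not see the delayed, interaction-triggered, IP-keyed or one-in-ten variants listed in the reply above.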