Google AdSense Click Fraud Made Possible By Uncloaking Advertisers' Sites

← Back to Stories (view on slashdot.org)

Google AdSense Click Fraud Made Possible By Uncloaking Advertisers' Sites

Posted by samzenpus on Monday September 28, 2015 @09:15AM from the protect-ya-neck dept.

An anonymous reader writes: A Spanish researcher claims to have uncovered a vulnerability in the security procedures of Google's AdSense program which would allow a third party to manipulate clicks on Google's syndicated ad service by 'de-cloaking' the obfuscated advertiser URLs that Google AdSense placements provide as links. He has also provided downloadable PHP files to show the exploit in action.

50 comments

Min score:

Reason:

Sort:

Java != javascript by agm · 2015-09-28 09:27 · Score: 4, Interesting

The document mentioned in the summary repeatedly uses the term "Java" when they mean "javascript". That's such a rookie mistake that it's difficult to take anything else they say seriously.
1. Re:Java != javascript by JustAnotherOldGuy · 2015-09-28 09:34 · Score: 2
  
  The document mentioned in the summary repeatedly uses the term "Java" when they mean "javascript". That's such a rookie mistake that it's difficult to take anything else they say seriously.
  Yeah, mixing up "java" and "javascript" is kind of a conversation-stopper as far as I'm concerned. It makes my Credibility-O-Meter drop into the negative numbers.
  What he's outlined may well be true, but damn, that's is the kind of mistake that makes you wince.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
2. Re:Java != javascript by Jack9 · 2015-09-28 09:35 · Score: 1
  
  I think Java is being used correctly (in the PDF/paper http://arxiv.org/pdf/1509.0774... ) and the article linked, does not confuse the terms.
  
  --
  
  Often wrong but never in doubt.
  I am Jack9.
  Everyone knows me.
3. Re:Java != javascript by Anonymous Coward · 2015-09-28 09:46 · Score: 2, Informative
  
  It's absolutely not. Look at Figure 1 of the PDF you linked. They show JavaScript code (that is clearly identified as such for someone who doesn't even know what it is), but call it Java code. They even go on to call JavaScript files Java files. These are two totally different things. I didn't bother reading any more, but I am sure this is consistently wrong throughout the paper.
4. Re:Java != javascript by Anonymous Coward · 2015-09-28 09:48 · Score: 2, Insightful
  
  Meh... half the people on this site still use the term "hacker" over "cracker."
5. Re:Java != javascript by Anonymous Coward · 2015-09-28 09:53 · Score: 0
  
  Umm, what are you reading? I see "Figure 1. Java code in Google AdSense" clearly showing javascript code, I see "The java file “show_ads.js”..." when ".js" is the extension for javascript, and so on. Pretty clear errors.
6. Re:Java != javascript by Xenx · 2015-09-28 10:13 · Score: 2
  
  that's is the kind of mistake that makes you wince.
  I don't know if I should laugh or wince at that mistake.
7. Re:Java != javascript by Anonymous Coward · 2015-09-28 10:33 · Score: 0
  
  Back to your basement, grandad. Nobody uses "cracker" in that sense anymore, get over it.
8. Re:Java != javascript by Anonymous Coward · 2015-09-28 10:40 · Score: 0
  
  It's Ecmascript you pedantic clod!
9. Re:Java != javascript by phantomfive · 2015-09-28 10:51 · Score: 1
  
  Nobody uses "cracker" in that sense anymore, get over it.
  Yeah, kind of a weird thing, right?
  We have hack-a-day, hacker-space, life-hacker, all kinds of things where the MIT meaning of the word "hacker" has entered into the mainstream.
  And yet the word "hacker" as a malicious attacker is also perfectly viable in mainstream.
  
  Thus we have a word that is both extremely negative and fairly positive, and yet collisions are rare. People always seem to be able to figure out what is meant.
  
  --
  "First they came for the slanderers and i said nothing."
10. Re:Java != javascript by Anonymous Coward · 2015-09-28 11:54 · Score: 0
  
  Actually, they switch back and forth with the usage changing depending on the section and page. That confuses me even more as there is only one author listed. This means there are either uncredited authors or he didn't care to check for technical mistakes after translating or proofing.
11. Re:Java != javascript by Bing+Tsher+E · 2015-09-28 14:56 · Score: 1
  
  Well, 'people on the inside' easily figure out what is meant. The regular folks just back slowly out of the room. That's appealing for people 'on the inside' who want to remain an elite.
12. Re:Java != javascript by kelemvor4 · 2015-09-28 15:02 · Score: 1
  
  I think Java is being used correctly (in the PDF/paper http://arxiv.org/pdf/1509.0774... ) and the article linked, does not confuse the terms.
  You're mistaken. They include the source. It's definitely javascript despite the article referencing it as a "Google Java Applet". Maybe he wrote the article in Yahoo Go on his Microsoft iPad.
13. Re:Java != javascript by Jack9 · 2015-09-28 16:05 · Score: 1
  
  I am mistaken. Apologies.
  
  --
  
  Often wrong but never in doubt.
  I am Jack9.
  Everyone knows me.
14. Re:Java != javascript by hairyfeet · 2015-09-28 19:24 · Score: 1
  
  Uhhh the guy IS Spanish, isn't it possible its simply a translation error or due to the fact English isn't his native tongue?
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
15. Re:Java != javascript by Fnord666 · 2015-09-28 23:44 · Score: 1
  
  I think Java is being used correctly (in the PDF/paper
  Maybe this brief quote will clear things up:
  
  The java file "show_ads.js" embeds the ads in the target website HTML code once it has been completely loaded in the browser.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
oh no by Anonymous Coward · 2015-09-28 09:29 · Score: 1

OH NO! NOT... PHP FILES?!?!?! What will we do?!?!?! Gaah, php files.....
1. Re:oh no by rudy_wayne · 2015-09-28 13:14 · Score: 1
  
  Except the link that says "downloadable PHP files" takes you to a PDF.
2. Re:oh no by Fnord666 · 2015-09-28 14:29 · Score: 1
  
  Except the link that says "downloadable PHP files" takes you to a PDF.
  Here is a link to the source code mentioned.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Unbelievable by JustAnotherOldGuy · 2015-09-28 09:31 · Score: 1

There are ways to defraud The Google? That's unpossible!

--
Just cruising through this digital world at 33 1/3 rpm...
1. Re:Unbelievable by Drakona4 · 2015-09-28 09:52 · Score: 1
  
  Sarcasm?
2. Re:Unbelievable by JustAnotherOldGuy · 2015-09-28 09:55 · Score: 1
  
  Sarcasm?
  Heaven forbid, lol.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
Jumping on the PHP hating bandwagon real quick... by Anonymous Coward · 2015-09-28 10:40 · Score: 0

"I can't think of a more appropriate language to demonstrate an exploit or vulnerability than PHP."
Re:Advertisers defraud users #1/2 by Anonymous Coward · 2015-09-28 13:19 · Score: 0

ads not only INFECT US, but STEAL BANDWIDTH & SPEED WE PAY FOR MONTHLY+ track us too
No kidding. This is why I use the uBlock and Ghostery browser extensions for Firefox. They block ads from known advertising servers, including straight IP addresses which a hosts file cannot do. Plus they block ads from unknown advertising servers by using regular expression pattern matching on URLs and DOM element names, both things that a hosts file cannot do.
Security Through Obscurity by Fnord666 · 2015-09-28 23:59 · Score: 1

This is just another example of how security through obscurity will never work. At the end of the day the client browser ends up with a URL for the user to click on to view the ad. No amount of obfuscation or iframe shell games can change this fact. Game over.

--
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Advertisers defraud users #1/2 by Anonymous Coward · 2015-09-29 00:07 · Score: 0

Here's a SMALL partial only sample of OpenBid/realtime bidding & other ad networks malware makers have taken advantage of to infect you with:
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.wired.com/techbiz/m...
http://news.cnet.com/8301-1023...
http://www.itworld.com/securit...
http://nakedsecurity.sophos.co...
http://www.zdnet.com/ad-exec-o...
http://search.slashdot.org/sto...
http://nakedsecurity.sophos.co...
http://www.securityweek.com/ea...
http://yro.slashdot.org/story/...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
* REPOSTING A 3rd time VS. ABUSED DOWNMODS ON THIS SAME POST here http://tech.slashdot.org/comme... AND here http://tech.slashdot.org/comme...
APK
P.S.=> See subject & those links (+ ads not only INFECT US, but STEAL BANDWIDTH & SPEED WE PAY FOR MONTHLY+ track us too)
... apk
Advertisers defraud users #2/2 by Anonymous Coward · 2015-09-29 00:11 · Score: 0

Here's yet another SMALL partial only sample of OpenBid/realtime bidding & other ad networks malware makers have taken advantage of to infect you with:
http://it.slashdot.org/story/1...
http://it.slashdot.org/story/1...
http://www.theregister.co.uk/2...
http://it.slashdot.org/story/0...
http://it.slashdot.org/story/0...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
* REPOSTING A 3rd time VS. ABUSED DOWNMODS ON THIS SAME POST here http://tech.slashdot.org/comme... AND here http://tech.slashdot.org/comme...
APK
P.S.=> See subject & those links (+ ads not only INFECT US, but STEAL BANDWIDTH & SPEED WE PAY FOR MONTHLY+ track us too)
... apk
That's the MAIN reason I built this by Anonymous Coward · 2015-09-29 00:18 · Score: 0

See subject & APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...
FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community - using something you already have vs. "bolting on browser addons 'MOAR' that's usermode slower & increases messagepassing, cpu + ram overuse overheads & actually SPEEDS YOU UP 2 ways (adblocking + locally cached in RAM favorites placed @ the TOP of hosts for fastest resolution speed), whereas by way of comparison, other "so-called security 'solutions'" SLOW YOU DOWN!
* :)
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
&
It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
---
"The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...
APK
P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:
PERTINENT QUOTE/EXCERPT:
"The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!
(Accept NO substitutes!)
...apk
That's the MAIN reason I built this by Anonymous Coward · 2015-09-29 00:20 · Score: 0

See subject & APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...
FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community - using something you already have vs. "bolting on browser addons 'MOAR' that's usermode slower & increases messagepassing, cpu + ram overuse overheads & actually SPEEDS YOU UP 2 ways (adblocking + locally cached in RAM favorites placed @ the TOP of hosts for fastest resolution speed), whereas by way of comparison, other "so-called security 'solutions'" SLOW YOU DOWN!
* :)
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
&
It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
---
"The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...
APK
P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:
PERTINENT QUOTE/EXCERPT:
"The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!
(Accept NO substitutes!)
...apk
UBlock & Ghostery don't do as much by Anonymous Coward · 2015-09-29 00:26 · Score: 0

See subject: & they use more resources + are slower (usermode vs. hosts in kernelmode + regular expressions engines ARE SLOW w/ massive overheads too...).
Firewalls do IP addresses!
So I supplement hosts that way merely USING WHAT I ALREADY HAVE NATIVELY BUILT-IN vs. "bolting on 'MoAr'" & especially a MASSIVELY INFERIOR more in browser addons...
* :)
(In fact, next? I'll post what I always do regarding BOTH of them that lists EXACTLY how much more hosts do vs. them both & any other bullshit browser addon (sold-out to advertisers no less)).
APK
P.S.=> REPOSTING vs. ABUSED DOWNMODS on this same post here http://tech.slashdot.org/comme...
... apk
Ublock = inferior & inefficient vs. hosts by Anonymous Coward · 2015-09-29 00:28 · Score: 0

Can ublock do 16 things hosts do for speed, security, & reliability:
1.) Protect vs. malicious sites (past ads)
2.) Protect vs. fastflux botnets + stop C&C communique
3.) Protect vs. dyndns botnets + stop C&C communique
4.) Protect vs. DGA botnets + stop C&C communique
5.) Protect vs. downed DNS (4 reliability)
6.) Protect vs. redirect poisoned dns
7.) Protect vs. trackers
8.) Protect vs. spam
9.) Protect vs. phishing
10.) Protect vs. caps
11.) Get you by dns blocking
12.) Keep you off dns request logs
13.) Speed up surfing by adblocks & hardcoded favs
14.) Work on anything webbound (ie email programs) multiplatform.
15.) Give you easily controlled data
16.) Do those & block ads better than addons more efficiently in cpu + memory use
* ANSWER ="NO" to each on UBlock doing it as well or @ all!
APK
P.S.=> UBlock does less than hosts & less efficiently - hosts do MORE w/ less + Hosts start w/ the IP stack before REDUNDANT inefficient addons BEGIN to operate (as 1st resolver queried):
Ublock's NOT as efficient:
Hosts @ 3mb-11mb w/ current data vs. threats + ads - test yourself using my program.
UBlock uses 63++ MB -> http://www.ghacks.net/2014/06/...
SCREENSHOT -> http://cdn.ghacks.net/wp-conte...
+
ClarityRay defeats it detecting it by dumping addons in use in a browser via native browser methods to do so!
+
UBlock adds complexity/room for breakdown/exploit + from a slower mode of operations (usermode = more messagepassing overheads vs. hosts in kernelmode).
What's better?
APK Hosts File Engine 9.0++ SR-2 32/64-bit -> http://start64.com/index.php?o...
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...
It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
... apk
Ghostery = 'souled-out' & inferior vs. hosts by Anonymous Coward · 2015-09-29 00:30 · Score: 0

Can ghostery do 16 things hosts do for speed, security, & reliability:
1.) Protect vs. malicious sites (past ads)
2.) Protect vs. fastflux botnets + stop communique to C&C servers
3.) Protect vs. dynamic dns botnets + stop communique to C&C servers
4.) Protect vs. DGA botnets + stop communique to C&C servers
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS redirect poisoned dns
7.) Protect vs. trackers
8.) Protect vs. spam
9.) Protect vs. phishing
10.) Protect vs. bandwidth caps
11.) Get you by a dns blocking
12.) Keep you off dns request logs
13.) Speed up surfing by adblocks & hardcoded fav. sites
14.) Work on anything webbound (e.g. stand-alone email programs) multiplatform.
15.) Give you easily controlled data
16.) Block ads more efficiently in cpu + memory use vs. addons
* ANSWER ="NO" to each on Ghostery doing all that let alone as well as hosts do!
APK
P.S.=> Addons do FAR less than hosts do & FAR less efficiently - hosts by way of comparison, do MORE w/ less + Hosts start w/ the IP stack before REDUNDANT inefficient addons BEGIN to operate (as 1st resolver queried):
Ghostery (Advertiser owned) - "Fox guards henhouse" -> http://en.wikipedia.org/wiki/G...
Addons add complexity/room for breakdown/exploit + from a slower mode of operations (usermode = more messagepassing overheads vs. hosts in kernelmode).
ClarityRay DETECTS browser addons like Ghostery & blocks them (not hosts) via native browser methods.
What's better than ghostery by FAR?
APK Hosts File Engine 9.0++ SR-2 32/64-bit -> http://start64.com/index.php?o...
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...
&
It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
... apk
Re:Advertisers defraud users #2/2 by Anonymous Coward · 2015-09-29 00:33 · Score: 0

Apk, advertisers n' webmasters are scared shitless of you so they minusmod your posts trying to hide them but they're so damn dumb they don't realize most here browse below the default -1 moderation threshold and we see them anyway.
Re:Advertisers defraud users #1/2 by Anonymous Coward · 2015-09-29 00:34 · Score: 0

Apk, advertisers n' webmasters are scared shitless of you so they minusmod your posts trying to hide them but they're so damn dumb they don't realize most here browse below the default -1 moderation threshold and we see them anyway!
Re:UBlock & Ghostery don't do as much by thoromyr · 2015-09-29 03:58 · Score: 1

dang. its a shame I don't have mod points. My rule is always to find posts to mod up, never mod down. But this drivel should be modded down.
go apk! fight the power! you are not alone! (well, yes, you are very very alone in that basement)
I show facts from reputable sources by Anonymous Coward · 2015-10-03 17:23 · Score: 0

See subject: I help everyone. I do so with truth. I don't live in a basement. You project you do.
* You don't merit modpoints so you get none.
APK
P.S.=> Either validly technically prove my points on hosts giving users more security, speed, reliability & even anonymity online, doing FAR more than ANY *SINGLE* browser addon there is, yet doing so for MUCH LESS in resources consumed @ the same time...
OR?
Go away - You're wasting everyone's time, including your own, trolling... apk