Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Virus Writers Target Google's Sponsored Links

Posted by samzenpus on Wed Apr 25, 2007 06:36 PM
from the snake-in-the-grass dept.
Security Businesses Google The Internet
An anonymous reader writes "It looks like the bad guys are gaming Google's sponsored links to spread their junk to people who click on the ads with unpatched versions of Internet Explorer. Attackers apparently bought the rights to several high profile search terms, including searches that would return results for the Better Business Bureau, among others. The story notes this was bound to happen, given the way Google structures sponsored links: "The bad guys behind the attack appeared to capitalize on an odd feature of Google's sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.""
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Virus Writers Target Google's Sponsored Links 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • That's what you get for using IE.

  • In No Way Is This A Virus (Score:5, Informative)

    by QuantumG (50515) <qg@biodome.org> on Wednesday April 25 2007, @06:43PM (#18878363) Homepage Journal
    I really wish people would put even a bit of effort into using the term correctly.

    Hell, this isn't even a Worm! It's just exploiting a browser bug to steal passwords.

    Yawn.

    Don't use Internet Explorer.

  • Screen? (Score:5, Interesting)

    by HomelessInLaJolla (1026842) * <lajollahomeless@hotmail.com> on Wednesday April 25 2007, @06:43PM (#18878369) Journal
    How are the google ad links created? Is there someone circulating a suite of templates or do companies which buy the ads simply provide a URL with which to link to?

    What's the procedure for selecting which particular ad a user will see? I imagine it's a little more complex than a completely random selection from one massive repository.

    Isn't there a way for Google to virus scan the ads before they're added to the potential pool and, if so, shouldn't there be a way for punishing advertisers who swap out a clean ad with a virus/malware laden one at a later date? Or is this a case of some malicious organizations actually hacking Google code?

    There's a datestamp on nearly everything and I'm sure someone has network activity records someplace.

    • Re: (Score:3, Informative)

      by CannonballHead (842625)

      How are the google ad links created? Is there someone circulating a suite of templates or do companies which buy the ads simply provide a URL with which to link to?

      In my experience with AdWords, there are four lines of text to fill, and one URL. The first one is the "title" and is linked to a url you provide. The next two lines are just text. The last line is supposed to be part of the url, or something related to it in some way... but you can have "hello.org" displayed but actually link to "hello.org/

    • You're missing the point... it's just a link to another site that someone has paid to have appear in google's search results for certain terms. Google simply needs a more robust system of checking the validity of ad links.

    • Re: (Score:3, Interesting)

      by lintux (125434)
      > Isn't there a way for Google to virus scan the ads before they're added to the potential pool and, if so, shouldn't there be a way for punishing advertisers who swap out a clean ad with a virus/malware laden one at a later date?

      Definitely. But the problem here is that the malicious person can change the contents of the website any time he/she wants. When placing the ad, put something normal there. Once the ad is live, put your malware there. After a few hours the ad will probably be dead ... but I'm af
    • I guess this gives a whole new meaning to "I'm Feeling Lucky".

  • Who bought the ads? (Score:4, Insightful)

    by AlHunt (982887) on Wednesday April 25 2007, @06:45PM (#18878391) Homepage Journal
    Wouldn't it be easy for Google to track the virus writers by who paid for the search terms?

    • Re: (Score:3, Interesting)

      by Strange Ranger (454494)
      Well...

      1st - it's not a virus, it's a browser exploit.

      2nd - what's the point of tracking somebody down in Nigeria or Kazakhstan?

      and more importantly

      3rd - One would expect Google to police their sponsored links a tad bit better than slashdot polices their article submissions.
      At least have a prominent easy-to-use Bad Guy reporting tool. The first thing that comes to mind - a little link like the cached link under each sponsored add might do the trick.

      • One would expect Google to police their sponsored links a tad bit better than slashdot polices their article submissions.
        At least have a prominent easy-to-use Bad Guy reporting tool. The first thing that comes to mind - a little link like the cached link under each sponsored add might do the trick.

        Why would google need to police their sponsored links? The worst that could be done to an unwilling mark is to pop up goatse, but that wouldn't make them much money.

        If you choose to use a known insecure browser, the results are entirely your responsibility. You may as well be chastising the highway patrol for not checking everyone's break lines.

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        "3. One would expect Google to police their sponsored links a tad bit better than slashdot polices their article submissions. At least have a prominent easy-to-use Bad Guy reporting tool. The first thing that comes to mind - a little link like the cached link under each sponsored add might do the trick."

        I noticed the other day that one of my search results included a note about a particular link being potentially "unsafe" -- presumably because there were signs that the content at the other end contained ex
    • In all likelihood they're being paid for with stolen credit cards. You'd do just as well to track down whoever is hosting the site, but then, the site is likely hacked and/or paid for with a stolen credit card.

      I'd love to believe that the FBI is out there tracking down anybody dumb enough to pay for these with their own money, or at least tying this crime to somebody whom they catch in possession of the stolen credit cards. I'm also pretty sure that the reason my boss wants to talk to me privately in his

    • Thats a great idea (Score:4, Funny)

      by patio11 (857072) on Wednesday April 25 2007, @08:07PM (#18879255)
      They should send a SWAT team to bust down the door of a guy who steals identities for a living. No POSSIBLE downside there.

  • copy link location, paste into text editor (Score:5, Informative)

    by fyoder (857358) on Wednesday April 25 2007, @06:46PM (#18878399) Homepage Journal

    right click on ad, copy link location, paste into a text editor

    http://pagead2.googlesyndication.com/pagead/iclk?s a=l&ai=BW4xM7-YvRqmJJaLImQTP6dXxApyVrB3A-Je9AsCNtw Gw4y0QAhgCILv-mQYoAjAAOABQ7aSR7P7_____AWD9mPuAzAOY AdO60RCyASJvZmludGVyZXN0LmJpbmFyeS1lbnZpcm9ubWVudH MuY29tugEJNDY4eDYwX2FzyAEB2gEqaHR0cDovL29maW50ZXJl c3QuYmluYXJ5LWVudmlyb25tZW50cy5jb20vqQKZ6jUcO-etPs gCnM3vAagDAcgDBw&num=2&ggladgrp=326118280&gglcreat =574052020&adurl=http://www.apple.com/ca/getamac/a ds/index.html%3Fcid%3DWWW-AMCA-GETAMACK060307-GROB 1&client=ca-pub-0841007318749811&nm=4

    look for: adurl=http://whatever

    Handy for finding ad urls when you don't want to click on them because they're on your own site because clicking on your own ads is against google's terms. Bit of a pain, but the information is in there if you want to dig it out.

  • NoScript helps (Score:5, Insightful)

    by bill_mcgonigle (4333) * on Wednesday April 25 2007, @06:52PM (#18878469) Homepage Journal
    Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.

    Google is doing something bad here - disabling a browser security feature with JavaScript (why? - that was fashionable a decade ago...). Firefox users can install NoScript [noscript.net] to prevent this kind of chicanery. I'm surprised Firefox doesn't have a preference to disable allowing JavaScript to do this in the first place.

    (yes, that was a taunt for somebody to post the little-known about:config preference to disable this mis-feature)
    • The links appear just fine in Opera, with no need for plug-ins or to disable JavaScript.

    • Re: (Score:3, Informative)

      by Qzukk (229616)
      (yes, that was a taunt for somebody to post the little-known about:config preference to disable this mis-feature)

      In SeaMonkey, it's:

      dom.disable_window_open_feature.status true keeps new windows from being opened without the status bar
      dom.disable_window_status_change true keeps the current window statusbar from being changed.

      The latter is available under prefs - advaned - scripts and plugins.

    • Re: (Score:3, Informative)

      by Strange Ranger (454494)
      I'm surprised Firefox doesn't have a preference to disable allowing JavaScript to do this in the first place.

      It does:

      Tools|Options| Click the Advanced button that is next to the checked box to enable JavaScript| Uncheck the box to Allow JavaScript to Change status bar text.

      • Re: (Score:3, Interesting)

        by bill_mcgonigle (4333) *

        It does:

        Tools|Options| Click the Advanced button that is next to the checked box to enable JavaScript| Uncheck the box to Allow JavaScript to Change status bar text.

        Very interesting - on mine it's under Preferences, Content, Javascript, Advanced, but disallowing it there doesn't stop Google. Perhaps my NoScript permit rule is preempting Firefox's.

      • Re: (Score:3, Informative)

        by Kalriath (849904)
        Internet Explorer has a similar one:

        Tools > Internet Options > Security > Custom Level > (Scroll down to) Scripting > Allow status bar updates via script.

        (Im out of breath after quoting THAT maze)
    • Why would Google block the most obvious auditing tool for users to at least have some idea of where a click is taking them?

      Why would Gmail make no effort to identify where a sent e-mail is received from (no X-Originating-IP or HTTP received from)?

      Why would Google (probably) put a whole bunch of referential material [slashdot.org], potentially at odds with common personal privacy policies, in web ad links?

      Inquiring minds...

    • Re: (Score:3, Informative)

      by damium (615833)

      It doesn't help to deny changing the status bar text. The way google manages this is by rewriting the link on a mousedown event. So, it starts out going to the proper place, but when you click or right-click it is re-written to go to the redirect link. Ad links are a bit different in that the container of the ad prevents the status bar from changing by overwriting the normal mouseover event.

      Check out any search link on Google. Mouse over. See the text? Now right click on the link. See the new redirection

  • Internet Explorer has always been insecure. Anyone who uses it accepts that their system is essential public property.
  • How long until someone makes an ad that buffer overflows IE. There are probably many out there, but it could be an actual internet attack if it also used Google's ad service.

  • Well sorry to say (Score:5, Interesting)

    by Ilgaz (86384) * on Wednesday April 25 2007, @07:18PM (#18878807) Homepage
    Google had this coming for a long time. I know it will make some people mad but that "thing" they call Adwords must immediately change. They pay users like Amazon for filtering or do some advanced Ajax tricks, it is their choice.

    I am actually seeing spyware/grayware vendors advertising on Adwords and I am using Safari OSX, I am not at their target audience even. I can't imagine stuff actual target audience (IE users) get. These are the very same people who claims random rivals products "badware" just because poor thing tried to check for updates.

    They recently banned site of Jim Mitchell, a well known/popular OS X support engineer/developers page claiming he is playing some games with their advertising platform, polite way of saying guy is thief. It turns out, there are spammers featuring copies of popular blogs making money from them.

    http://jimmitchell.org/2007/03/08/is-google-adsens e-really-fair/ [jimmitchell.org]

    I go nuts when my frequently used tiny usenet group is spammed by spammers using Google groups with Google Mail (verified,real) address, when I head to pirate site to report them, I notice their one and only income is? Google Ads!

    So now actual Virus linked? Not big deal at all. Hope it would make them THINK and learn from a company thinking they can do anything and it won't harm them in 1990s.

    One last thing, if you are on a secure platform, go check http://zlashdot.org/ [zlashdot.org] , yes "Typosquatting", lowest form of online mafia. See the search bar on top? See the advertising provider? End of discussion :)

  • It's not the browser, it's at Google's end. (Score:5, Informative)

    by Animats (122034) on Wednesday April 25 2007, @07:29PM (#18878921) Homepage

    It's worse than that. The URL Google displays for the link is, of course, not the actual link; the actual link goes to Google so they can log the click-through. But the link to Google may in fact cause redirection to a completely different third-party domain, usually some ad broker who is doing arbitrage on the click-through.

    Here's an example, obtained by searching Google for "mortgage rates". This is a direct Google result from Google's home page.

    <font size=+0>
    <a id=an4 href=/url?sa=L&ai=BMHn-CuwvRs7QLpOYgQO0vMmWBoO9jRX zgpWxAvvb3gfg3X0QBBgHKAg4AFDj9Mzv_v____8BYMn2-IbIo 6AZyAEByAL77xXZAw3PC8TgQncC&num=7&ggladgrp=2585635 35&gglcreat=543052995&q=http://pixel-user-1042.eve resttech.net/1042/rq/3/543052995_mortgage%2520rate s_s/url%3Dhttp%253A//www.lendingtree.com/stm3/offe rs/marketpromov34.asp%253Fpromo%253D00224%2526loan _type%253D1%2526esourceid%253D835910%2526source%25 3D835910%2526EF%253D1%2526partner%253DGoogle%25268 00num%253D800-460-8109%2526adtype%253D1&usg=AFrqEz f58V3yFBM0ywyFkKryLzAMqmIWRQ><b>Mortgage</b> Rate Offers</a>
    </font><br>
    $400,000 for Only $1,334/Month!<br>
    Refinance Now, Offers in Minutes.<br>
    <span class=a>www.LendingTree.com</span><br>
    <br>

    Note that field coded into the URL on the A tag: q="http://pixel-user-1042.everesttech.net". That's where Google is going to send you. Not to Lending Tree, but to EverestTech.net. Who's "Everesttech.net [everesttech.net]? An ad broker, or as they put it, "the leader in Search Engine Marketing".

    This creates a new attack vector. The Google ad often shows the name of some well-known business, but actually takes you to some place you never heard of. That gives the third party an opportunity to try browser-based attacks.

    This isn't just theoretical; it's in the wild. See this article on Webmaster World: " I just had my AdWords account hacked and it seems campaigns were setup with redirects pointing to places like orbitz.com and business.com that try to install some activex remote desktop program." [webmasterworld.com]

    It's not clear how to deal with this. The example above is from Google's main site, not "adwords.google.com".

    • Re:It's not the browser, it's at Google's end. (Score:5, Informative)

      by Animats (122034) on Wednesday April 25 2007, @07:56PM (#18879167) Homepage

      There's more. Definitely read the blog section at Webmaster World linked above [webmasterworld.com], which is being updated rapidly. Apparently it really is a virus. "It spreads by installing the activex on the computer that clicks the ad and looking to see if the infected host uses adwords, then does the same to their account." The pay per click people are panicking, because they're billed by Google for the ads. "The daily budget was increased to a number that would have produced a 7 figure Monthly payout." The details of exactly how this all works are still sketchy, though. Here's an early technical analysis. [blogspot.com]

      It just hit the mainstream press, in the Washington Post [washingtonpost.com]

      • Re: (Score:2, Interesting)

        by cottagetrees (1093331)
        No, what the Washington Post was reporting wasn't a virus. It was an exploit that attempted to install a driveby downloaded keylogger. What you're seeing at Webmaster World is interesting, but probably unrelated.
  • Approximately concurrently with this, some Adwords advertisers have discovered that their accounts have been hijacked using a similar technique. Ads that they did not write were added.

    Oddly, in at least one case the hijacker added their OWN credit card information to the account to pay for the ads! (Perhaps to try to avoid detection when the advertiser's credit card bill arrives.)

    There are some first-person accounts by advertisers at WebmasterWorld:

    http://www.webmasterworld.com/google_adwords/33200 21.htm#m [webmasterworld.com]
  • Now Google is going to jack up their search price to compensate for all the people that won't click on their ads... what are we thinking here... $2 per search? Maybe they'll do a bargain deal. $10/day of unlimited searching?
  • to boycott and block google, doublecrook and any related sites.
    Smoothwall + adzapper = happy days!

    I disallow anything related to google on my lan.
    No machine on my lan can access anything that google owns, operates, controls, manipulates, etc..

    Google = EVIL..

  • Browser toolbars like AdBlock and other security tools probably now need to filter AdWords. Something like this would work:

    • When a link to a Google AdWords site is found in an HTML "a" tag, extract the "q" and "adurl" fields from the URL. Extract the base domain (i.e. www.example.com => example.com) from whichever of those fields is present.
    • Extract the text within the A tag. Strip blanks and convert to lower case. Extract the base domain from that.
    • If they don't match, the ad doesn't go where it

      • That's going to be a problem. Now that there's an attack which works through redirects, the ad-tracking industry may have to stop using them, or Google may have to limit them to "trusted third parties". (DoubleClick?) Probably wouldn't bother Google if they had to enforce that rule for security reasons.

        Right now, Google seems to claim [google.com] that the destination URL and landing URL should be the same, so AdWords users can't really complain if they start enforcing that rule.

        It's useful to examine those redir

  • Doesn't this make the virus writers pay? (Score:4, Insightful)

    by tlhIngan (30335) <slashdot&worf,net> on Wednesday April 25 2007, @11:12PM (#18880475)
    Maybe I'm missing something here, but it seems that if these virus/worm/malware writers are buying Google Ads, then they're paying for the links.

    Shouldn't it be possible then to do these searches, find out which ones lead to the virus, and just click from a safe browser? Surely it's possible to cost these people tons of money (to pay Google), and no returns (because no one gets infected)? Or at the very least, we'll end up hitting their click limit and their ads don't show anymore.

    If it happens to be a hacked Google account, well, then maybe the owners will secure their site better (a third party hacked site distributing malware is just as bad)? At least it will get them off the rotation earlier so maybe they'd get a clue why their account needs money but there's no follow-through.
  • So people who are newbiesque enough to run old versions of IE are likely to look at the status bar and mentally parse the URL before clicking on a link?

    -b
  • And here I was thinking that the fact that a tiny bit of javascript can put anything you want into the status bar when you hover over a link were common knowledge, and has been for at least 10 years.

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Well, not being able to click on them isn't really the problem. Adsense ads rely on JS to be displayed in the first place. I'm not sure about the sponsored links, though. I doubt that those rely on any JS to be displayed, or even to be clicked on... just redirects for counting purposes.
    • > Who wants to bet that you can't click on a google Ad-Sense link w/o javascript turned on.

      Well, yes, you won't see the link without Javascript enabled for the website displaying the ads. But if you use Firefox + NoScript, you can have Javascript enabled only for that website, so you can click on the link (relatively) safely.

      I do it all the time when I see an interesting ad from trusted websites, in order to generate a little income for them. I'd say >95% of the pages I arrive at don't work properly s

    • Re:Better Business Bureau (Score:4, Insightful)

      by martinX (672498) on Wednesday April 25 2007, @07:55PM (#18879153)
      Perhaps pr0n seekers, as a group, are more net savvy these days precisely because so much has been targeted at them. The new set of n00bs are the ones looking for the Better Business Bureau etc. Just a guess.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.