Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Google The Internet Businesses Security

Google Deletes Rogue Ads, Dangers Persist 63

An anonymous reader writes passed us a link to a PC World article about attempts by Google to curb malicious ads via their popular service. The article is somewhat bleak, though, because researchers see the fix as nothing more than temporary. "'Search engines are just too easy a target for bad guys,' says Roger Thompson of Exploit Security Labs. On April 25, Exploit Prevention Labs reported that malware distributors were using advertisements placed via Google's automated AdWords system to infect unsuspecting end-users with spyware designed to capture bank login user names and passwords."
This discussion has been archived. No new comments can be posted.

Google Deletes Rogue Ads, Dangers Persist

Comments Filter:
  • by Scott Lockwood ( 218839 ) * on Saturday April 28, 2007 @01:46PM (#18913153) Homepage Journal
    I'm amazed at what you can, and cannot do with the service. Just today, I found that you cannot remove an old bank account from adwords. Amazing. Even Paypal gets that right.
    • no it doesn't. (Score:3, Informative)

      by Anonymous Coward
      no it doesn't. I've deleted multiple bank and credit card numbers from my paypal account, and they have a way of magically re-appearing. It's freaky, and I really don't like it. I'm sure others have experienced this too...
      • Very odd. I've used paypal since it's inception, and I've never had that happen.
      • Yup. Me too. Took over four years (4!) for me to get just one account straightened out with Pay"pal". I'm not sure they ever did, actually. I stopped checking after the last time the vampire died because it bothered me too much to see the damn thing back at the old stand all the time.
  • by xintegerx ( 557455 ) on Saturday April 28, 2007 @02:00PM (#18913241) Homepage
    About 6 months ago, a web site showed an AdBrite "please click up top to continue" full page ad. Except, this wasn't a picture, but an actual web page.

    The ad itself looked like a blue, medical stock template with a nonsensical press release inside of it. It didn't look like an ad, but an unprofessional scam. Well, my antivirus went off either at that page, or when I clicked to investigate it. The home page itself consisted exactly of that same type of garbage.

    So, Google Ads are dangerous because they take you to web sites of hundreds of thousands third party web sites nobody heard of before. AdBrite sticks those pages right into the ad so you can be infected even without clicking on anything; and because of that, you're screwed even if you have an ad-blocker software, because those ads are pulled straight from the advertiser's web sites.
    • M$ Search is Worse. (Score:3, Informative)

      by Erris ( 531066 )

      Microsoft's search excels in spreading malware [theregister.co.uk]. How's that for cold water on this Google slam?

      • Great, so they both suck. I don't see how Microsoft sucking makes Google suck any less on this one.
      • Slam? (Score:1, Troll)

        by The Bungi ( 221687 )
        Hi twitter [slashdot.org].

        How's that for cold water on this Google slam?

        So reporting an issue is a "slam" now? That is, unless it's about "M$", right?

        "This is bad, but look over here, some more bad stuff and creative spelling!!"

        I bet you're a big fan of Faux News.

        • Slam and Advert (Score:4, Insightful)

          by Erris ( 531066 ) on Saturday April 28, 2007 @03:42PM (#18913811) Homepage Journal

          The Bungi Troll asks:

          So reporting an issue is a "slam" now?

          Yes, it's a slam if you only report half the issue. All of the search engines have this "problem" and M$ has it worse than others. The unmentioned root cause of the issue is a crappy browser and OS that's easy to exploit, yet somehow it's all Google's fault. That is a Google slam.

          This is par for the course in the Wintel press world. The article ends up being an advertisement for Site Advisor, which is just another Windoze band-aid. The reporter who wrote this article needed to do some more research. Because they did not, they ended up slamming Google.

          • The Bungi Troll

            http://slashdot.org/~twitter [slashdot.org]

            Yes, it's a slam if you only report half the issue.

            So that's a bit like talking about botnets and your desperate denial of the existence of Linux botnets with tens of thousands of machines?

            The unmentioned root cause of the issue is a crappy browser

            They don't have to "mention it", because the root cause is an unpatched crappy browser. Quite a different thing.

            • by bmo ( 77928 )
              "So that's a bit like talking about botnets and your desperate denial of the existence of Linux botnets with tens of thousands of machines?"

              Tens of thousands?

              I don't really know about that, but let's take that number at face value and compare that to what Vint Cerf has calculated: he figures that 1/4 of all Windows clients are bots.

              http://arstechnica.com/news.ars/post/20070125-8707 .html [arstechnica.com]

              That's 150 MILLION machines compared to your purported "tens of thousands". The Bible says something about removing a log
              • I think you're missing some context here. I would never try to argue as to the number of machines in botnets that belong to a particular OS. The vast majority of them are running Windows. This really goes back to an incident where "Erris" here (actually his other suckpuppet account) dared someone to provide proof that any "GNU/Linux" machine was in a botnet. Of course, he was given the proof, after which he curiously decided that he didn't want to participate in the discussion anymore. That's all.

                Having s

                • by bmo ( 77928 )
                  So let's just say that Vint Cerf is off by 50 percent in the wrong direction. So I'll pull a number out of my ass and say 1/8. That's still a ton.

                  "dared someone to provide proof that any "GNU/Linux" machine was in a botnet."

                  Well, that's just silly. If I want amusement, I'll put SSH back on 22 and watch the bots hit the logs.

                  "It's interesting no one else bothered to question that number."

                  That number is plausible to me. Most people are running around with expired AV and Anti-Spyware, which is _worse_ IMO
                • This really goes back to an incident where "Erris" here (actually his other suckpuppet account) dared someone to provide proof that any "GNU/Linux" machine was in a botnet.

                  You are putting words into my mouth or someone else's. From other comments you've made, I'd say you were doing it on purpose as part of your pathetic Microsoft defense.

                  The truth of the matter is very simple. GNU/Linux comes out of the box spyware and malware free and is easy to keep that way. Windoze comes loaded with spyware an

                  • Deny what, flocktard? [slashdot.org] That "Windoze" comes "preloaded with spyware"? Whoa, that's going to prove just damn hard.

                    I can't imagine why anyone would actually say that other than not nowing any better or being paid to spew retarded FUD about Microsoft.

                    • by Erris ( 531066 )

                      Deny what, flocktard? That "Windoze" comes "preloaded with spyware"? Whoa, that's going to prove just damn hard. I can't imagine why anyone would actually say that other than not nowing any better or being paid to spew retarded FUD about Microsoft.

                      I love how you losers get all angry when people say bad things about M$. What have they ever done for you?

                    • You are like a bad joke - conjured up and unleashed on teh interwebs to ensure that free software is ridiculed to no end.

                      And you smell funny.

                      Other than that, you are free to say all the "bad" things you want about "M$". Just don't be surprised when someone questions your FUD.

              • you run sshd on any port other than 22 ... Joe and Josephine User don't run services, or at least shouldn't. Gone are the days of Linux shipping with tons of services turned on by default - they must be configured and started by the owner.

                Off by default is a good policy but people should be encouraged to share and the ability to do so without being screwed is one of the biggest benefits of free software. OpenBSD's sftp is excellent and well implemented on GNU/Linux systems. It can only be brute force at

          • By that logic, a reporter discussing Darfur is engaging in a slam if they don't document prior abuses by other nations. Do you stand by your evaluation in that light?
    • Well, my antivirus went off either at that page, or when I clicked to investigate
      I've gotta say... if you didn't click to investigate it, you would very likely not need antivirus.
  • by Animats ( 122034 ) on Saturday April 28, 2007 @02:10PM (#18913307) Homepage

    This vulnerability in AdWords exists because Google made them "reseller-friendly." That needs to stop.

    When you click on a Google AdWords ad link, the link goes to Google, not to the destination site. Then Google's ad link server looks at the URL, logs the click, and does a redirect to the site specified by the advertiser. That isn't necessarily the destination shown in the Google ad. It's often some "ad broker" or "affiliate", which wants to see the click event for "tracking". That's what created the vulnerability. Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".

    Google does check, when the ad is purchased and occasionally thereafter, that the link sold with the ad eventually redirects to the purported destination, or what Google calls the "landing site". But that's not good enough any more. Attackers can create ads which attract innocent users, run them past the attacker's site where the attacker gets a shot at them, then direct them invisibly to the destination. That's how this attack works.

    It's time to cut the middlemen out of the loop. Google ad links need to go directly to the destination site, only. "Ad brokers" and "affiliates" will have to use Google's own ad tracking numbers. This might require outside auditing to be trustworthy.

    That would cause some disruption in the ad-broker / "search engine optimization" business, although they'd adjust to it. It's going to be interesting to see whether Google chooses to protect its search customers or its ad brokers. That will tell us whether Google has abandoned "Don't be evil".

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Re-directs, while disconcerting, are not the main problem. These exploits often find their way into trusted sites too. The Super Bowl site was hacked with the ANI exploit right before the Super Bowl. Thousands of trusted sites are hacked today, and they're in Google/Yahoo/MSN's organic search results. The criminals hack into a site, insert a simple link into the HTML, and voila, a portion of every unsuspecting visitor's browser's session is re-directed to an exploit server. Also, even if Google elimin
    • From the fine article:

      If someone clicked a booby-trapped sponsored link they were the ad would redirect their browser through URLs that attempted to automatically download a virus program (MSO6-014) onto their computers before passing them along to the actual sites that were advertised.

      The problem is that so many people use a crappy browser that allows the attacks [microsoft.com]. Malicious people are going to put their stuff on the web and that's not Google's fault. To top it all off, Google is doing a better job figh

      • From the fine article:

        If someone clicked a booby-trapped sponsored link they were the ad would redirect their browser through URLs that attempted to automatically download a virus program (MSO6-014) onto their computers before passing them along to the actual sites that were advertised.

        The problem is that so many people use a crappy browser that allows the attacks [microsoft.com]. Malicious people are going to put their stuff on the web and that's not Google's fault. To top it all off, Google is doing a better job figh

      • many people use a crappy browser

        An unpatched crappy browser.

        To top it all off, Google is doing a better job fighting the problem

        How do you figure that, twitter [slashdot.org]? You're linking to the story that details the problem, but did you find the one with the solution? Or are you implying that Microsoft never did anything about it, but Google did?

        Of course, I love this part from that article, in the usual Register style:

        A Microsoft representative says in a statement that "to the extent that spammers are succe

    • by bitt3n ( 941736 ) on Saturday April 28, 2007 @03:03PM (#18913579)

      Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".
      This is even more nefarious because many long-term BoA customers will simply assume the destination URL to be a rare example of corporate transparency.
      • by rcjhawk ( 713563 )
        If snorting beer through your nose after reading counts, mod parent up (funny).
      • I've been a customer of BofA for several years now and have zero complaints. They've always seemed on top of things.

        I've also worked at WaMu (I was a system admin with root on all of their UNIX machines corporatewide). I don't think I would ever bank there.
      • Speaking as a current BoA customer, I tend to agree
    • ive never noticed... mmm i love foxy and noscript/adblock ;)
  • A simple solution (Score:5, Interesting)

    by halcyon1234 ( 834388 ) <halcyon1234@hotmail.com> on Saturday April 28, 2007 @02:12PM (#18913315) Journal
    Why doesn't Google just test every new ad that is submitted to them? It wouldn't be all that hard. All they need are a few machines running XP and an unpatched copy of IE. Make an image of a working machine as a backup. Then, when a new Ad Sense ad is submitted, one of those machine visits the website. If it gets hit with malware, the ad is rejected, and the machine is re-imaged from the backup.

    The philosophy is simple: Anyone who would take advantage of any sort of exploit to install software on an end user's machine is not peddling a legitimate product.

    Of course, a semi-clever malware site admin can write a script that would deliver different content to a Google machine. But I am sure Google has enough disposable IPs and proxies that that won't be a problem. And even if it is, I'm sure they can just Google for a good IP spoofer. (Goofer?)

    It's a trivial matter with an easily implemented solution.

    • by Solra Bizna ( 716281 ) on Saturday April 28, 2007 @02:29PM (#18913387) Homepage Journal

      They can also change the content of the page after it's accepted, so Google would have to check every ad fairly often.

      -:sigma.SB

      • That is true. What about some sort of "verify this ad" button or feature. Let the end user report a potential "no no" ad for verification. It would cover everything from malware to WoW gold-farm ads.

        It's still an "after the fact" solution, but short of forcing people to make immutable ads...

        Of course, given the mindstaggerly awsome amounts of bandwidth Google weilds, doing daily or weekly spot checks on new ads wouldn't be that straining. I mean, it's not like EVERY single ad needs checking. Customers w

      • Don't Google's indexing bots already do this?
    • Why doesn't Google just test every new ad that is submitted to them? It wouldn't be all that hard.

      I don't think it's quite so easy. You figure out how to do that reliably and I'll bet you've got a job waiting for you at Google.

    • by mkw87 ( 860289 )
      Better yet use a VMWare copy of XP?
  • So who's at fault? (Score:5, Interesting)

    by Itninja ( 937614 ) on Saturday April 28, 2007 @02:16PM (#18913329) Homepage
    My question is, if a malicious piece of malware get delivered to someone via a Google Ad on my site am I going to get sued? If my AdWords are just a ticking litigious timebomb maybe I should take them down....
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      $PROSECUTION: Your honour i visited the $DEFENDERS website i clicked on a link and i was infected by a trojan which stole my bank account details
      $DEFENDER: that wasnt me it was a google advert that did it
      $JUDGE: and who put the advert code on your website
      $DEFENDER: I did your honour
      $JUDGE: guilty as charged!, 3 years prison for fraud and theft by deception
      $BANK: we would like now to issue precedings against $DEFENDER and $ADVERTISER for theft,fraud,conspiracy,wiretap laws, do you have a form we can fill out
      • by Shemmie ( 909181 )
        I thought a site couldn't be held liable for the contents of sites it links to? Surely if you could, the entire Internet would fall over?

        $DEFENDER: Yes your Honour, I put the link on my site. However, Google links to me. If the proescution hadn't come to me via a Google search, he would not have been infected. Thus, Google are to blame.

        $Google_Defense: Yes your Honour, we linked to his site. However, Microsoft Live Search linked to us.
        ...
        (Optional)
        $Microsoft_Defense: Yes your Honour, we linked to
    • My question is, if a malicious piece of malware get delivered to someone via a Google Ad on my site am I going to get sued? If my AdWords are just a ticking litigious timebomb maybe I should take them down....

      The title was, "Who's at fault?" The answer is obviously Microsoft. It's their browser getting blown out and no one else's. Their search engine is also turning up more malware than Google [theregister.co.uk].

      I can't imagine you being sued because someone tricked Google and then did something nasty to someone else

  • I even RTFA (!) and I couldn't determine whether or not Firefox is vulnerable or not. Based on things as usual, I'm assuming it isn't but I really cant tell!
    • I couldn't determine whether or not Firefox is vulnerable or not.

      Well that would depend on what's on the attacking page, wouldn't it? You can't simply say "this attack works only on X," because the attack can change at any time.

    • Re: (Score:1, Offtopic)

      by pembo13 ( 770295 )
      Why is this offtopic? There's more to web surfing than IE+Windows
  • by Myria ( 562655 ) on Saturday April 28, 2007 @03:18PM (#18913663)
    I guess that this gives a whole new meaning to "I'm Feeling Lucky".
  • by aero6dof ( 415422 ) <aero6dof@yahoo.com> on Saturday April 28, 2007 @06:32PM (#18914581) Homepage
    Researchers realize that everybody would be safest if we all just sat in the dark and shunned communication with anyone.
  • There are things which people should do to protect themselves from these kinds of things.

    i) Use a filtering proxy (like Proxomitron [proxomitron.info]) to remove sponsored ads from search engine sites. Or, ignore these ads.

    ii) The very trite - patch your software! The exploited MS IE hole was patched [microsoft.com] over a year ago.

To communicate is the beginning of understanding. -- AT&T

Working...