Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Google Advertising

Google Gave Top Spot For 'Home Depot' Searches to a Malicious Ad (bleepingcomputer.com) 69

"A malicious Home Depot advertising campaign is redirecting Google search visitors to tech support scams," claims Bleeping Computer.

Slashdot reader nickwinlund77 shares their report: BleepingComputer searched for 'home depot' and was shown the malicious advertisement on our first try. Even worse, the ad is the top spot in the research result, making it more likely to be clicked... [T]he ad clearly states it's for www.homedepot.com, and hovering over it shows the site's legitimate destination URL.

However, when visitors click on the ad, they will be redirected through various ad services until eventually they are redirected to a tech support scam. Ultimately, the visitor will land at a page showing an incredibly annoying "Windows Defender - Security Warning' tech support scam. This scam will repeatedly open the Print dialog box, as shown below, which prevents the visitor from easily closing the page.

To make it more difficult for security professionals to diagnose these ads, it appears that they only redirect to the scam once every 24 hours to the same IP address. Once a tech support scam is shown by clicking on the ad, subsequent clicks bring visitors to the legitimate site.

This discussion has been archived. No new comments can be posted.

Google Gave Top Spot For 'Home Depot' Searches to a Malicious Ad

Comments Filter:
  • facil areglar (Score:5, Informative)

    by rmdingler ( 1955220 ) on Sunday January 31, 2021 @09:49PM (#61013870) Journal

    Scroll down past the ad clicks... it costs you microseconds, and bypasses the malicious.

    • Re:facil areglar (Score:5, Insightful)

      by Anonymous Coward on Sunday January 31, 2021 @09:55PM (#61013888)

      I wonder how something like this could happen?

      Oh, that's right. Google makes $120 Billion a year from ads, there are ZERO consequences for serving malicious ads, which means there is ZERO incentive for them to prevent this from happening.

      • Well sure, and if you're still holding on to the Disney-like plot that propagates the comfortable myth that Google does no harm, that's enough. Though, If your belief set is somewhere toward the skeptical bend, perhaps you'd, at a minimum, scroll past their first 4 paid cickvertisers.

        The mighty Goog is kind enough to mark the 1st several paid advertisers as paid... you'd be silly af to click there. At the very least, for your own protection, click on one of the more expensive undesignated advertisements fur

      • Oh, that's right. Google makes $120 Billion a year from ads, there are ZERO consequences for serving malicious ads, which means there is ZERO incentive for them to prevent this from happening.

        That's not true, if the fraud/malware increases, then people will lose trust in them. As long as no more than 30% of ad impressions are fraud, then they are ok, customers will not leave them.

      • Which means there is zero reason for everyone to tell their browser to show ads rather than filter them out.
      • by AmiMoJo ( 196126 )

        There are huge consequences. Many Google ads are not shown on Google sites, they are shown on 3rd party sites who they split the revenue with. If they start serving up malware regularly those sites will drop them.

        Not to mention users who will distrust them and IT departments who will block their ads for security reasons.

        Your theory fails the most basic test. If there really were no consequences then we wouldn't be reading about it, it would be the norm.

        Considering that they are the largest ad network and ha

      • Re:facil areglar (Score:4, Interesting)

        by NewtonsLaw ( 409638 ) on Monday February 01, 2021 @10:31AM (#61015500)

        Yes, Google will overlook anything for money.

        This is especially true on YouTube where it's so quick to demonetize videos, delete channels and generally treat creators with contempt yet allows scammy ads to run for protracted periods, even when thousands of people have complained and videos have been made about them:

        Just look at this video and the 660 comments it has, many of which are from victims of this scammy video ad that still runs to this day on the YT platform!
        Wow, a huge RC jet plane for just $29 [youtube.com]

        "Don't be evil -- unless you're willing to pay"

    • instead of making a better product and/or service, somehow they are allowed to help scam artists, frauds, criminals, and other malevolant actors to permeate their marketplace, target children and the elderly and other people who cannot be expected to know better... .... and they get defended by the people who should be most critical of them.

      all of the tech giants have the money on hand to hire hundreds of thousands of people to police and moderate their marketplaces and they refuse to do it.

      the government n

      • by robsku ( 1381635 )

        If the government does not, I will come on them.

      • all of the tech giants have the money on hand to hire hundreds of thousands of people to police and moderate their marketplaces and they refuse to do it.

        And you think those hundreds of thousands of people would all be plaster saints? Among the first people they recruit for the job would be crooks using the position to make things even worse. It is like scammers who get jobs at ISP and telecom company call centres just to obtain, and then use or sell, customer data.

        • implement cross checks and dual or triple control on risk you can make sure the few psychopaths dont destroy the business for everyone else.

          just like at a manufcaturing factory with 10,000 workers. its just work.

      • ...And the other search engines would never do this ... oh yes they all do ...

        And the ad could be reworded, and redirected after acceptance by Google ...

        How do you regulate something like this where an ad can be accepted deployed, changed and rejected in a few seconds?

        • maybe increase it to 30 seconds and put it in a work queue with 10,000 people on the clock watching it.

          take the giant brains that solved 10,000 problems to build google and make them solve the 10,001st problem.

          its not hard.

          hence why the government needs to get involved, to force them.

    • by Cederic ( 9623 )

      What ad clicks?

      Maybe I should uninstall my ad blockers to see what's happening.

      Maybe not.

    • by tlhIngan ( 30335 )

      The problem is Google is very irregular at showing ads as the very first link.

      The first link is usually the one you want - if you google Wikipedia like 99% of the people who use Google do, it will take you to Wikipedia. If you google a company, the company is the first link, but almost always there's an ad that's identical in the first link spot.

      If you're not expecting the ad you can often click the ad due to muscle memory.

      It would be easy if Google always showed you an add so you scrolled down. But if your

    • by robsku ( 1381635 )

      What ads? I don't see any ads ;)

    • Scroll down past the ad clicks... it costs you microseconds, and bypasses the malicious.

      Better yet, install a PiHole for $50 and redirect your DNS server lookups. Even the uninformed are protected.

  • by RitchCraft ( 6454710 ) on Sunday January 31, 2021 @09:49PM (#61013872)
    My dealings with Home Depot's (or any big "home supply" chain) support areas have left me feeling scammed.
  • by neonman ( 544 ) on Sunday January 31, 2021 @09:54PM (#61013886)

    In the olden days, you had to talk to a human to buy advertising. Publications couldn't shrug off responsibility for the content of the ads that they ran, and the identities of the ad buyers were well known. This is still generally true for print publications. Greed is the main reason why we don't see this in the case of major Internet platforms.

    • by Sebby ( 238625 )

      Greed is the main reason why we don't see this in the case of major Internet platforms.

      That, and race-to-the-bottom pricing, causing loss of revenue for the websites due to low rates. That needs to go away for good. Same with automatic stock trading.

      • In the 1990s, when the web for started, most sites were run by one person or a handful of people. We found out that through these things called "computers", we didn't have to manually do everything on paper anymore.

        We could compete with established companies because on the web you no longer NEEDED to have a call center full of employees for the customer to give the info to a salesclerk, who would then type it into the system. (While hearing a couple things wrong). With the beautiful [form] tag the customer

        • "We found out that through these things called "computers", we didn't have to manually do everything on paper anymore."

          A few of us figured that out before the Internet. FIDO, for instance, though I was emailing and texting via a small, insular community on PLATO.

    • It's easy to blame greed, but that doesn't mean it's accurate. Google is a tech company. Automating things is what they do. It is their nature to seek out things they can have a computer do instead of a person and to make it happen. That is, "the main reason why we don't see this in the case of major Internet platforms", not greed.

      It's like the old cliche about how if you're a hammer everything looks like a nail.

    • by AmiMoJo ( 196126 )

      Google's system is human reviewed.

      When you sign up your first few ads are checked by a person. As you prove yourself trustworthy they start checking less often, although of course they still run automated checks such as making sure any URLs you link to do not contain malware.

      Clearly it works too, otherwise the fact that it failed one time wouldn't be news.

      BTW, in the olden days the human oversight didn't stop scams. Comic Tropes did an episode about the ones they used to have in comic books. There were comm

  • Not that the people who made their better decisions had much to do to prevent this, but I noticed a while ago that Home Depot did some pretty smart work on buying other domains to redirect to Home Depot.

    For example, if you type in "homedeport.com" (by accident or otherwise), you'll go straight to homedepot.com without noticing anything amiss. More cunning on their part though if you should happen to mistype a certain competitor's website (liwes.com instead of lowes.com) you'll also be immediately redirected to homedepot.com.
    • by Anonymous Coward

      I just did a search for "home depot" and about halfway down the page is a link for Lowes, one of their main competitors. Yes, I know how/why that can happen and that's the problem -- a lot of fuckery is being allowed to go on. Returning results for anything other than exactly what I typed is borderline fraudulent.

      • Sounds about right for the accuracy of google anymore. Not a day goes by where I don't have to put quotes around something because google ignored my terms.

      • Well yeah, if you gotta go halfway down the page because Home Depot doesn't have what you want, isn't nearby, has already closed for th night, or whatever - Lowe's would be the next thing you'd likely want to see.

      • Had you been around in the 'beginning', you would recall that when buying search terms first got going, Honda and Toyota were trying to buy each other's name to redirect to theirs. One won, one lost. Then it got complicated, and well it wasn't enough to block doubleclick.com any more.

    • Companies will often buy domains of misspellings of their name, to avoid being impersonated, but also often to avoid other more embarrassing sites being put up (think homedepotsucks.com, etc)

    • by ugen ( 93902 )

      liwes.com takes me to lowes.com, so there is that.

  • by Presence Eternal ( 56763 ) on Sunday January 31, 2021 @10:36PM (#61013988)

    The best antivirus software is an adblocker.

    • Some top VPN's also HAVE to block many advertising sites that would give up your identity, especially scan support sites, has they need to query your browser and cookies for fingerprinting. One starting with the letter V has a cybersec addon, that is ok, and getting better. The sweet thing is the VPN provider in incentivized to save money by blocking garbage and ads. Some Anti-Virus products also babysit on mean webpages and unsafe scripts. There is a big difference in blocking in-your-face-scams, and PUNIS
  • More than once, on very legitimate sites, I’ve had these support scam scareware warnings pop up, often without any interactions from me.

    And when I report it to the site(s), they usually blame me for it or dismiss it as something they don’t need to bother with.

    So, websites that depend on ads for revenue, don’t come crying when I block ads - between you getting money or me getting some virus or ransomware or similar from an ad you allowed to be served on your site, you’re always going

    • by dwywit ( 1109409 )

      Although not a scam, I got denial when I reported something I felt was inappropriate.

      Watching/listening to "Music for the funeral of Queen Mary" (Purcell, if you're interested), up pops an ad for a local funeral service company.

      I sent them an email along the lines of "If I've recently lost a loved one and I'm seeking solace in some dramatic, emotional music, the last thing I want to see is an ad from you"

      They denied that they advertised on YT - they at least had the courtesy to reply to me, and then when I

      • by cusco ( 717999 )

        I thought marketing people were supposed to be smart.

        Whatever gave you that ides? I take it you've never met any, from my observations their principle talent seems to be schmoozing and butt kissing.

        • Clearly then marketing is a complete sham. Nobody sells anything. And nobody listens.

          One of those statements is palpably false. This does not discredit the others.

          • by cusco ( 717999 )

            Oh, I won't deny that Madison Avenue is the world leader in manipulation and mind control, far surpassing anything the CIA or KGB ever dreamed of. I'm of the opinion that it must be attributable to a few almost-anonymous geniuses though, because pretty much every front-line marketing person that I've personally dealt with was only a step above a used car salesman.

  • by swm ( 171547 ) <swmcd@world.std.com> on Monday February 01, 2021 @12:00AM (#61014222) Homepage

    My wife got hit twice.
    Pro tip: never click on an ad.

    • My wife got hit twice.
      Pro tip: never click on an ad.

      Or e-mails from people you don't know, but since the advent of the internet have been numerous people who can't tell the difference. Google needs to be responsible for their ad content to make sure browsing though google is reasonably safe. I think avoiding malicious paid ads is near the top of what they should be responsible for.

    • My employer ended up blocking a whole slew of the domains involved, months ago. Ridiculous. People are people, change is a slow slow process sometimes. But I wish they would stop searching for a specific site and then clicking on the first link in the search instead of just going to the place directly.
    • Stop htting' yer wife.

  • Who needs any human oversight.
  • by aepervius ( 535155 ) on Monday February 01, 2021 @01:55AM (#61014420)
    Well here it is, a genuine example of malicious ad on a top spot. I am bookmarking this one. It is always good to have teaching material.
  • The key problem is that it's in Google's interests to show these scam ads because they make more money. There is no punishment for Google that would adversely affect their market position. Some users will be disadvantaged, but (1) users don't have any viable means of complaint, (2) there is no avenue for government sanction, and (3) there is no significant practical market alternative.

    Yes, these ads directly contradict Google's mantra that these ads are good for users, but that mantra is just marketing.

    • by dwywit ( 1109409 )

      "users don't have any viable means of complaint"

      Yes, there is. Contact the product's/service's company (in writing, not just phone or email), and tell them that you will not consider their product/service while they refuse to sanction google for this behaviour.

      It might sound trivial, but there's a thing in marketing (I don't know if it's still valid), that used to go - for every person who takes the trouble to complain, there are another eight who simply never consider your product again. If enough people t

      • "users don't have any viable means of complaint"

        Yes, there is. Contact the product's/service's company (in writing, not just phone or email), and tell them that you will not consider their product/service while they refuse to sanction google for this behaviour.

        The original article talked about a scam company that advertised with Google. Obviously, that's not a company that users would want to contact or that would be willing to sanction Google. What about public pressure on legitimate companies to pull their ad money? Last year's experience with big companies pulling their ad money from Facebook showed that the so-called boycott didn't matter, i.e., Facebook only responded somewhat after the campaign when it didn't matter.

        My original comment that user don't ha

  • Aren't Google ads basically HTML + URL?
    How are those ads adding javascript to their URL? Surely Google is able to filter that out easily.

    • No need of extra JS. Purchase a Google ad and in the title and keywords mention "Home depot".
      • Sure, but read the summary again:

        [T]he ad clearly states it's for www.homedepot.com, and hovering over it shows the site's legitimate destination URL.

        So again, the question is: how did the ad do whatever trickery it did?

        • Sure, but read the summary again:

          Why "again"? Hard to discuss this without the full technical details, but it's not Google habit to allow users to inject some JS somewhere...

          • Maybe the guy has some extension that does the trick... recently many extension scams have been revealed.
            • So if this was the case then the hack was done via an extension, which means not all users were affected, which basically mean this whole article is clickbait once again.

        • The Fine Article has an image that shows the network requests:

          www.google.com /search.... [initial search page]
          www.google.com /aclk... [the actual link from the click. redirects to the following]
          clickserve.dartsearch.net /link/click...
          ad.doubleclick.net /ddm/clk/...
          depotskylight.online /
          callsupportforassistance5.ml /callsupportrightnow [final landing page]

          The first screenshot on the page appears to be a chrome based browser (?) which may explain why the mouseover text shows homedepot.com instead of the true

  • by AlexHilbertRyan ( 7255798 ) on Monday February 01, 2021 @06:38AM (#61014882)
    The myth of Advertising being effective is the 21st C big lie, taking over slowly that of religion.
    • by way2slo ( 151122 )

      Anyone with kids that watch TV could make an argument that Advertising does work. Or kids that watch streamers and then beg you to get the game that streamer was playing.

      On a deeper psychological level, just seeing the add for a brief moment is enough for our brain to recognize it and remember it. Familiarity can really influence decisions when all else is equal.

      • Two problems, most of the world are not kids, secondly lets pretend kids are watching a few hours a week of YT etc. Thats a lot of ads, maybe a 1000, theres no way any parent is buying a fraction of the items prostituted in front of their kids.
  • I haven't personally seen it happen in a couple of years (probably because I don't handle end-user issues much anymore), but this is hardly new. I've seen people google Walmart (because it was too hard to type .com?) and end up at support scam pages from the top result. And that's just one of a dozen times I've seen Google's top result be a scam page. I get users calling me because their computer is yelling at them about viruses, and what does their history show? Google sent them to a scam site.
  • Three years ago, my mother willingly gave control of her computer to thieves in India. She didn't want to bother me when she thought that Amazon Prime streaming was not working, so she typed "amazon prime telephone number" into Google. The results she received were 100% fake phone numbers for thieves in India who got her to install a trial version of LogMeIn, took control of her computer and started charging hundreds of dollars of digital goods to her Amazon account. Fortunately, I managed to stop the opera

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...