Google should investigate customers of its AdWords service more thoroughly to weed out hackers who use advertisements to launch malware attacks, experts have warned.
Researchers at security software maker Exploit Prevention Labs said they had uncovered hard evidence that malware distributors were using advertisements placed via Google's automated AdWords system to infect unsuspecting end-users with virus code.
Roger Thompson, chief technology officer at Exploit, said the malware brokers used fraudulent advertisements for legitimate organisations to trick users into clicking on the links.
AdWords allows businesses or individuals to bid for specific words, ensuring that their advert appears with search results for those terms. The highest bidder gets the best advertising placement, or “sponsored links”, next to Google's web search results.
Thompson said his team discovered that a number of the advertisement-borne threats had been built to show up alongside search results for information on business conferences.
Google said it had cancelled the affected advertisements after it was informed of the situation. "We actively work to detect and remove sites that serve malware to our users both in our ad network and in our search results," the company said.
"We have manual and automatic processes in place to detect and enforce these policies; we also encourage our advertisers to contact Google directly if they have concerns or detect suspicious malware."
But Thompson and other security experts claim that the problem exists because Google does not sufficiently police its advertisers.
"Google says they are doing the best that they can, but their business model is to take as much money as they can for advertisements. No matter how much due diligence they do, it's a difficult position to be in, but clearly they are not doing enough," Thompson said.
"If they don't do a better job of vetting their customers, we will see this sort of thing happening again and again."
Harvard Business School assistant professor Ben Edelman, an expert on legal issues affecting the internet and online advertising, said he had observed similar activity on Google as far back as a year ago.
"The big problem is that Google sells ads to anyone, without completing any due diligence to determine who they are or that the content they are advertising is legitimate," Edelman said.
"We've been writing about this problem for years and nothing has been done about it. Apparently anyone who pays the bills is good enough for Google."
He added: "People treat sponsored results as safe because they believe that Google has filtered out the bad stuff, which they should, because legitimate publishers such as print or broadcast companies do that.”
"It's highly likely that these malicious ads appear throughout the Google network, including in Gmail, and they may also show up on sites like AOL and Ask.com that are advertising syndicates."
Edelman said that the only answer to the problem, which he said affects most search engines, not just Google, is for search companies to better police their advertisers, or for lawmakers to force them to do so.
"I think a lot of people might favour legislation to make it clear that search engines have the same responsibility to verify ads that print publications have today," Edelman said. "It's the search engine companies' responsibility to do a better job of protecting their users."