Google stamps on AdWords exploit

Google has rooted out a scam that delivered malware via the search engine's AdWords advertising system, and even added extra sections to specific banking websites to gather additional information.

Share

Google has rooted out a scam that delivered malware via the search engine's AdWords advertising system.

The move follows calls for the search giant to crack down harder on attackers using the AdWords service.

The scam was a particularly dangerous example of a trend that has become a significant problem for search engines such as Yahoo and Google: hackers using search engine results and advertising links to attack users' systems. The attack also deployed code on bank websites to encourage users to give up additional information.

The attackers drew on phishing techniques by masquerading as well known brands, according to Exploit Prevention Labs, which said it had been monitoring the attack since 10 April until Google shut it down two weeks later.

"This is an issue we've taken very seriously and will continue to monitor," said a Google spokeswoman. "We are also evaluating our systems to ensure that the appropriate measures are in place to block future attempts."

The attackers' links turned up in response to searches such as "Better Business Bureau" - for which the malicious link was the top sponsored link, Exploit Prevention Labs said. Other searches affected included "Modern cars airbags required".

Google has terminated the account behind the attack. Exploit Prevention Labs said it had detected about 20 different search strings that resulted in links to smarttrack.org.

The Better Business Bureau link did lead to the organisation's website - but only after passing through a seemingly harmless site called smarttrack.org. This site used a modified Microsoft Data Access Components exploit to attempt to install a backdoor and a post logger on to the user's system, Exploit Prevention Labs said.

The post logger targeted about 100 banks by injecting extra html into their website response pages to persuade users to enter extra information. It also logged all user IDs and passwords.

"Because the post logger is a browser helper object, it is part of the end-point of any SSL transaction, and can see everything in plain text, instead of encrypted," said Exploit Prevention Labs chief technical officer Roger Thompson on the company's blog.

He said the exploit highlights a significant issue in that, unlike with organic search results, sponsored results don't display a preview of where the link is leading.

"This means that a user has no clue where she is about to navigate to. Savvy search engine users will know that often these sponsored links will take you through a 'Click-manager' or other advertising service and so seeing your browser pass through smarttrack.org will appear benign enough," he wrote.

Aside from malware infesting their advertising systems and search results, search engines such as Yahoo and Google also have to deal with click fraud, a growing problem where companies try to drive up their competitors' advertising costs by generating fake advertisement click-throughs.

Find your next job with computerworld UK jobs