Friday, April 27, 2007

PPC issue to keep track of: malicious redirects

It would obviously be a Very Bad Thing if large numbers of consumers ever decided it was a risky proposition to click on paid search ads. It appears, however, that a very sophisticated entity(s) is succeeding, through URL redirects, to get their malicious software installed on computers whose users click onto ad links after searching for legitimate sites. Washington Post's blog covered this yesterday, but what's alarming for me is hearing several first-hand reports in the last two days of advertisers' AdWords accounts being hacked into to put the damaging redirects in Google sponsored links in the first place.

This is all ultimately made possible by the fact that Google in its sponsored links shows the display URL for the ad rather than the actual URL the consumer is taken to upon clicking on the ad. Of course, G must do this because the alternative - showing a lengthy, non-sensical tracking URL - would result in far lower CTR, and perhaps user revulsion over PPC in general.

The process is:
1) Bad guy hacks into someone's AdWords account
2) Bad guy changes credit card billing information so that [sometimes very large] charges incurred in malware campaigns don't alert the advertiser.
3) Bad guy creates new ad group that looks like other of advertiser's ads but which redirects searchers to a site that exploits a known Windows security hole to install malware on the computer without the searcher ever actually seeing the redirect site. The searcher is still delivered to the site they were trying to get to, but with a short, invisible redirect.
4) Malware observes the computer it's now on and captures banking [and potentially other] info

My guess is the hackers recognize it's not in their best interests to do this on a massive scale, and so this will simply low-grade simmer while driving increased usage of security toolbars like McAfee's SiteAdvisor.


Blogger David Kalen said...

Your blog arouses a lot of curiosity.

3:54 AM


Post a Comment

<< Home

Google Analytics Alternative