ATLANTA -- Researchers at security software developer Exploit Prevention Labs (http://www.explabs.com) have uncovered hard evidence that cybercriminals are using Google AdWords to infect unsuspecting users with malware. Under the guise of ads for legitimate, trusted organizations like The Better Business Bureau (see screen shot at
Roger Thompson, Exploit Prevention Labs' CTO, reported his findings yesterday on his blog at http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html.
Exploit Prevention Labs first learned of this new attack vector April 10 when a user of the company's LinkScanner Pro safe surfing software ran a Google search on the phrase "how to start a business." The top-ranked sponsored search listing appeared to be from AllBusiness.com, a legitimate business, yet the hyperlink actually led to a site that attempted to install a password--stealing keylogger on the user's PC. LinkScanner Pro blocked the threat and automatically reported the discovery back to Exploit Prevention Labs researchers, who launched an immediate investigation.
Thompson's team discovered that, on April 2 or 3, a known-bad organization registered the domain name Smarttracker.org. By April 10, the organization had opened a Google AdWords account and purchased campaigns for various search terms. Although each of the ads displayed a trusted hyperlink, clicking on the link redirected the user to smarttracker.org before sending them on to their intended destination.
Although Google has terminated this particular offending account, the discovery highlights problems facing all sponsored search vendors - how to determine the legitimacy of any individual advertiser, and how to determine whether a redirected link is being used legitimately.