
Google AdWords Forum

This 53 message thread spans 2 pages: 1 [2]
Hacked AdWords Account?
GregOne




msg:3320023
 2:51 pm on Apr 24, 2007 (gmt 0)

I just had my AdWords account hacked and it seems campaigns were set up with redirects pointing to places like orbitz.com and business.com that try to install some activex remote desktop program.

Is this widespread or a few isolated cases? Pay close attention to your accounts, this started in my account since yesterday!

 

kartiksh




msg:3321676
 8:15 pm on Apr 25, 2007 (gmt 0)

It does not appear to be the same. We're still determining if a PC was compromised.

The campaign was set up to help Content Network accounts as that was turned on and the daily budget was increased to a number that would have produced a 7 figure Monthly payout.

Very scary and serious! Is there a word of caution and a list to look out for from AWA here after the initial investigation, or would they prefer a standard alert to all AdWords advertisers via their set channels?

I think the second.

outland88




msg:3321854
 9:49 pm on Apr 25, 2007 (gmt 0)

>Yes, even though it's difficult to call anyone at Google about AdWords.<

This shouldn't be the situation on any account. I speculate though a large amount of Adwords is handled out of the US. I also don't understand why most companies comply with the federal government's request to list a phone number on credit card statements but Google lists only an e-mail address. Google must save a mint serving up pitiful customer service. You should be able to contact Google immediately in such situations, especially by phone.

GregOne




msg:3321858
 10:02 pm on Apr 25, 2007 (gmt 0)

There should at least be a 24/7 monitored email address at AdWords to report fraud incidents.

[edited by: GregOne at 10:32 pm (utc) on April 25, 2007]

jtara




msg:3321934
 12:33 am on Apr 26, 2007 (gmt 0)

Dunno if this is related, but it appears that it could be:

Virus Writers Taint Google Ad Links

[blog.washingtonpost.com...]

There's currently a slashdot article discussing this issue:

[it.slashdot.org...]

From the news report and the blog referenced within (which I haven't linked from here, as I wasn't sure it was OK to link to a blog - particularly one belonging to a company which makes a particular exploit scanner...) it appears the exploit is being injected by an intermediary tracking site.

If you look at the example screenshots shown on the blog, this certainly does look like it corresponds to the discovery found here by Adwords customers. The specific exploit found is MDAC ActiveX code execution.

The exploit referenced in the blog targets, however, about 100 specific banks. I suppose that the same exploit might have been also used to capture the very Adwords accounts being used to further spread the exploit.

It appears that perhaps one shoe dropped in the blog, Wash. Post article, and slashdot. The other shoe (the hijacking of Adwords customer accounts in order to accomplish this) has dropped here.

Both the article and the blog find fault with not just the injection of the virus, but the fact that Google fools the browser into displaying the eventual landing site, rather than the tracking site.

Of course, displaying the tracking site would wreak chaos on most PPC advertising, confusing users and making them unlikely to click on PPC links. On the other hand, wide disclosure of this attack in the press (which I imagine is likely if it isn't stopped pronto) is likely to lead to the same result.

GregOne




msg:3321946
 12:56 am on Apr 26, 2007 (gmt 0)

Yes, this is exactly how it happened, a redirect pointing to trackback.org that somehow installed an activex component without approval.

[edited by: GregOne at 12:58 am (utc) on April 26, 2007]

MatthewHSE




msg:3322016
 3:13 am on Apr 26, 2007 (gmt 0)

Am I understanding this properly when I assume that computers can get infected with this simply by clicking an AdSense ad that belongs to one of these hijacked accounts?

If so, this could be even more serious, as a backdoor would almost certainly be installed, which could lead to an enormous new botnet. (And could that be the whole intention here in the first place?)

jtara




msg:3322028
 3:26 am on Apr 26, 2007 (gmt 0)

Am I understanding this properly when I assume that computers can get infected with this simply by clicking an AdSense ad that belongs to one of these hijacked accounts?

Yes.

Note that it doesn't have to be an Adsense ad. It could be an ad appearing in Google search, which would be more highly trusted by consumers than an Adsense ad appearing on a website.

The exploit appears to target those using an UNPATCHED MDAC component. This is addressed by Microsoft Security Bulletin MS06-014:

[microsoft.com...]

Note that the security bulletin is a year old.

Here's an excerpt from the above bulletin:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
Under certain conditions, the RDS.Dataspace ActiveX control fails to ensure that it interacts safely when it is hosted on a Web page.

What makes this attack particularly scary is that it is using a vector - Adwords - which is highly trusted by consumers. Further, they appear to be targeting ads for highly trusted websites. You'd usually expect this sort of attack when accessing sketchy websites.

jtara




msg:3322055
 4:02 am on Apr 26, 2007 (gmt 0)

Yes, this is exactly how it happened, a redirect pointing to trackback.org that somehow installed an activex component without approval.

There may be multiple tracking services being used. Or the exploit you got may be completely unrelated to the "end-user" exploit reported on elsewhere. Or this thing may now be in the hands of multiple exploiters...

The above looks like a legitimate tracking service. I didn't examine their website enough to see if there is some opportunity for tracking customers to insert this exploit in some way. What would be really bad is if a legitimate tracking service has been hacked, and now this is being injected for all customer accounts.

The article I wrote about references smarttrack.org. There is (at least currently) no website configured on that URL (just a default home page for some control panel software).

That domain is registered in New Zealand. The IP address is owned by a company located in Panama. The IP address geolocates to Russia.

Not good.

ispy




msg:3322076
 4:23 am on Apr 26, 2007 (gmt 0)

You noticed someone else's credit card info?

Did they have the decency to pay for their own hack?

piconsulting




msg:3322162
 6:56 am on Apr 26, 2007 (gmt 0)

ispy - I'm guessing they used a stolen card to ensure that the adwords account holder owner didn't get suspicious of the increased card activity.

theviruz




msg:3322253
 10:04 am on Apr 26, 2007 (gmt 0)

I guess it is the same problem as the one reported by the Washington Post.

[blog.washingtonpost.com...]

However, if the attackers publish their credit card information, although I bet it was stolen too, isn't it possible to find them?

GregOne




msg:3322381
 12:21 pm on Apr 26, 2007 (gmt 0)

My credit card info on AdWords was replaced with two different cards, in the primary and backup entries. The only way I found out my account was hit, I got an email saying some ads weren't approved for AdWords.

webdoctor




msg:3322411
 12:58 pm on Apr 26, 2007 (gmt 0)

if the attackers publish their credit card information, although I bet it was stolen too, isn't it possible to find them

If the credit card info is stolen, how would one go about finding the culprit?

marketingmagic




msg:3322460
 2:05 pm on Apr 26, 2007 (gmt 0)

jwolthuis - and you don't think it's news? Wait till it's your computer and AdWords account and I bet you'd think it's news then.

GregOne




msg:3322490
 3:02 pm on Apr 26, 2007 (gmt 0)

Just punch in 'adwords' on news.google.com, this malware redirect account info grabber was first reported on April 10th with the same fasttrack.org site used to serve the redirect.

I got hit on the 23rd of April, you'd think Google would have put a freeze on any links pointing to fasttrack.org.

sitetruth




msg:3322731
 5:32 pm on Apr 26, 2007 (gmt 0)

There's now someone selling a security product to check links on Google AdWords. "***** Lite integrates with major search engines to check search results for a variety of online threats before you click."
"Don't let your PC become a zombie".

That particular product is rather primitive, but someone else may do better. McAfee has had an offering for about a year now, but nobody paid much attention. We're now entering the era of search ad security products.

jtara




msg:3322735
 5:40 pm on Apr 26, 2007 (gmt 0)

We're now entering the era of search ad security products.

If search ad security products become a requirement, I think consumers will opt for search ad REMOVAL products...

jwolthuis




msg:3323203
 12:22 am on Apr 27, 2007 (gmt 0)

This thread has taken some odd twists.

Are we talking about (a) advertisers who have hacked AdWords accounts, or (b) consumers that click an ad that installs malware? These are very different subjects.

I count *one person* who was hacked, where his hosts file and credit card numbers were changed. This hardly qualifies as a widespread attack. More like careless passwords, and a script kiddie with too much spare time.

Rehan




msg:3323387
 3:46 am on Apr 27, 2007 (gmt 0)

Are we talking about (a) advertisers who have hacked AdWords accounts, or (b) consumers that click an ad that installs malware? These are very different subjects.

The impression I get is that the malware steals AdWords passwords (and perhaps other types of passwords as well)...so it's a bit of both (a) and (b).

BTW, tonight's Inside AdWords blog post addresses this issue briefly; it includes:

"On Tuesday, April 24th, Google identified and canceled AdWords accounts displaying ads that re-directed users to malicious sites. These sites attempted to install malware onto users’ computers. This is an issue we’ve taken very seriously and will continue to monitor. We are also evaluating our systems to ensure that the appropriate measures are in place to block future attempts."

[edited by: Rehan at 3:48 am (utc) on April 27, 2007]

AdWordsAdvisor




msg:3323414
 4:34 am on Apr 27, 2007 (gmt 0)

Just a quick post, while in the midst of working on the Advertiser Feedback Report...

BTW, tonight's Inside AdWords blog post addresses this issue briefly...

Thanks very much for mentioning that Rehan. ;) I wanted to point out one page that's linked-to in that post, which is worth noting - since the subject of being able to report issues such as this was mentioned earlier in this thread:

Google Security and Product Safety
[google.com...]

Excerpting briefly from that page:

Reporting Security Issues
If you are a Google user and have a security issue to report regarding your personal Google account, please visit our contact page. This includes password problems, login issues, spam reports, suspected fraud and account abuse issues.

If you have discovered a vulnerability in a Google product or have a security incident to report, please email security@google.com. Please include a detailed summary of the issue including the name of the product (e.g., Gmail) and the nature of the issue you believe you've discovered. Be sure to include an email address where we can reach you in case we need more information...

BTW, the 'contact page' mentioned in that first excerpted paragraph is linked in the actual document, and goes here:

Security Issues
[google.com...]

AWA

<edit> fixed url </edit>

[edited by: AdWordsAdvisor at 4:42 am (utc) on April 27, 2007]

sitetruth




msg:3324141
 5:59 pm on Apr 27, 2007 (gmt 0)

Are we talking about (a) advertisers who have hacked AdWords accounts, or (b) consumers that click an ad that installs malware? These are very different subjects.

Not any more. This new attack integrates the two.

The life cycle of this thing apparently works like this:

1. User clicks on AdWords or Google advertising result.
2. An intermediate link along a chain of redirects to the "landing page" for the ad installs malware using an exploit of Microsoft Internet Explorer.
3. The malware runs on the user's machine, collects credit card info and such, and sends it somewhere.
4. The malware also attempts to find out if the user's machine has a Google AdWords account.
5. If the user's machine has a Google AdWords account, the malware connects to Google AdWords and buys more AdWords.
6. The AdWords the malware buys use intermediate links to sites that install the attack.
1. User clicks on AdWords or Google advertising result...
...
Wash, rinse, repeat.

These attacks are getting smart enough to go into business for themselves.
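
An advertiser-side check for the pattern described in this thread, where an ad displays and lands on a trusted site but passes through a tracking hop the advertiser never configured. This is an added example, not part of any post here; the record layout, the tracker allowlist and every hostname are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only click-tracking host this advertiser has configured.
APPROVED_TRACKERS = {"clicks.tracker.example"}

def host(url):
    """Lower-cased hostname without a leading 'www.'; accepts scheme-less display URLs."""
    if "//" not in url:
        url = "http://" + url
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def same_site(a, b):
    """Equal hosts, or one is a subdomain of the other (not public-suffix aware)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def audit_ad(ad):
    """ad['chain'] is the ordered list of URLs recorded while following the ad's
    destination URL; the last entry is the landing page, the rest are redirects."""
    shown = host(ad["display_url"])
    findings = []
    for hop in ad["chain"][:-1]:
        h = host(hop)
        # A redirect hop is acceptable only on the advertiser's own site
        # or on a tracker the advertiser set up.
        if not same_site(h, shown) and h not in APPROVED_TRACKERS:
            findings.append("unapproved-hop:" + h)
    landing = host(ad["chain"][-1])
    if not same_site(landing, shown):
        findings.append("landing-mismatch:" + landing)
    return findings

def audit_account(ads):
    """Map ad id -> findings, listing only ads that need review."""
    return {ad["id"]: f for ad in ads if (f := audit_ad(ad))}

# Constructed sample records (not real account data).
SAMPLE_ADS = [
    {"id": "ad-1", "display_url": "www.shop.example",
     "chain": ["http://clicks.tracker.example/r?id=1", "http://www.shop.example/sale"]},
    {"id": "ad-2", "display_url": "www.travel.example",
     "chain": ["http://redirect.unknown.example/x", "http://www.travel.example/"]},
    {"id": "ad-3", "display_url": "www.bank.example",
     "chain": ["http://landing.other.example/"]},
]

if __name__ == "__main__":
    for ad_id, findings in audit_account(SAMPLE_ADS).items():
        print(ad_id, findings)
```

The ad-2 record is the case the thread is about: display URL and landing page agree, so only inspection of the intermediate hop exposes it.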

GregOne




msg:3324515
 1:58 am on Apr 28, 2007 (gmt 0)

That's exactly how it worked, I was fully updated & patched and behind two firewalls. I didn't accept any activex install, either.

Tropical Island




msg:3324754
 11:31 am on Apr 28, 2007 (gmt 0)

...installs malware using an exploit of Microsoft Internet Explorer.

I suppose the lesson here is never use IE.
