
Google AdWords Forum

This 53 message thread spans 2 pages.
Hacked AdWords Account?
GregOne




msg:3320023
 2:51 pm on Apr 24, 2007 (gmt 0)

I just had my AdWords account hacked and it seems campaigns were set up with redirects pointing to places like orbitz.com and business.com that try to install some ActiveX remote desktop program.

Is this widespread or a few isolated cases? Pay close attention to your accounts, this started in my account since yesterday!

 

Tropical Island




msg:3320141
 3:59 pm on Apr 24, 2007 (gmt 0)

Can you explain further?

Did someone break your password and actually change your account?

GregOne




msg:3320151
 4:02 pm on Apr 24, 2007 (gmt 0)

The password wasn't changed as I was able to login and see some new campaigns set up & running since yesterday.

I didn't set up these accounts and got emails stating some ads weren't approved by Google.

I looked in the credit card billing info area and noticed someone else's credit card info, name and address.

[edited by: GregOne at 4:05 pm (utc) on April 24, 2007]

Tropical Island




msg:3320159
 4:06 pm on Apr 24, 2007 (gmt 0)

WOW, that's scary.

I assume you reported this to AW immediately.

GregOne




msg:3320180
 4:17 pm on Apr 24, 2007 (gmt 0)

Yes, even though it's difficult to call anyone at Google about AdWords.

The funny part is on my desktop I can't access the subdomain adwords.google.com, my comp is probably infected with something nasty.

I'm trying to get rid of that ActiveX remote desktop installation. Not sure if I did.

netmeg




msg:3320189
 4:22 pm on Apr 24, 2007 (gmt 0)

If you're on a PC, take a look at the contents of this file, and see if it's been overwritten to block out AdWords:

c:\windows\system32\drivers\etc\hosts

GregOne




msg:3320245
 5:15 pm on Apr 24, 2007 (gmt 0)

Gonna check now ... thanks for all your help!

GregOne




msg:3320246
 5:17 pm on Apr 24, 2007 (gmt 0)


127.0.0.1 localhost

127.0.0.1 adwords.google.com

crap! it's there! they somehow blocked it :(

Philosopher




msg:3320248
 5:18 pm on Apr 24, 2007 (gmt 0)

yep...well just remove the line pertaining to adwords and you'll at least be able to get to the adwords subdomain for now.

You'll definitely want to do some "housecleaning" in your computer though.

GregOne




msg:3320255
 5:22 pm on Apr 24, 2007 (gmt 0)

House cleaning isn't finding anything, I'm behind 2 firewalls and have McAfee going with active shield going. I'm running Hitman Pro as we speak ... this is not good.

Philosopher




msg:3320304
 6:06 pm on Apr 24, 2007 (gmt 0)

Unfortunately, while McAfee is decent, it still doesn't spot everything and when it comes to spyware there are SO many different variations, there isn't one single program that can find them all.

IF you know that your system was compromised, I would be inclined to do a format/reinstall. It really is the only way to know for sure you got it all. It can be a complete pain, but so many hacks are so invasive you may never completely get rid of it and even if you do, you won't necessarily know.

I keep an image of a fresh install with all my needed programs already installed for just this reason. I can wipe everything and be back up and running in about 15 minutes.

jdMorgan




msg:3320371
 6:43 pm on Apr 24, 2007 (gmt 0)

Try Sophos's free rootkit remover.

It's possible your PC was rooted, and a program installed to send your AdWords account info to persons unknown. I wouldn't assert anything this "paranoid-sounding" except for the fact that the entry in your hosts file indicates a specific interest in AdWords.

Report anything else you find to AdWords.

This sounds very serious, and I suspect G will take it seriously.

Hopefully, you're not the first wave of a flood of compromised accounts...

Jim

GregOne




msg:3320396
 6:54 pm on Apr 24, 2007 (gmt 0)

I doubt it, this seems very complex and well thought out. I am probably the first wave hit, hopefully they spot trends in these compromised accounts and put an end to it quickly.

netmeg




msg:3320416
 7:05 pm on Apr 24, 2007 (gmt 0)

I don't suppose you noted the modification date and time on the hosts file, before you fixed it? Might give you a clue as to when it happened, and what all might have been going on at the time.
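The hosts-file check and the modification-time question raised in the posts above, as an added example that is not part of any poster's message: a small Python parser that lists every non-local name a hosts file overrides and reports when the file was last changed. The sample text is constructed from the two lines quoted in the thread, and the `LOCAL_NAMES` allowlist and function names are assumptions of this example.

```python
import ipaddress
import os
from datetime import datetime, timezone

# Constructed sample mirroring the two lines posted in the thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 adwords.google.com
"""

# Names that legitimately resolve to loopback (assumed allowlist; extend as needed).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: malformed line, skip it
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower()


def suspicious_entries(text):
    """Flag every non-local name the file overrides, for manual review."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        # Loopback or 0.0.0.0 makes the site unreachable; anything else redirects it.
        verdict = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((line_no, str(ip), name, verdict))
    return findings


def audit(path):
    """Return (last-modified time in UTC, findings). Run before editing the file."""
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        return mtime.isoformat(), suspicious_entries(fh.read())


if __name__ == "__main__":
    print(suspicious_entries(SAMPLE_HOSTS))
```

On the PC discussed in the thread, `audit(r"c:\windows\system32\drivers\etc\hosts")` would read the file named above; saving the file afterwards overwrites the timestamp, so record it first.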

GregOne




msg:3320467
 7:43 pm on Apr 24, 2007 (gmt 0)

It was 7:30am EST, but then I paused the account campaigns & changed the password. I logged in a bit later through another comp, because I couldn't access adwords through my main comp and noticed the campaigns were active again.

AdWordsAdvisor




msg:3320479
 7:51 pm on Apr 24, 2007 (gmt 0)

...hopefully they spot trends in these compromised accounts...

Along these very lines, GregOne, please take a look in your sticky mail for a message I sent you earlier. ;)

AWA

netmeg




msg:3320510
 8:24 pm on Apr 24, 2007 (gmt 0)

You also should maybe take a look at your account changes history in your AdWords account, to figure out exactly what was done.

jdMorgan




msg:3320530
 8:38 pm on Apr 24, 2007 (gmt 0)

AWA, also keep a lookout for reports of phony AdWords e-mails. It's possible that a rootkit could have been installed when an advertiser visited a phishing site...

Jim

Essex_boy




msg:3321137
 12:24 pm on Apr 25, 2007 (gmt 0)

I had a situation whereby someone was running my ads after I'd switched them off on a dead site.

Ran up a bill of 350+ - All I got from Google was a canned response.

Angelis




msg:3321142
 12:26 pm on Apr 25, 2007 (gmt 0)

If you can figure out how you got this problem in the first place, can you let us all know?

offender




msg:3321235
 1:33 pm on Apr 25, 2007 (gmt 0)

GregOne,

From the sounding here it appears to me to have been done through ActiveX code on Internet Explorer. I am guessing you use IE, I would personally format reinstall to get rid of all the bad code and then get Firefox.

www.getfirefox.com

Plus change AdWords password and contact your credit card company as they could have those details as well.

Have fun!

bwnbwn




msg:3321280
 2:30 pm on Apr 25, 2007 (gmt 0)

GregOne,
What I don't understand is why would they set up another credit card and info, why not just use yours?

Check the information on the credit card and see if it was legit.

Very strange to say the least.

jwolthuis




msg:3321286
 2:38 pm on Apr 25, 2007 (gmt 0)

Someone gets their computer compromised, and it makes the homepage of WebmasterWorld?

Why is this news?

rogerd




msg:3321300
 2:47 pm on Apr 25, 2007 (gmt 0)

It's news if it's an indicator of a campaign, apparently fairly sophisticated, to hijack Adwords accounts.

GregOne




msg:3321302
 2:47 pm on Apr 25, 2007 (gmt 0)

Because the ads it sets up point to links that redirect and in the middle of redirecting try to load an activex component, it spreads.

It sets up adgroups and uses common keywords such as business and orbitz, then tries to load the activex component or somehow does, on other computers.

It spreads by installing the activex on the computer that clicks the ad and looking to see if the infected host uses adwords, then does the same to their account.

It's sophisticated to say the least.

[edited by: GregOne at 2:49 pm (utc) on April 25, 2007]

jtara




msg:3321306
 2:50 pm on Apr 25, 2007 (gmt 0)

Why is this news?

It's news because of the targeting of the user's Adwords account, and the possibility of this being an automated attack. It could be the first of many, and so it's particularly important for Adwords users to be vigilant at this time.

optimist




msg:3321368
 3:36 pm on Apr 25, 2007 (gmt 0)

It's also news because I am confirming a second case of an Adwords account hacked.

netmeg




msg:3321390
 3:54 pm on Apr 25, 2007 (gmt 0)

Sorry to hear it - did it follow the same general idea as the first one reported? i.e. mysterious new campaigns showing up, overwritten host file?

pexcornel




msg:3321491
 5:30 pm on Apr 25, 2007 (gmt 0)

I had a campaign paused.
Or it was me? :))
Anyway...

optimist




msg:3321513
 5:52 pm on Apr 25, 2007 (gmt 0)

It does not appear to be the same. We're still determining if a PC was compromised.

The campaign was set up to help Content Network accounts as that was turned on and the daily budget was increased to a number that would have produced a 7 figure Monthly payout.
