homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Google / Google AdWords
Forum Library, Charter, Moderators: buckworks & eWhisper & skibum

Google AdWords Forum

This 53 message thread spans 2 pages: 53 ( [1] 2 > >     
Hacked AdWords Account?

 2:51 pm on Apr 24, 2007 (gmt 0)

I just had my AdWords account hacked and it seems campaigns were setup with redirects pointing to places like orbitz.com and business.com that try to install some activex remote desktop program.

Is this widespread or a few isolated cases? Pay close attention to your accounts, this started in my account since yesterday!


Tropical Island

 3:59 pm on Apr 24, 2007 (gmt 0)

Can you explain further.

Did someone break your password and actually change your account?


 4:02 pm on Apr 24, 2007 (gmt 0)

The password wasn't changed as I was able to login and see some new campaigns setup & running since yesterday.

I didn't setup these accounts and got emails stating some ads weren't approved by Google.

I looked in the credit card billing info area and noticed someone elses credit card info, name and address.

[edited by: GregOne at 4:05 pm (utc) on April 24, 2007]

Tropical Island

 4:06 pm on Apr 24, 2007 (gmt 0)

WOW, that's scary.

I assume you reported this to AW immediately.


 4:17 pm on Apr 24, 2007 (gmt 0)

Yes, even though it's difficult to call anyone at Google about AdWords.

The funny part is on my desktop I can't access the subdomain adwords.google.com, my comp is probably infected with something nasty.

I'm trying to get rid of that activex remotedesktop installation. Not sure if I did.


 4:22 pm on Apr 24, 2007 (gmt 0)

If you're on a PC, take a look at the contents of this file, and see if it's been overwritten to block out AdWords:



 5:15 pm on Apr 24, 2007 (gmt 0)

Gonna check now ... thanks for all your help!


 5:17 pm on Apr 24, 2007 (gmt 0) localhost adwords.google.com

crap! it's there! they somehow blocked it :(


 5:18 pm on Apr 24, 2007 (gmt 0)

yep...well just remove the line pertaining to adwords and you'll at least be able to get to the adwords subdomain for now.

You'll definitely want to do some "housecleaning" in your computer though.


 5:22 pm on Apr 24, 2007 (gmt 0)

House cleaning isn't finding anything, I'm behind 2 firewalls and have Mcafee going with active shield going. I'm running hitman pro as we speak ... this is not good.


 6:06 pm on Apr 24, 2007 (gmt 0)

unfortunately, while Mcafee is decent, it still doesn't spot everything and when it comes to spyware there are SO many different variations, there isn't one single program that can find them all.

IF you know that your system was compromised, I would be inclined to do a format/reinstall. It really is the only way to know for sure you got it all. It can be a complete pain, but so many hacks are so invasive you may never completely get rid of it and even if you do, you won't necessarily know.

I keep an image of a fresh install with all my needed programs already installed for just this reason. I can wipe everything and be back up and running in about 15 minutes.


 6:43 pm on Apr 24, 2007 (gmt 0)

Try Sophos's free rootkit remover.

It's possible your PC was rooted, and a program installed to send your AdWords account info to persons unknown. I wouldn't assert anything this "paranoid-sounding" except for the fact that the entry in your hosts file indicates a specific interest in AdWords.

Report anything else you find to AdWords.

This sounds very serious, and I suspect G will take it seriously.

Hopefully, you're not the first wave of a flood of compromised accounts...



 6:54 pm on Apr 24, 2007 (gmt 0)

I doubt it, this seems very complex and well thoughtout. I am probably the first wave hit, hopefully they spot trends in these compromised accounts and put an end to it quickly.


 7:05 pm on Apr 24, 2007 (gmt 0)

I don't suppose you noted the modification date and time on the hosts file, before you fixed it? Might give you a clue as to when it happened, and what all might have been going on at the time.


 7:43 pm on Apr 24, 2007 (gmt 0)

It was 7:30am EST, but then I paused the account campaigns & changed the password. I logged in a bit later through another comp, because I couldn't access adwords through my main comp and noticed the campaigns were active again.


 7:51 pm on Apr 24, 2007 (gmt 0)

...hopefully they spot trends in these compromised accounts...

Along these very lines, GregOne, please take a look in your sticky mail for a message I sent you earlier. ;)



 8:24 pm on Apr 24, 2007 (gmt 0)

You also should maybe take a look at your account changes history in your AdWords account, to figure out exactly what was done.


 8:38 pm on Apr 24, 2007 (gmt 0)

AWA, also keep a lookout for reports of phony AdWords e-mails. It's possible that a rootkit could have been installed when an advertiser visited a phishing site...



 12:24 pm on Apr 25, 2007 (gmt 0)

I had a situation where by someone was running my ads after id switched them off on a dead site.

Ran up a bill of 350+ - All I got from google was a canned response.


 12:26 pm on Apr 25, 2007 (gmt 0)

If you can figure out how you got this problem in the first place can you let us all know.


 1:33 pm on Apr 25, 2007 (gmt 0)


From the sounding here it appears to me to have been done through activeX code on Internet Explorer. I am guessing you use IE, I would personally format reinstall to get rid of all the bad code and then get firefox.


Plus change Adwords password and contact your credit card company as they could have those details as well.

Have fun!


 2:30 pm on Apr 25, 2007 (gmt 0)

What I don't understand is why would they set up another credit card and info why not just use yours.

Check the information on the credit card and see it it was legit..

very strange to say the least


 2:38 pm on Apr 25, 2007 (gmt 0)

Someone gets their computer compromised, and it makes the homepage of WebmasterWorld?

Why is this news?


 2:47 pm on Apr 25, 2007 (gmt 0)

It's news if it's an indicator of a campaign, apparently fairly sophisticated, to hijack Adwords accounts.


 2:47 pm on Apr 25, 2007 (gmt 0)

Because the ads it sets up point to links that redirect and in the middle of redirecting try to load an activex component, it spreads.

It sets up adgroups and uses common keywords such as business and orbitz, then tries to load the activex component or somehow does, on other computers.

It spreads by installing the activex on the computer that clicks the ad and looking to see if the infected host uses adwords, then does the same to their account.

It's sophisticated to say the least.

[edited by: GregOne at 2:49 pm (utc) on April 25, 2007]


 2:50 pm on Apr 25, 2007 (gmt 0)

Why is this news?

It's news because of the targeting of the user's Adwords account, and the possibility of this being an automated attack. It could be the first of many, and so it's particularly important for Adwords users to be vigilent at this time.


 3:36 pm on Apr 25, 2007 (gmt 0)

Its also news because I am confirming a second case of an Adwords account hacked.


 3:54 pm on Apr 25, 2007 (gmt 0)

Sorry to hear it - did it follow the same general idea as the first one reported? i.e. mysterious new campaigns showing up, overwritten host file?


 5:30 pm on Apr 25, 2007 (gmt 0)

I had a campaign paused.
Or it was me? :))


 5:52 pm on Apr 25, 2007 (gmt 0)

It does not appear to be the same. We're still determining if a PC was compromised.

The campaign was set up to help Content Network accounts as that was turned on and the daily budget was increased to a number that would have produced a 7 figure Monthly payout.

This 53 message thread spans 2 pages: 53 ( [1] 2 > >
Global Options:
 top home search open messages active posts  

Home / Forums Index / Google / Google AdWords
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved