Forum Moderators: martinibuster

Robin Hood type virus targeting AdSense/AdWords?

Has anyone else seen this yet?

         

justageek

3:30 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Although it targets both AdWords and AdSense I figure most AdSense people would see it before AdWords. So has anyone here seen it in action besides me?

I'm not sure how I got it but the only thing it does that I can tell is change the links on AdSense and AdWords ads so the user clicks directly to the advertiser's site. It looks like it may be using the &adurl variable in the links so you go directly where the advertiser intended you to go anyway.

Surely I'm not the only one who has been infected. It looks like I got it a few days ago and no matter what advertisement I click on I bypass the Google cash register. Good for the advertiser. Bad for Google and its publishers.

JAG

trannack

3:32 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not sure I understand. Also - are you clicking on your own ads - or are you seeing this from somewhere else?

shorebreak

3:43 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Perhaps if you provide some more details our engineering team could look into it on our end.

-Shorebreak

justageek

3:53 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not clicking on my ads. It is happening on every AdSense/AdWords ad I click on.

For example - I go to Google and search for 'travel' and I get the AdWords results back. For me the first one I see goes to www.*****.com. If I click the advertisement I should go to Google and get redirected to the advertiser's site after Google registers the click. But, what is happening now, is I am going directly to the advertiser's site as specified in the &adurl variable.

I found this by accident because I use PHP and often I watch my data stream to debug and as I was going through a log of mine I noticed no redirects were happening for AdSense or AdWords. This may be why I can't find anything about it anywhere on the Internet? Most people would never know it is happening to them.

JAG

justageek

5:36 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"Perhaps if you provide some more details our engineering team could look into it on our end."

What team and was my post clear enough Shorebreak?

JAG

Leonard0

6:41 pm on Nov 16, 2006 (gmt 0)

10+ Year Member



Wouldn't it also be possible for the virus to change the publisher's ID and get click revenue sent to the virus creator's AdSense account?

That would be an attractive scheme for the low-life on the web.

justageek

6:51 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hmm. I don't know if you can change the id but I did change the &adurl value just to see what would happen through a Google redirect and I'll be darned if Google didn't send me off to the new URL. I think there may be a bit of a bug in the Google system to even allow such a thing to happen.

So - has anyone else seen this on their machines yet?

JAG

koan

8:49 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I doubt anything that steals from the poor to give to the rich should be called "Robin Hood" type. It sounds more like a republican type ;)

justageek

10:17 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hmm. I'm thinking that Robin Hood is still a good name until McAfee or someone names it. If it stops Google from getting ninety some percent of its revenue then it also means that all the little guys spending on AdWords would be getting a break as well. AdSense folks would be the most affected as an individual.

JAG

jomaxx

10:23 pm on Nov 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Seems like the first step would be to run every available spyware checker to see what you're infected with.

If that doesn't do any good, uninstall anything that looks dodgy and then do a ctrl-alt-del to see if any unexpected processes are running.

justageek

12:16 am on Nov 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks Jomaxx,

Nothing has found it so I guess I'll just restore back to last week. I'm just curious as to how I got it, where it came from, if anyone else has seen it and how much revenue Google has lost or will lose because of it?

JAG

jomaxx

7:19 am on Nov 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Okay, well I hate to sound skeptical but that's my natural position on everything: A specially-written virus/spyware infection that allows AdSense ads to be displayed but bypasses the click-tracking element sounds farfetched, to say the least. I'd have to see some corroborating evidence, or at least a specific identification and description of the mechanism that causes this to happen, before I'd be willing to admit it exists.

I'm not trying to imply you're lying or even that you're mistaken, but I personally can't accept something like this based on one vague report. Sorry, nothing personal.

jomaxx

7:31 am on Nov 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



...I feel so guilty saying that. I mean, you're just sharing something you've observed.

I guess my point is that you yourself don't even know why you saw what you saw. The virus thing is really just a hypothesis. Anyway time will tell.

walrus

7:34 am on Nov 17, 2006 (gmt 0)

10+ Year Member



There was a post about a group of Turks recently, not sure where it is.

Fuzzyfish1000

10:11 am on Nov 17, 2006 (gmt 0)

10+ Year Member



?!?! I'm lost. Turks?! eh?

I can perfectly believe that a virus of that description would exist... It would only take someone who was a bit annoyed at Google to sit down and code something a bit clever. All it would need to do would be to sit on the TCP layer, and intercept HTTP traffic. AdSense code is pretty much always in the same layout, so it would be relatively easy to pick up. An alternative (and probably more likely) method would be an ActiveX plug-in that scanned the page for the AdSense JavaScript and replaced it. Might be worth checking your ActiveX installed objects (in IE - Tools, Internet Options, Settings, View Objects), or use Microsoft Anti-spyware's system explorer.

justageek

4:11 pm on Nov 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No worries on the earlier post Jomaxx :-) I'll try to backtrack where I went and what I downloaded and if I can isolate it I'll post where it came from. I restored to a previous point and I no longer see what I was seeing but I had to go back about a month though to get rid of it.

I think Fuzzyfish1000 has it right though. It acted something like a scumware contextual program but instead of popups and such it just changed the ad links and since Google uses the same scheme all the time it would always change them.

What troubles me the most is that if you change the &adurl variable to whatever URL you want then Google will redirect you there. That means that in theory this could be used in a very bad way where instead of sending the user to the advertiser as I saw the user could be sent anywhere the scumware wants the user to go and Google would do the redirect for them.

I also wonder who would get charged for the click? I'm hoping that Google is smart enough to realize the &adurl variable does not match but I don't know if that is the case since Google does the redirect as if all is OK :-/

JAG

bumpski

4:08 pm on Nov 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



JAG

Did you write AdSense directly about this?

Seems pretty important!

Plus my income and clicks are dropping off, maybe the virus you detected is spreading?

justageek

4:43 pm on Nov 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Bumpski - I have not written them about it and I cannot confirm anyone else has seen it so I don't want to false alarm the Google folks. I got rid of it on my machine and if I can 'catch' it again and see where it came from exactly then I have something concrete to show them :-/

JAG

gregbo

3:50 am on Nov 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"I also wonder who would get charged for the click? I'm hoping that Google is smart enough to realize the &adurl variable does not match but I don't know if that is the case since Google does the redirect as if all is OK :-/"

Good question for AWA, perhaps. It's possible that the advertiser is charged if all the other account information coming over in the click is left intact. If G did an extra check on the &adurl variable of every click to check that it matches what the account says it should be redirected to, it would slow down its ad processing.
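
An added example, not part of the thread and not a description of how Google's click handling works: one way a click redirector can detect an altered &adurl without looking up the account on every click is to sign the destination when the ad link is generated and verify the signature before redirecting. Only `adurl` comes from the thread; the `ad_id` and `sig` parameters, the key, the function names and the example hosts are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key for this example; a real service would load it from a secret store.
SIGNING_KEY = b"example-only-key"


def _sign(ad_id: str, adurl: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") sign differently.
    parts = (ad_id.encode(), adurl.encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def build_click_url(base: str, ad_id: str, adurl: str) -> str:
    """Called when the ad is rendered: bind the destination to the ad id."""
    query = urlencode({"ad_id": ad_id, "adurl": adurl, "sig": _sign(ad_id, adurl)})
    return f"{base}?{query}"


def resolve_click(click_url: str):
    """Called on click: return the redirect target, or None if the link was altered."""
    params = parse_qs(urlsplit(click_url).query)
    try:
        (ad_id,), (adurl,), (sig,) = params["ad_id"], params["adurl"], params["sig"]
    except (KeyError, ValueError):
        return None  # a parameter is missing, empty or supplied more than once
    if urlsplit(adurl).scheme not in ("http", "https"):
        return None  # never redirect to javascript:, data: or similar schemes
    expected = _sign(ad_id, adurl)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # adurl or ad_id changed after the link was issued
    return adurl


if __name__ == "__main__":
    # Constructed sample link on hypothetical hosts.
    good = build_click_url("https://ads.example/click", "ad-123",
                           "https://advertiser.example/landing?x=1&y=2")
    bad = good.replace("advertiser.example", "elsewhere.example")
    print(resolve_click(good))  # the original destination
    print(resolve_click(bad))   # None: refuse the redirect and do not bill the click
```

A click that fails verification can be logged rather than redirected, which also gives the operator a signal that links are being rewritten on the client side.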