Can you explain further.

Did someone break your password and actually change your account?

The password wasn't changed as I was able to login and see some new campaigns setup & running since yesterday.

I didn't setup these accounts and got emails stating some ads weren't approved by Google.

I looked in the credit card billing info area and noticed someone elses credit card info, name and address.

[edited by: GregOne at 4:05 pm (utc) on April 24, 2007]

WOW, that's scary.

I assume you reported this to AW immediately.

Yes, even though it's difficult to call anyone at Google about AdWords.

The funny part is on my desktop I can't access the subdomain adwords.google.com, my comp is probably infected with something nasty.

I'm trying to get rid of that activex remotedesktop installation. Not sure if I did.

If you're on a PC, take a look at the contents of this file, and see if it's been overwritten to block out AdWords:

c:\windows\system32\drivers\etc\hosts

Gonna check now ... thanks for all your help!

127.0.0.1 localhost

127.0.0.1 adwords.google.com

crap! it's there! they somehow blocked it :(

yep...well just remove the line pertaining to adwords and you'll at least be able to get to the adwords subdomain for now.

You'll definitely want to do some "housecleaning" in your computer though.

House cleaning isn't finding anything, I'm behind 2 firewalls and have Mcafee going with active shield going. I'm running hitman pro as we speak ... this is not good.

unfortunately, while Mcafee is decent, it still doesn't spot everything and when it comes to spyware there are SO many different variations, there isn't one single program that can find them all.

IF you know that your system was compromised, I would be inclined to do a format/reinstall. It really is the only way to know for sure you got it all. It can be a complete pain, but so many hacks are so invasive you may never completely get rid of it and even if you do, you won't necessarily know.

I keep an image of a fresh install with all my needed programs already installed for just this reason. I can wipe everything and be back up and running in about 15 minutes.

Try Sophos's free rootkit remover.

It's possible your PC was rooted, and a program installed to send your AdWords account info to persons unknown. I wouldn't assert anything this "paranoid-sounding" except for the fact that the entry in your hosts file indicates a specific interest in AdWords.

Report anything else you find to AdWords.

This sounds very serious, and I suspect G will take it seriously.

Hopefully, you're not the first wave of a flood of compromised accounts...

Jim

I doubt it, this seems very complex and well thoughtout. I am probably the first wave hit, hopefully they spot trends in these compromised accounts and put an end to it quickly.

I don't suppose you noted the modification date and time on the hosts file, before you fixed it? Might give you a clue as to when it happened, and what all might have been going on at the time.

It was 7:30am EST, but then I paused the account campaigns & changed the password. I logged in a bit later through another comp, because I couldn't access adwords through my main comp and noticed the campaigns were active again.

...hopefully they spot trends in these compromised accounts...

Along these very lines, GregOne, please take a look in your sticky mail for a message I sent you earlier. ;)

AWA

You also should maybe take a look at your account changes history in your AdWords account, to figure out exactly what was done.

AWA, also keep a lookout for reports of phony AdWords e-mails. It's possible that a rootkit could have been installed when an advertiser visited a phishing site...

Jim

I had a situation where by someone was running my ads after id switched them off on a dead site.

Ran up a bill of £350+ - All I got from google was a canned response.

If you can figure out how you got this problem in the first place can you let us all know.

GregOne,

From the sounding here it appears to me to have been done through activeX code on Internet Explorer. I am guessing you use IE, I would personally format reinstall to get rid of all the bad code and then get firefox.

www.getfirefox.com

Plus change Adwords password and contact your credit card company as they could have those details as well.

Have fun!

Gregone,
What I don't understand is why would they set up another credit card and info why not just use yours.

Check the information on the credit card and see it it was legit..

very strange to say the least

Someone gets their computer compromised, and it makes the homepage of WebmasterWorld?

Why is this news?

It's news if it's an indicator of a campaign, apparently fairly sophisticated, to hijack Adwords accounts.

Because the ads it sets up point to links that redirect and in the middle of redirecting try to load an activex component, it spreads.

It sets up adgroups and uses common keywords such as business and orbitz, then tries to load the activex component or somehow does, on other computers.

It spreads by installing the activex on the computer that clicks the ad and looking to see if the infected host uses adwords, then does the same to their account.

It's sophisticated to say the least.

[edited by: GregOne at 2:49 pm (utc) on April 25, 2007]

Why is this news?

It's news because of the targeting of the user's Adwords account, and the possibility of this being an automated attack. It could be the first of many, and so it's particularly important for Adwords users to be vigilent at this time.

Its also news because I am confirming a second case of an Adwords account hacked.

Sorry to hear it - did it follow the same general idea as the first one reported? i.e. mysterious new campaigns showing up, overwritten host file?

I had a campaign paused.
Or it was me? :))
Anyway...

It does not appear to be the same. We're still determining if a PC was compromised.

The campaign was set up to help Content Network accounts as that was turned on and the daily budget was increased to a number that would have produced a 7 figure Monthly payout.