Hacked AdWords Account?

     
2:51 pm on Apr 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0


I just had my AdWords account hacked and it seems campaigns were set up with redirects pointing to places like orbitz.com and business.com that try to install some ActiveX remote desktop program.

Is this widespread or a few isolated cases? Pay close attention to your accounts, this started in my account since yesterday!

3:59 pm on Apr 24, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member tropical_island is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 16, 2002
posts:2744
votes: 0


Can you explain further?

Did someone break your password and actually change your account?

4:02 pm on Apr 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0


The password wasn't changed as I was able to log in and see some new campaigns set up & running since yesterday.

I didn't set up these accounts and got emails stating some ads weren't approved by Google.

I looked in the credit card billing info area and noticed someone else's credit card info, name and address.

[edited by: GregOne at 4:05 pm (utc) on April 24, 2007]

4:06 pm on Apr 24, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member tropical_island is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 16, 2002
posts:2744
votes: 0


WOW, that's scary.

I assume you reported this to AW immediately.

4:17 pm on Apr 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0


Yes, even though it's difficult to call anyone at Google about AdWords.

The funny part is on my desktop I can't access the subdomain adwords.google.com, my comp is probably infected with something nasty.

I'm trying to get rid of that ActiveX remote desktop installation. Not sure if I did.

4:22 pm on Apr 24, 2007 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2005
posts:12928
votes: 198


If you're on a PC, take a look at the contents of this file, and see if it's been overwritten to block out AdWords:

c:\windows\system32\drivers\etc\hosts

5:15 pm on Apr 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0


Gonna check now ... thanks for all your help!

5:17 pm on Apr 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0



127.0.0.1 localhost

127.0.0.1 adwords.google.com

crap! it's there! they somehow blocked it :(

5:18 pm on Apr 24, 2007 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 28, 2002
posts:994
votes: 2


yep...well just remove the line pertaining to adwords and you'll at least be able to get to the adwords subdomain for now.

You'll definitely want to do some "housecleaning" in your computer though.

5:22 pm on Apr 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0


House cleaning isn't finding anything, I'm behind 2 firewalls and have McAfee going with active shield going. I'm running Hitman Pro as we speak ... this is not good.

6:06 pm on Apr 24, 2007 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 28, 2002
posts:994
votes: 2


Unfortunately, while McAfee is decent, it still doesn't spot everything and when it comes to spyware there are SO many different variations, there isn't one single program that can find them all.

IF you know that your system was compromised, I would be inclined to do a format/reinstall. It really is the only way to know for sure you got it all. It can be a complete pain, but so many hacks are so invasive you may never completely get rid of it and even if you do, you won't necessarily know.

I keep an image of a fresh install with all my needed programs already installed for just this reason. I can wipe everything and be back up and running in about 15 minutes.

6:43 pm on Apr 24, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Try Sophos's free rootkit remover.

It's possible your PC was rooted, and a program installed to send your AdWords account info to persons unknown. I wouldn't assert anything this "paranoid-sounding" except for the fact that the entry in your hosts file indicates a specific interest in AdWords.

Report anything else you find to AdWords.

This sounds very serious, and I suspect G will take it seriously.

Hopefully, you're not the first wave of a flood of compromised accounts...

Jim

6:54 pm on Apr 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0


I doubt it, this seems very complex and well thought out. I am probably the first wave hit, hopefully they spot trends in these compromised accounts and put an end to it quickly.

7:05 pm on Apr 24, 2007 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2005
posts:12928
votes: 198


I don't suppose you noted the modification date and time on the hosts file, before you fixed it? Might give you a clue as to when it happened, and what all might have been going on at the time.
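
The hosts-file check and the modification-time check suggested in this thread, as an added example that is not part of any poster's message. The function names and the sample file are constructed for illustration; the sample mirrors the two entries quoted earlier in the thread.

```python
import ipaddress
import os
import sys
from datetime import datetime, timezone

# Names that legitimately resolve to loopback on a stock system (assumed list).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample, mirroring the two entries quoted in the thread.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1 localhost
127.0.0.1 adwords.google.com
"""


def audit_hosts(text):
    """Return (line_no, address, hostname) for every non-local name that
    the hosts file pins to a loopback or unspecified address."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:  # one line may carry several hostnames
            if name.lower().rstrip(".") not in LOCAL_NAMES:
                findings.append((line_no, str(addr), name.lower()))
    return findings


def hosts_mtime(path):
    """Last-modified time of the hosts file in UTC; note it before editing."""
    return datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)


if __name__ == "__main__":
    text = SAMPLE_HOSTS
    if len(sys.argv) > 1:  # e.g. c:\windows\system32\drivers\etc\hosts
        print("last modified:", hosts_mtime(sys.argv[1]).isoformat())
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for line_no, addr, name in audit_hosts(text):
        print(f"line {line_no}: {name} is pinned to {addr}")
```

Entries added on purpose by ad-blocking hosts lists show up in the same way, so each finding is something to review rather than proof of compromise.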
7:43 pm on Apr 24, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0


It was 7:30am EST, but then I paused the account campaigns & changed the password. I logged in a bit later through another comp, because I couldn't access adwords through my main comp and noticed the campaigns were active again.

7:51 pm on Apr 24, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member adwordsadvisor is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 9, 2003
posts:4799
votes: 0


...hopefully they spot trends in these compromised accounts...

Along these very lines, GregOne, please take a look in your sticky mail for a message I sent you earlier. ;)

AWA

8:24 pm on Apr 24, 2007 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2005
posts:12928
votes: 198


You also should maybe take a look at your account changes history in your AdWords account, to figure out exactly what was done.

8:38 pm on Apr 24, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


AWA, also keep a lookout for reports of phony AdWords e-mails. It's possible that a rootkit could have been installed when an advertiser visited a phishing site...

Jim

12:24 pm on Apr 25, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member essex_boy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 19, 2003
posts:3177
votes: 3


I had a situation whereby someone was running my ads after I'd switched them off on a dead site.

Ran up a bill of 350+ - All I got from google was a canned response.

12:26 pm on Apr 25, 2007 (gmt 0)

Full Member

10+ Year Member

joined:July 8, 2005
posts:348
votes: 0


If you can figure out how you got this problem in the first place, can you let us all know?

1:33 pm on Apr 25, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 26, 2007
posts:13
votes: 0


GregOne,

From the sounding here it appears to me to have been done through ActiveX code on Internet Explorer. I am guessing you use IE; I would personally format/reinstall to get rid of all the bad code and then get Firefox.

www.getfirefox.com

Plus change Adwords password and contact your credit card company as they could have those details as well.

Have fun!

2:30 pm on Apr 25, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2005
posts:3532
votes: 15


Gregone,
What I don't understand is why would they set up another credit card and info, why not just use yours?

Check the information on the credit card and see if it was legit.

Very strange to say the least.

2:38 pm on Apr 25, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 6, 2005
posts:670
votes: 0


Someone gets their computer compromised, and it makes the homepage of WebmasterWorld?

Why is this news?

2:47 pm on Apr 25, 2007 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9687
votes: 0


It's news if it's an indicator of a campaign, apparently fairly sophisticated, to hijack Adwords accounts.

2:47 pm on Apr 25, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 19, 2007
posts:24
votes: 0


Because the ads it sets up point to links that redirect and in the middle of redirecting try to load an ActiveX component, it spreads.

It sets up adgroups and uses common keywords such as business and orbitz, then tries to load the ActiveX component or somehow does, on other computers.

It spreads by installing the ActiveX on the computer that clicks the ad and looking to see if the infected host uses adwords, then does the same to their account.

It's sophisticated to say the least.

[edited by: GregOne at 2:49 pm (utc) on April 25, 2007]

2:50 pm on Apr 25, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member jtara is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 26, 2005
posts:3041
votes: 0


Why is this news?

It's news because of the targeting of the user's Adwords account, and the possibility of this being an automated attack. It could be the first of many, and so it's particularly important for Adwords users to be vigilant at this time.

3:36 pm on Apr 25, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:June 17, 2003
posts:96
votes: 0


It's also news because I am confirming a second case of an Adwords account hacked.

3:54 pm on Apr 25, 2007 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2005
posts:12928
votes: 198


Sorry to hear it - did it follow the same general idea as the first one reported? i.e. mysterious new campaigns showing up, overwritten host file?

5:30 pm on Apr 25, 2007 (gmt 0)

New User

10+ Year Member

joined:Dec 2, 2004
posts:30
votes: 0


I had a campaign paused.
Or it was me? :))
Anyway...

5:52 pm on Apr 25, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:June 17, 2003
posts:96
votes: 0


It does not appear to be the same. We're still determining if a PC was compromised.

The campaign was set up to help Content Network accounts as that was turned on and the daily budget was increased to a number that would have produced a 7 figure Monthly payout.

This 53 message thread spans 2 pages: 53