Welcome to WebmasterWorld Guest from 220.127.116.11
Cheeky person paused our campaigns as well.. Caught it within 24 hours and I understand Google will refund charges for fraudulent activity, so no real harm done.
Best tip I've found is that if you go Campaign Management > Tools > My Change History you can see all the changes made to the account. This saved me a lot of time checking each ad in our legitimate campaigns to check the destination url hadn't been changed. Also revealed that he'd turned off all email notification.
Not sure how they got our details, although I'm as sure as I can be that it's not due to malware on a local machine. Don't think it was phished either although I can't be 100% positive. Maybe brute forced, or it got exposed some other way.
Really weird thing was that the destination domain in the fraudulent ads doesn't exist.. can't figure that out for the life of me..
Anyone got any tips for what to do in this situation?
[edited by: engine at 4:02 pm (utc) on Aug. 15, 2008]
When you hover over the link it sends you to log into your account it was something like adwords.google.com.example.com so im pretty sure they are going for it at the moment.
1 tip is to never click on any links via emails and always log into accounts from your bookmarks/favourites lists.
This goes for bank/paypal/ebay or any website that requires a password!
[edited by: jatar_k at 2:46 am (utc) on Aug. 15, 2008]
[edit reason] examplified [/edit]
I wondered how they were paying for the ads, I assumed it was stolen credit cards, but stolen accounts makes even more sense.
We've been getting a lot of the phishing emails that dazz mentions - purports to be an adwords billing problem notification but links to a .cn domain. We'd actually been having some genuine billing problems around the time they started and although before today I would have sworn we hadn't been fooled by it, being realistic that is probably the most likely way for our account details to have leaked.
I think someone (smartcompany?) entered an item about it in this forum previously
Thanks for promoting me from "small" to "smart" netmeg. ;)
Here are the two related posts:
All this is proving all of us that are paranoid were right. There’s one that says that the only good admin is the paranoid one, waiting for his network to go down any minute. This applies here too, 100%.
Why this “blah” talk?
Well, almost every day, for the last two weeks or so, I’ve been sending keywords and ad copies to support. On few occasions, I would get reply with big thanks. Finally, I got the one asking not to send examples anymore as the policy team reviews everything what is in violation.
The reason why I was sending all those is simple: To help and speed up the process so it’s easier to nail those down and finally shut them.
Based on compromised account number, you can see how important this is.
The example as of now is that on keyword “antivirus”, on Google.com (US) I see 4 (four) ads at the same time, with some crazy display URLs. 4 ads of which three are in premium yellow area!
Even worse on Google UK (six), and same on Google Canada, six again.
Now, is the team really on a top of it? If I, as an individual, am able to see them almost at any time during the day, how Google AdWords’ policy team is handling those?
I would take it that those should not run for more than 3 minutes, whenever they start running from newly compromised account.
And I will send an email again, and again, until I stop seeing those ads. Otherwise, I don’t believe anyone at Google AdWords is working on this.
I hope the “brains” will figure something out soon as this has been lasting for too, too long.
Only slight annoyance is that they suspended our legitimate ads while they were investigating the account, but I guess that's fair enough and I'm assured they should restart soon.
You will need to download what you can salvage and get ready to set up a new account. And even with that, you will need Google's help to turn the new account on.
If you just wait, nothing will happen as your email, domain, credit card etc have all been logged in the Google system as a potential problem.
The issue that I worked on, we were down for over one week, but the Google team was absolutely excellent in helping. However, the scammers have already targeted our client's new account and have been trying to break in.
In our case it appears that the client responded to what looked like a legitimate email message from Google and shared his information. They not only racked up a $10,000 bill on his American Express card in ONE DAY, but ran account optimization on all his ad groups to trash the information and installed new campaigns and locked him out of his own Google Account master user at the same time.
I would recommend working closely with Google, but downloading your account now, and getting primed to set up a new one with Google's help. They will not be able to transfer your click history and so you do start all over again. They will help you move your Analytics account over to your new account if you had one tied to your old account, you just have to ask AdWords support for help. It is best to call on the phone for all of this - faster. Here's the phone number: AdWords Support: (866) 246-6453.
Good luck and don't waste time waiting for your account to be turned on again. It will not be.
I was offered 3 options for getting the money back:
1. Have a credit for the amount taken put on the adwords account - this would lead to the account being reactivated "shortly thereafter".
2. Getting a refund issued by Google back onto the card the funds were taken from - this would keep the account suspended while the refund was being processed (no timescale given).
3. Doing a chargeback. This would blow the account and we would need to open a new one.
I went with option 1 and then got the email from our account manager saying she would let me know when the account was back on; no timescale given but I was assured previously on the phone that they understood it was urgent and it wouldn't be a long period.
It would be a real problem if we can't get it back quickly - it's drives a significant proportion of our revenue - but I'll give them a bit more time based on the assurances I've received.
I'll definitely take your advice to download the account info though, that's something I do no want to lose.
Does Google say anything about working with the FTC or FBI or anything? I love hearing that they are working well with you on this, very good to hear - but the cause must be rooted out eventually, in my opinion.
Those adwords phisihing emails seem like the place where law enforcement should start, and work with G to set a honey pot and snare the farkers.
Hope you're back up and running optimally soon, thanks for sharing.
And somewhere in this thread, brute force was mentioned... I hope my peers here are using very strong password / credential practices!
Always use encryption locally to store passwords. Ideally do not store them at all locally on the PC you operate daily unless absolutely necessarily. Even better if you have exceptional memory and can remember the strings.
Never click on anything that gets sent in emails from Google.com
We recieved 2 different repayment options.
I was really very impressed with the way google dealt with the problem.
It gonna be interesting to see what it do to my quality score though.
I think it's still taking too long and that some of Google's searchers are suffering by getting caught into this scheme, whatever that is (after getting a virus).
Judging from what others have said that, if adwords downtime is important to your business, is to make sure you get the credit applied to the account rather than a refund. We're up and running again 5 days after the initial problem, and I think it should have been faster - the issue yesterday seems to have been a one-off error.
My Adwords account has been compromissed yesterday.
A new campaign has been created with a daily budget of 12.000 euro, of which over 10.000 euro has been spend. Ofcourse I did not create this account myself.
1. Customer ID: #*$!#*$!#*$!#*$!xx
2. The account was first compromissed at 23 Aug 2008 00:01:19 (see attached screenshots of my 'My Change History' - Picture 3.png)
3. A new campaign 'Campaign #2' has been created and 85 keywords have been added with a Max cpc of 5 euro (See attached screenshot Picture 1.png) . All keywords are related to anti-virus software and seem to be pointing to the domain name antivirus-2008-noadware.com (where you can download Antivirus XP 2008 - see attached sreenshot Picture 7.png) They also changed settings so I would no longer receive notication messages by email. They 'planned' this hack a short time before a planned outage of the Adwords system, for maintenance, would take place.
4. My home IP-address: #*$!#*$!#*$! and IP-address at work is: #*$!#*$!xx (I also sometimes login using my iPhone or another computer)
5. I did not share nor was uncarefull with my login credentials and am not aware I've been targeted with a phishing email/website.
I did some investigation myself and it seems like this 'Antivirus XP 2008' is a fraud and it installs some sort of spyware on your computer. Please find attached the whois details of the domainname the campaign was pointing to.
Action's I've taken after I found out my account has ben compromissed:
1. Paused the Campaign #2
2. Cancelled my Adwords account
3. Changed login credentials of my Google account.
I am shocked this happened to me (it seems to happen more often, see for example: [webmasterworld.com...] and hope you are willing to investigate in what happened.
Could you please hold my bankingaccount from being depited as I have nothing to do with this campaign, it concerns such a big sum of money I will run into problems if this is taken out of my account.
Would it help your possible investigation if I would file a report at the Police?
Hoping you can help me with this problem.
Edit: See: [siteadvisor.com...]
If you are concerned I would certainly phone Adwords support rather than just emailing them. Even if you've not been given the support number (I'm not sure if this goes out to all adwords users) you can find it easily enough (Nancy99 quoted the US number earlier in this thread).
would be nice if this gets sorted quickly
Sure it would, but it will probably take much longer to sort out individual cases.
And that is understandable. It takes long time in order to put all pieces together, plus always take into account that Google is a huge company – the bigger the corporation, the more time things take to be done.
I did express my opinion here and to some of Google’s support team members that such ads should not take more than 5 minutes to run, before taken down. Whenever I see them, I send an email or phone support and report them, with no much thinking.
I even have a reply from support that I should not be sending such emails anymore, as they’re on a top of it... do you think so?
One fact coming out from here is that Google AdWords is still struggling with invalid display URLs.
The base for this claim is that over 90% of these ads were having invalid display URL.
So, why the system did not catch them at the first place, but they kept appearing in approved premium (yellow) area?
Several measures could prevent this happening at all, or reduce its impact a lot:
- Fix invalid display URL issue.
- Implement automated flagging system that would trigger an alert on anything in a connection to so called “antivirus xp 2008”.
- If Google AdWords’ system is capable of checking the landing page content, in order to calculate QS, the system could also be tweaked to “figure” if it's dealing with a site from a “no no” list. That way, regardless of display URL, the ad could be stopped, based on the findings about landing page (like URL itself).
- Since this seems to be a serious issue, create temporary alerts that will flag any virus/antivirus related ad text. Check it manually before letting it out. In addition, the alert could be configured with some conditions, like keywords, new campaign, new ad group, new this, new that.
- Why the system is letting word “best” going through in ad text, another key for alerting.
- Educate front line people about this. I did have responses like “huh”, “how do you know”, and so on. Come on, this thing is so easy to recognize. Just watching the PPC space for top 5 or top 10 antivirus related keywords teaches you what ads are showing there on a regular base. Anything new, especially with bit weird ad text and silly display URLs is suspicious.
Where is all that creativity of Google? This is important to get nailed down as it affects both advertisers, and (for Google) more importantly users that get caught into that “antivirus offer”.
This could be handled better, certainly much better.
"Thank you for your email. I understand that you are concerned about unauthorised activity in your AdWords account following a new campaign being set up with a daily budget of €12,000.
Your complaint has been forwarded to our Specialist team for investigation. As a precaution, your account will be suspended during our investigation, which may take up to several working days. At the end of our investigation, we'll reactivate your account and reimburse you for any costs accrued due to the unauthorised activity. We'll email you at that point to let you know the result."
It appears as a regular, Please submit your payment information, telling you google were unable to process your payment.
The sign in link to adwords looks okay, but when you look at the actual link it goes to www.(adwords domain part}.svoipt.cn/....