Welcome to WebmasterWorld Guest from

Forum Moderators: buckworks & eWhisper & skibum

Message Too Old, No Replies

Adwords Account Hacked

seems to be a bit of it about



11:05 am on Aug 14, 2008 (gmt 0)

10+ Year Member

More a heads up than anything; we've just had someone compromise our adwords account - they added a new campaign with an insane budget promoting some dodgy "anti" virus site. Been doing a bit of searching around and have seen other recent reports of hacks with a similar mo.

Cheeky person paused our campaigns as well.. Caught it within 24 hours and I understand Google will refund charges for fraudulent activity, so no real harm done.

Best tip I've found is that if you go Campaign Management > Tools > My Change History you can see all the changes made to the account. This saved me a lot of time checking each ad in our legitimate campaigns to check the destination url hadn't been changed. Also revealed that he'd turned off all email notification.

Not sure how they got our details, although I'm as sure as I can be that it's not due to malware on a local machine. Don't think it was phished either although I can't be 100% positive. Maybe brute forced, or it got exposed some other way.

Really weird thing was that the destination domain in the fraudulent ads doesn't exist.. can't figure that out for the life of me..

Anyone got any tips for what to do in this situation?

[edited by: engine at 4:02 pm (utc) on Aug. 15, 2008]


11:33 am on Aug 14, 2008 (gmt 0)

10+ Year Member

I received a couple of dodgy emails with "Your Adwords account is suspended" or something similar within the last week so I think they are attacking some accounts at the moment.

When you hover over the link it sends you to log into your account it was something like adwords.google.com.example.com so im pretty sure they are going for it at the moment.

1 tip is to never click on any links via emails and always log into accounts from your bookmarks/favourites lists.

This goes for bank/paypal/ebay or any website that requires a password!

[edited by: jatar_k at 2:46 am (utc) on Aug. 15, 2008]
[edit reason] examplified [/edit]


2:59 pm on Aug 14, 2008 (gmt 0)

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Is it the Windows XP Anti Virus? That's actually a virus in itself; I spent an hour on the phone a couple weeks ago walking a clueless client through removing it from her system so she could get the company payroll done. I think someone (smartcompany?) entered an item about it in this forum previously.

I wondered how they were paying for the ads, I assumed it was stolen credit cards, but stolen accounts makes even more sense.


3:37 pm on Aug 14, 2008 (gmt 0)

10+ Year Member

I've seen a couple of threads on here about the Windows XP Anti Virus thing here, and no it wasn't that specifically, although the same sort of thing. Although as I said the domain promoted doesn't actually exist... They'd got several hundred clicks to it so I guess that's a good thing but I can't figure it out.

We've been getting a lot of the phishing emails that dazz mentions - purports to be an adwords billing problem notification but links to a .cn domain. We'd actually been having some genuine billing problems around the time they started and although before today I would have sworn we hadn't been fooled by it, being realistic that is probably the most likely way for our account details to have leaked.


4:33 pm on Aug 14, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

I think someone (smartcompany?) entered an item about it in this forum previously

Thanks for promoting me from "small" to "smart" netmeg. ;)

Here are the two related posts:



All this is proving all of us that are paranoid were right. There’s one that says that the only good admin is the paranoid one, waiting for his network to go down any minute. This applies here too, 100%.

Why this “blah” talk?

Well, almost every day, for the last two weeks or so, I’ve been sending keywords and ad copies to support. On few occasions, I would get reply with big thanks. Finally, I got the one asking not to send examples anymore as the policy team reviews everything what is in violation.
The reason why I was sending all those is simple: To help and speed up the process so it’s easier to nail those down and finally shut them.

Based on compromised account number, you can see how important this is.

The example as of now is that on keyword “antivirus”, on Google.com (US) I see 4 (four) ads at the same time, with some crazy display URLs. 4 ads of which three are in premium yellow area!

Even worse on Google UK (six), and same on Google Canada, six again.

Now, is the team really on a top of it? If I, as an individual, am able to see them almost at any time during the day, how Google AdWords’ policy team is handling those?
I would take it that those should not run for more than 3 minutes, whenever they start running from newly compromised account.

And I will send an email again, and again, until I stop seeing those ads. Otherwise, I don’t believe anyone at Google AdWords is working on this.

I hope the “brains” will figure something out soon as this has been lasting for too, too long.


5:21 pm on Aug 14, 2008 (gmt 0)

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Thanks for promoting me from "small" to "smart" netmeg. ;)

It's an upgrade! ork ork


8:39 pm on Aug 14, 2008 (gmt 0)

10+ Year Member

I was seeing up to 3 adword ads at a time on the first page for the phony antivirus on every phrase matched search for "software" or "PC" today. I tried contacting the Adwords people in the online chat, but left it after awhile of being the third in queue, maybe they got my original message anyways. I noticed they were gone not too long after I noticed them.


10:49 am on Aug 15, 2008 (gmt 0)

10+ Year Member

I've been impressed with Google's handling of this. Been sorted out quickly and we've been offered either a refund or a credit on our adwords account.

Only slight annoyance is that they suspended our legitimate ads while they were investigating the account, but I guess that's fair enough and I'm assured they should restart soon.


1:04 pm on Aug 15, 2008 (gmt 0)

10+ Year Member

I have had experience with this as well. Please be aware that once your account is compromised. Google will not restart the account. They will never activate that account again.

You will need to download what you can salvage and get ready to set up a new account. And even with that, you will need Google's help to turn the new account on.

If you just wait, nothing will happen as your email, domain, credit card etc have all been logged in the Google system as a potential problem.

The issue that I worked on, we were down for over one week, but the Google team was absolutely excellent in helping. However, the scammers have already targeted our client's new account and have been trying to break in.

In our case it appears that the client responded to what looked like a legitimate email message from Google and shared his information. They not only racked up a $10,000 bill on his American Express card in ONE DAY, but ran account optimization on all his ad groups to trash the information and installed new campaigns and locked him out of his own Google Account master user at the same time.

I would recommend working closely with Google, but downloading your account now, and getting primed to set up a new one with Google's help. They will not be able to transfer your click history and so you do start all over again. They will help you move your Analytics account over to your new account if you had one tied to your old account, you just have to ask AdWords support for help. It is best to call on the phone for all of this - faster. Here's the phone number: AdWords Support: (866) 246-6453.

Good luck and don't waste time waiting for your account to be turned on again. It will not be.


2:16 pm on Aug 15, 2008 (gmt 0)

10+ Year Member

Hmm - I have a personal email from our account manager saying that it would be reactivated.

I was offered 3 options for getting the money back:

1. Have a credit for the amount taken put on the adwords account - this would lead to the account being reactivated "shortly thereafter".

2. Getting a refund issued by Google back onto the card the funds were taken from - this would keep the account suspended while the refund was being processed (no timescale given).

3. Doing a chargeback. This would blow the account and we would need to open a new one.

I went with option 1 and then got the email from our account manager saying she would let me know when the account was back on; no timescale given but I was assured previously on the phone that they understood it was urgent and it wouldn't be a long period.

It would be a real problem if we can't get it back quickly - it's drives a significant proportion of our revenue - but I'll give them a bit more time based on the assurances I've received.

I'll definitely take your advice to download the account info though, that's something I do no want to lose.


3:37 pm on Aug 15, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

Aargh, somebody needs to be jailed forever. Perps aren't just stealing money, but are wreaking such havoc as well, and they know it.

Does Google say anything about working with the FTC or FBI or anything? I love hearing that they are working well with you on this, very good to hear - but the cause must be rooted out eventually, in my opinion.

Those adwords phisihing emails seem like the place where law enforcement should start, and work with G to set a honey pot and snare the farkers.

Hope you're back up and running optimally soon, thanks for sharing.

And somewhere in this thread, brute force was mentioned... I hope my peers here are using very strong password / credential practices!


4:10 pm on Aug 15, 2008 (gmt 0)

10+ Year Member

Did anyone figure out how they are getting the passwords?


4:33 pm on Aug 15, 2008 (gmt 0)

10+ Year Member

phishing emails that look like they are from Google Adwords.


5:07 pm on Aug 15, 2008 (gmt 0)

10+ Year Member

I've seen those, but never clicked on anything, is there a new bugin outlook express or something they are using to execute code?


5:42 pm on Aug 15, 2008 (gmt 0)

10+ Year Member

No they're just links - it looks like a billing problem notification from adwords; presumably to a mucked up page that looks like the adwords login page. I'm not certain but this is the most likely way that our account was compromised (which is embarrassing as hell :().


6:11 pm on Aug 15, 2008 (gmt 0)

10+ Year Member

I know I never clicked on one, is there something else out there in the wild we don't know about?


1:04 am on Aug 18, 2008 (gmt 0)

5+ Year Member

This happened to us nearly the same, except it was traced back to a phishing email someone clicked on and logged in. Ads were directed to an insurance site of the nature I couldn't quite understand, but it really didn't matter. Our time to resolve and get a credit was unaccetable, nearly 3 weeks though. We were credited back on the card and never given the option to credit the account. It appears had we got that option we would have jumped on it!


6:23 am on Aug 18, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

This might seem obvious, and probably doesn't address the issue here, but some words of wisdom I was learned after a similar debacle were:

Always use encryption locally to store passwords. Ideally do not store them at all locally on the PC you operate daily unless absolutely necessarily. Even better if you have exceptional memory and can remember the strings.

Never click on anything that gets sent in emails from Google.com


9:17 am on Aug 18, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

We got our account reactivated in less than 7 days from initial reporting to our account manager.

We recieved 2 different repayment options.

I was really very impressed with the way google dealt with the problem.

It gonna be interesting to see what it do to my quality score though.


10:16 pm on Aug 18, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

It's still there, one ad at the time. Google has brought one down, and sure, new one is going on right now, approved again (premium area).

I think it's still taking too long and that some of Google's searchers are suffering by getting caught into this scheme, whatever that is (after getting a virus).


11:25 am on Aug 19, 2008 (gmt 0)

10+ Year Member

All seems to be up and running again now. A bit of confusion yesterday when the ads - which had restarted over the weekend - stopped again, but everything seems normal now.

Judging from what others have said that, if adwords downtime is important to your business, is to make sure you get the credit applied to the account rather than a refund. We're up and running again 5 days after the initial problem, and I think it should have been faster - the issue yesterday seems to have been a one-off error.


10:46 pm on Aug 19, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

I wonder if this is ever going to stop. Right now, the two ads are in the space. That means another two hacked accounts.

I remember asking a rep to pass my suggestion about being able to see user login logs. I'll post it into wish list thread.


8:21 am on Aug 24, 2008 (gmt 0)

5+ Year Member

Same thing happened to me yesterday. I've send an email to Google explaining what happened. I'm really shocked this kind of things are possible and I was targeted. Hoping Google will solve this issue and the people who hacked into my account will somehow be caught and tied to the highest tree in the neighbourhood.


My Adwords account has been compromissed yesterday.
A new campaign has been created with a daily budget of 12.000 euro, of which over 10.000 euro has been spend. Ofcourse I did not create this account myself.

1. Customer ID: #*$!#*$!#*$!#*$!xx

2. The account was first compromissed at 23 Aug 2008 00:01:19 (see attached screenshots of my 'My Change History' - Picture 3.png)

3. A new campaign 'Campaign #2' has been created and 85 keywords have been added with a Max cpc of 5 euro (See attached screenshot Picture 1.png) . All keywords are related to anti-virus software and seem to be pointing to the domain name antivirus-2008-noadware.com (where you can download Antivirus XP 2008 - see attached sreenshot Picture 7.png) They also changed settings so I would no longer receive notication messages by email. They 'planned' this hack a short time before a planned outage of the Adwords system, for maintenance, would take place.

4. My home IP-address: #*$!#*$!#*$! and IP-address at work is: #*$!#*$!xx (I also sometimes login using my iPhone or another computer)

5. I did not share nor was uncarefull with my login credentials and am not aware I've been targeted with a phishing email/website.

I did some investigation myself and it seems like this 'Antivirus XP 2008' is a fraud and it installs some sort of spyware on your computer. Please find attached the whois details of the domainname the campaign was pointing to.

Action's I've taken after I found out my account has ben compromissed:
1. Paused the Campaign #2
2. Cancelled my Adwords account
3. Changed login credentials of my Google account.

I am shocked this happened to me (it seems to happen more often, see for example: [webmasterworld.com...] and hope you are willing to investigate in what happened.
Could you please hold my bankingaccount from being depited as I have nothing to do with this campaign, it concerns such a big sum of money I will run into problems if this is taken out of my account.

Would it help your possible investigation if I would file a report at the Police?

Hoping you can help me with this problem.

Best regards

Edit: See: [siteadvisor.com...]


1:28 pm on Aug 24, 2008 (gmt 0)

5+ Year Member

Well 027viaa, Exact the same thing happened to my account. The exact procedure, the same 85 keywords at 5€ bids... they used my Credit card, over 9thousands €. It's happenning a lot lately. I just emailed Google with al details. I´m pretty sure that they will solve this problem, since it has happened to many of us now.



6:54 pm on Aug 24, 2008 (gmt 0)

5+ Year Member

Well I'm still worried....would be nice if this gets sorted quickly.


8:22 pm on Aug 24, 2008 (gmt 0)

10+ Year Member

027viaa, I wouldn't worry if it's getting your money back that you are concerned about. Google are always very clear that they will reimburse you in cases like this. You can always do a chargeback at the end of the day if there was a problem there (be prepared to lose your current account if you do this).

If you are concerned I would certainly phone Adwords support rather than just emailing them. Even if you've not been given the support number (I'm not sure if this goes out to all adwords users) you can find it easily enough (Nancy99 quoted the US number earlier in this thread).


8:27 pm on Aug 24, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

would be nice if this gets sorted quickly

Sure it would, but it will probably take much longer to sort out individual cases.
And that is understandable. It takes long time in order to put all pieces together, plus always take into account that Google is a huge company – the bigger the corporation, the more time things take to be done.

I did express my opinion here and to some of Google’s support team members that such ads should not take more than 5 minutes to run, before taken down. Whenever I see them, I send an email or phone support and report them, with no much thinking.

I even have a reply from support that I should not be sending such emails anymore, as they’re on a top of it... do you think so?

One fact coming out from here is that Google AdWords is still struggling with invalid display URLs.
The base for this claim is that over 90% of these ads were having invalid display URL.

So, why the system did not catch them at the first place, but they kept appearing in approved premium (yellow) area?

Several measures could prevent this happening at all, or reduce its impact a lot:

- Fix invalid display URL issue.
- Implement automated flagging system that would trigger an alert on anything in a connection to so called “antivirus xp 2008”.
- If Google AdWords’ system is capable of checking the landing page content, in order to calculate QS, the system could also be tweaked to “figure” if it's dealing with a site from a “no no” list. That way, regardless of display URL, the ad could be stopped, based on the findings about landing page (like URL itself).
- Since this seems to be a serious issue, create temporary alerts that will flag any virus/antivirus related ad text. Check it manually before letting it out. In addition, the alert could be configured with some conditions, like keywords, new campaign, new ad group, new this, new that.
- Why the system is letting word “best” going through in ad text, another key for alerting.
- Educate front line people about this. I did have responses like “huh”, “how do you know”, and so on. Come on, this thing is so easy to recognize. Just watching the PPC space for top 5 or top 10 antivirus related keywords teaches you what ads are showing there on a regular base. Anything new, especially with bit weird ad text and silly display URLs is suspicious.

Where is all that creativity of Google? This is important to get nailed down as it affects both advertisers, and (for Google) more importantly users that get caught into that “antivirus offer”.

This could be handled better, certainly much better.


9:19 am on Aug 25, 2008 (gmt 0)

5+ Year Member

Update: received an email from Google:

"Thank you for your email. I understand that you are concerned about unauthorised activity in your AdWords account following a new campaign being set up with a daily budget of €12,000.

Your complaint has been forwarded to our Specialist team for investigation. As a precaution, your account will be suspended during our investigation, which may take up to several working days. At the end of our investigation, we'll reactivate your account and reimburse you for any costs accrued due to the unauthorised activity. We'll email you at that point to let you know the result."


6:04 pm on Aug 25, 2008 (gmt 0)

10+ Year Member

I have actually seen one of these Phishing emails.

It appears as a regular, Please submit your payment information, telling you google were unable to process your payment.

The sign in link to adwords looks okay, but when you look at the actual link it goes to www.(adwords domain part}.svoipt.cn/....


6:10 pm on Aug 25, 2008 (gmt 0)

10+ Year Member

rogix.cn is another domain hosting it
This 41 message thread spans 2 pages: 41

Featured Threads

Hot Threads This Week

Hot Threads This Month