
Forum Moderators: buckworks & eWhisper & skibum

Google Ads Malicious Code (did Google just up their filter?)

     
2:47 pm on Nov 5, 2019 (gmt 0)

Full Member

10+ Year Member

joined:Dec 2, 2008
posts:229
votes: 4


Greetings all.

We got all our ads disapproved and had cited back to us:


This email is in regards to your Ads Account XXXXXXX wherein your ads disapproved due to malicious and unwanted software.

Google doesn't allow the promotion of sites infected with malware, or the sale of malicious software. In some cases, you may be unaware that you have malware on your site. But to protect the safety and security of our users, we stop all ads pointing to sites where we find malware. See how to fix malware problems below.

"Malicious software" refers to any software specifically designed to harm a computer or the software it's running. Malware can steal sensitive information (like credit card numbers or passwords) or even send fake emails from a user's email account, often without the user's knowledge. Malware includes, but isn't limited to, viruses, worms, spyware, and Trojan horses.

What have we found?

Our latest scan from your site came back, and still detects Malware/links that are potentially harmful to you and to the site visitors. It seems that your site (landing page) redirects users to malicious links OR triggered when clicked. Below is the compromised page:

[xxxxxx...]

What needs to be done?

Please contact your webmaster to remove these links and check for other potentially harmful links. You may assess your site using Google Search Console (previously known as Webmaster Tools). You can click on this link for further details OR refer to stopbadware sites for any guidance.

Next Steps:

Request you to make the necessary changes to the website and reply to this email thread so that I will be able to get your website reviewed by the concern team. Once the website complies with all the Google policies, suspension on your website could be revoked and we can help in getting your ads approved.

Once Google Webmaster Tools reports that your site is clean, please reply to this email so that I can escalate it with the concerned team and get your website reviewed.

I hope this helps and please reply to this email if you need further clarification or assistance on this.

Have a wonderful day ahead!


I don't like being told to have a wonderful day when clearly the email has been pre-drafted and while this has been set my service delivery is affected. Just a note for Google there.

Here are some additional bits of info:

- No change to website codes (like it has been for at least 6 months now)
- No popups on arrival, only on exit (like it has been for at least 6 months now)
- No dropping out of the Search Index (I checked across lots of browsers, even Chrome still had it in Google Search)
- No Manual actions in Google Search Console.
- No Malware on scans of website.

So, yeah Google I'm having simply a wonderful day - sorry did I also say I'm not actually getting paid to fix this problem either because the client doesn't pay for that they pay for ad-delivery and if nothing has changed on the website then where's the problem?

This leads me to my question about whether or not Google has upped some of its filters against websites recently. I could not find anything posted on the other SEO usual suspects hubs so thought I would ask my learned and probably equally frustrated colleagues over here :)

Cheers.

2Clean
4:38 pm on Nov 5, 2019 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator buckworks is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 9, 2001
posts:5838
votes: 163


>> still detects Malware/links that are potentially harmful

They could certainly be more informative, couldn't they!

Something else to rule out: I'm wondering if the site is linking to something external that has become infected.

That has created problems for me from time to time. I link to a lot of sites and more than once I've received warnings because something I was linking to had become infected. The link triggered Google's warning behaviour even though the malware was on someone else's site, not mine. Removing the link removed the warning.
6:38 pm on Nov 5, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 20, 2006
posts:2176
votes: 94


Go through the steps here: [support.google.com...]

If you have any downloadable files, look closely there.

I have seen this happen many times, and more often than not, an infection is there; false alarms are somewhat rare.
On our own eComm store, I was at first indignant, then we found an intruder. My sysadmin had intentionally left a port open so he could get easy access overseas; it was found by a hacker, who then got it and did all sorts of things. So before you say definitely (like I did) that no software changes were made, look harder.

Good luck!
8:28 am on Nov 6, 2019 (gmt 0)

Full Member

10+ Year Member

joined:Dec 2, 2008
posts:229
votes: 4


Thanks @buckworks and @rhinofish

Should we assume that the domain that the link that is included in that message (which in this case is simply the domain name) indicates where the problem is? Or do we need to assume that *somewhere* on that domain there is a problem?

I ask because the cited URL has 8 external links that are all absolutely fine, which means I am wondering whether Google just gives you the domain name and says "good luck with that mate".

In the Security Issues report, "Malware" refers to web-based malware that operates without explicit user action. "Harmful downloads" refers to malware or unwanted software downloads that must be explicitly downloaded by the user.

"Security issues: No issues detected"

I'll have another look but frankly if there is a problem Google should just tell you where it is, it's plain lazy that they can't be specific about the problem.
8:00 pm on Nov 6, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 20, 2006
posts:2176
votes: 94


"Our latest scan from your site came back, and still detects Malware/links that are potentially harmful to you and to the site visitors. It seems that your site (landing page) redirects users to malicious links OR triggered when clicked. Below is the compromised page:"

Seems pretty specific to me.
They pointed you to the page.
Malware can change its behavior, so it's not certain that you can "see" it doing its dirty deeds.

Look at the code on your page, compare it to a backup of your page from more than 60 days ago, see what new code may have found its way onto your page.

Since they mentioned redirects too, have your webmaster look into any redirects that are hopping thru (or to) any other domains or sub-domains besides yours.
9:20 am on Nov 12, 2019 (gmt 0)

Full Member

10+ Year Member

joined:Dec 2, 2008
posts:229
votes: 4


Hi there.

So, kick back in your chair....here's an update.

Google Ads email message simply contained the domain name. This was Tuesday. PPC Manager spent 4 hours with Google support over the course of the next 3 days trying to find out what the problem was. Each time support team said that there was malware, but they could not be specific as to the reasons why. Ads were getting manually approved and then the next day disapproved.

Today, one week on we finally get a message in Google Search Console (GSC). That is one week after the first Google Ads notifications kicked in. It's taken a whole week for that to arrive. What we now see is a specific URL in our GSC account. That URL contains a piece of malware that was injecting itself only if there was a GCLID parameter in the URL. In all other situations there would be no code injection.

What has made this even harder is that both Google Chrome and Internet Explorer don't detect the malware in as much as showing the famous RED MESSAGE on the page saying the page is compromised.

The only thing funny in all of this is that a browser competitor, Firefox, blocked the malware based on an "advisory provided by Google Safe Browsing". You couldn't script this stuff for a play if you tried.

Thanks RhinoFish, yes we are looking at change dates on the PHP files :)

2Clean

ps. Always use Firefox :=)
11:17 am on Nov 12, 2019 (gmt 0)

Full Member

10+ Year Member

joined:Dec 2, 2008
posts:229
votes: 4


Hold on, it gets worse.

Turns out it is just a specific gclid= parameter that is causing the malware alert, even on sub-domains of the property where there are completely different CMS being used. Simply add the specific GCLID parameter to any url on any page or any subdomain (within the same client domains) and you get this warning. Change the GCLID and the same page is completely fine.
5:31 pm on Nov 12, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 20, 2006
posts:2176
votes: 94


2clean, I know you know this, but for others...

gclid is Google Click ID, it is the parameter that Google's ad servers append to the inbound link (when a person clicks on a Google ad).
From this gclid value, Google Analytics can unwind the UTM parameters (like campaign, source, medium, etc), and Google can use the gclid number to tie sale / lead activity back to the click that preceded the activity. In other words, gclid values are needed for Google tracking to work properly.

To me, what is happening here is, to hide the malware from people seeing it, but to make sure it fires most of the time, the malware programmer has set up a conditional set of code... if gclid is present, do bad things; if gclid is not present, stand down to avoid detection.

Normally, people who clicked on Google ads should be the only visitors who have gclid parameters appended to the incoming requested url.

Further, 2clean is saying that only certain gclid values make the malware fire, not merely the presence of any gclid value(s), like the malware is able to target certain visitors, based on their specific gclid value.

Strange stuff! If it is a hacker, Google will sort this out, they can't have bad actors effing with gclid values, they are too critical to good tracking of all things Google.

2clean, I hope Google provides an abundance of help and info to you! (Yes, I'm definitely an optimist!) I hope your justified frustration turns to joy soon! And that somewhere, a hacker, has a truly #*$!ty Thanksgiving once Google hammers his / her nefarious, irritating tactics to teentsy little pieces of oblivion.
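One way to test for the parameter-conditional behaviour discussed in this thread is to fetch the same URL with and without the gclid value and compare which scripts and refresh redirects each response carries. The following is an added example, not part of any poster's message; the class and function names, the hosts and the two sample response bodies are all constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect script hosts, inline-script hashes and meta-refresh targets."""
    def __init__(self):
        super().__init__()
        self.items = set()
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.items.add(("script-src", urlparse(a["src"]).netloc or "(same-origin)"))
        elif tag == "script":
            self._inline = []
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.items.add(("meta-refresh", a.get("content") or ""))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            if body:
                digest = hashlib.sha256(body.encode()).hexdigest()[:16]
                self.items.add(("inline-sha256", digest))
            self._inline = None

def fingerprint(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.items

def only_with_parameter(baseline_html, variant_html):
    """Items served only when the click parameter is on the URL."""
    return sorted(fingerprint(variant_html) - fingerprint(baseline_html))

# Constructed sample bodies: same URL fetched without and with ?gclid=<value>.
BASELINE = ('<html><head><script src="https://tags.example.net/tm.js"></script>'
            '<script>window.dataLayer = [];</script></head><body>Offer</body></html>')
VARIANT = BASELINE.replace(
    "</head>", '<script src="//cdn.injected.example/a.js"></script></head>')

if __name__ == "__main__":
    for kind, value in only_with_parameter(BASELINE, VARIANT):
        print(f"served only with gclid: {kind} {value}")
```

This compares the HTML the server returns; scripts that a tag manager or another script adds in the browser at run time do not appear in it, so that case needs the same comparison over the rendered page's network requests.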
9:23 am on Nov 13, 2019 (gmt 0)

Full Member

10+ Year Member

joined:Dec 2, 2008
posts:229
votes: 4


Hi there.

Thanks for providing some extra clarity around the GCLID for others. It's certainly a weird situation where you find yourself saying to Google "Exactly how am I supposed to make changes to the GCLID which you are adding to my URLs and which you say is triggering malware?"

Certainly whatever it is is very clever. Can you imagine what might happen on some generic verticals if you were able to intercept some of the big travel providers' GCLIDs and redirect that session to a similar page but which goes through a competitor? I doubt the most part of users would nowadays even remember the domain they clicked on and just assume it was the same.

Ouch.
8:57 am on Nov 14, 2019 (gmt 0)

Full Member

10+ Year Member

joined:Dec 2, 2008
posts:229
votes: 4


So in the end they have been able to identify a specific piece of code on the website that for them is causing this problem. This is a specific JavaScript from a third-party that is also a very big company too. This would have been so much easier had the reporting and identification tools from Google isolated this to begin with rather than provide GCLID codes that sent us down the wrong path of analysis. We use GTM so it's literally three button clicks to make this change. It's taken over a week to get to this answer, and it will take less than 30 seconds to fix it. Google needs to work on their tools, they are a tech company. The amount of money they will have lost will pale in comparison to fixing the reporting tools.

Google has sent me an ALL CLEAR message in Google Search Console, but the Ads have already been disapproved. In a week I will get another search console message for sure. At least now we know what needs to be changed. Come on Google fix your systems!

2Clean.
6:43 pm on Nov 14, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 20, 2006
posts:2176
votes: 94


I hope Google works with that 3rd party, to pro-actively avoid this happening to 1,000s of others.

Congrats on getting this solved!