Data Theft Scam Targets Google Ads
Google Inc. yanked paid advertisements linked to some 20 search terms that
online criminals had hijacked to steal banking and other personal information
from Web surfers looking for the Better Business Bureau and other sites.
It was unclear how many people were affected before the breach was discovered
this week, but computer security experts said Thursday the attack appears to
be isolated and only targeting Windows XP users who had not properly updated
They said the attack was unlikely to undermine Google's core business of selling
lucrative advertising links, which made up the bulk of the Mountain View-based
company's $3.08 billion in profit in 2006 and $1 billion in the first quarter
of 2007 alone.
Google said it dismantled the offending links and shut down the problem AdWords
accounts Tuesday. The company is working with advertisers to identify any other
malware-loaded sites that might be on the network, it said.
"We canceled the affected ads as soon as we were made aware of the problem,"
the company said in a statement. "Overall, Google is committed to ensuring
the safety and security of our users and our advertisers. We actively work to
detect and remove sites that serve malware to our users both in our ad network
and in our search results."
However, the experts said the infiltration of the Web's largest marketing network
raises questions for the entire search industry about how to screen advertisers
for those with nefarious motives.
The attack targeted the top sponsored links tied to Google search results,
installing a program on victims' computers to capture private information used
to access online accounts for 100 different banks.
"This is serious -- there's confidence in the links that are at the top,
whether they're sponsored or not," said Nick Ianelli, an Internet security
analyst with the federally funded CERT Coordination Center at Carnegie Mellon
University. "It's going to affect the whole industry, not just one provider."
The scheme, discovered by security software firm Exploit Prevention Labs in
New Kingston, Pa., involves a ruse by online criminals to fool Google searchers
into clicking through a rogue site loaded with malicious code.
The criminals created their own Web site and outbid legitimate businesses in
Google's AdWords program to secure prime placement of ads linked to popular
search terms. Users who clicked on those ads were then routed to the booby-trapped
site before being sent on to the legitimate destination.
Ken Dunham, director of the rapid response team at VeriSign Inc.'s iDefense
Intelligence, said criminals targeted Google's AdWords service in a similar
manner in a 2005 "phishing" attack.
In that case, the criminals created a site that mimicked a well-known retailer,
placed an ad on Google, then stole users' credit card and other information
when they tried to order products, he said.
Dunham said Google likely implemented more stringent authentication policies
for its premium advertising members after that incident. However, he said it
would be too costly to impose the same verification procedures for all advertisers.
The current incident raises questions for search companies about how they screen
members of their advertising networks and drives home the message about keeping
up with security updates, Dunham said.
"Attackers have been doing this for some time -- the old dog is still
doing old tricks and it's working," he said. "We need to realize this
is a known tactic, people should be aware of it and identify when this could
be an issue."
Roger Thompson, chief technology officer for Exploit Prevention Labs, said
Thursday that no further attacks of this type had been discovered, "but
the exploit site is still live and serving, so if someone finds a way to hook
to it, it'll fire."