Booby Traps Hide in Google Sponsored Links

06-14-2007, 07:47 PM

Roger Thompson of Exploit Security Labs posted today about finding poisoned Google sponsored links that surreptitiously direct searchers through malicious sites that attempt to surreptitiously install malware on your PC.
According to Thompson (http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html), if you ran a Google search for "BetterBusinessBureau" from April 10 through about 11am EST this morning, you'd have stood a one in three chance of seeing a top sponsored link with green link text that read www.bbb.org - just like the real search result. If you clicked that sponsored link, you'd even end up at the regular BBB site as per normal.
But before you got to the bbb.org site, you'd invisibly pass through a malicious site that would try to exploit an Internet Explorer browser hole. The site wouldn't have shown up in your browser, and you wouldn't have had any way of knowing about the redirection ahead of time. Unlike with real search results, you don't see the destination URL if you pass your mouse over a Google sponsored link.
Our colleagues over at InfoWorld have some more background on this in a story called: Experts: Google Doesn't Police Advertisers (http://www.pcworld.com/article/id,131285-page,1/article.html).

You'd have had no idea that you passed through the poisoned site on your way to the BBB - or that if your PC lacked a critical security patch, the site would have surreptitiously downloaded malware onto your computer meant to steal banking credentials. (When Thompson e-mailed a sample to me, my antivirus identified it as Infostealer.Bancos and deleted it from my e-mail.)
I haven't yet heard back from Google to see if they can verify these attacks, but Thompson has screen shots with results from his LinkScanner browser add-on that appear to identify the malicious links.
When I talked with Thompson, he said the attacks attempted to hit an old, but still commonly attacked Windows MDAC vulnerability (http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx) in Windows XP and Windows Server 2003. So if you were smart enough to keep your system patched you'd have been safe from these particular exploits.
But it looks like the framework is still in place for other Internet criminals to come along and pay for a similar sponsored link for other search results. It's not unusual to redirect through an advertising service site that records your passing for legit sponsored links, Thompson says. When I just checked, Ask.com also hides the URL for sponsored links, while Yahoo and MSN display what looks like redirection links at yahoo.com and msn.com.
Also, a subdirectory of the malicious redirection site used in the Google attacks still appears to host the MDAC exploit.
I'd love to hear from Google whether they screen purchasers of sponsored links or the redirection URLs they use. I hope so, since after this and the MySpace malicious banner ad fiasco (http://www.pcworld.com/article/id,126488-page,1/article.html) from last year, online crooks now seem to happily use ads as an attack vector.

In the meantime, you can use XPL's Linkscanner (http://www.explabs.com/products/) and McAfee's SiteAdvisor (http://www.siteadvisor.com/), both available in free versions, to give you some advanced warning about dangerous search results.
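The attack described in the post above works because the green display text of a sponsored link ("www.bbb.org") says nothing about the hosts a click passes through before it lands there. The following is an added example, not part of the original post and not LinkScanner's or SiteAdvisor's code: it follows a redirect chain hop by hop with redirects disabled (so no intermediate page is ever rendered), then flags any host that is neither the advertised site nor a declared ad-tracking domain, and reports a landing page that does not match the displayed URL or a redirect loop. All hosts, URLs and responses in it are constructed stand-ins (the `.test` TLD is reserved); the `FAKE_RESPONSES` table replaces real HTTP requests so it runs offline.

```python
"""Redirect-chain audit for sponsored links.

Added example; not the article's, Google's or LinkScanner's code. The hosts
and HTTP responses below are constructed so the script runs without network
access. A real deployment would replace fake_fetch() with a HEAD/GET that
has automatic redirect following turned off.
"""
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network: url -> (HTTP status, Location header or None)
FAKE_RESPONSES = {
    "http://ads.example-adnetwork.test/click?id=42":
        (302, "http://cdn-stat.example-bad.test/r.php"),
    "http://cdn-stat.example-bad.test/r.php": (302, "/go?to=bbb"),   # relative Location
    "http://cdn-stat.example-bad.test/go?to=bbb": (302, "http://www.bbb.org/"),
    "http://www.bbb.org/": (200, None),
    "http://loop.test/a": (302, "http://loop.test/b"),
    "http://loop.test/b": (302, "http://loop.test/a"),
}


def fake_fetch(url):
    """Stand-in for an HTTP request issued with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, None))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def same_site(host, domain):
    """True if host is domain or a subdomain of it (www.bbb.org under bbb.org)."""
    return host == domain or host.endswith("." + domain)


def follow_chain(start_url, fetch, max_hops=10):
    """Follow 3xx Location headers manually and return every URL visited.
    Stops at the first non-redirect, at a loop, or after max_hops."""
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400 and location):
            break
        url = urljoin(url, location)      # Location may be relative to the current URL
        chain.append(url)
        if url in seen:                   # redirect loop: record the repeat and stop
            break
        seen.add(url)
    return chain


def audit_chain(display_url, chain, known_trackers=()):
    """Compare what the ad displayed against where the click actually went.
    Returns a list of (url, reason); an empty list means every hop was the
    advertised site itself or a declared tracking domain and the landing
    page matched the displayed URL."""
    if not chain:
        return [("", "empty chain")]
    display_host = host_of(display_url)
    findings, flagged = [], set()
    for url in chain[:-1]:                # every hop before the landing page
        h = host_of(url)
        if same_site(h, display_host) or any(same_site(h, t) for t in known_trackers):
            continue
        if h not in flagged:              # one finding per undeclared host
            flagged.add(h)
            findings.append((url, "undeclared intermediate host " + h))
    landing = host_of(chain[-1])
    if not same_site(landing, display_host):
        findings.append((chain[-1], "landing host %s does not match displayed %s"
                         % (landing, display_host)))
    if len(chain) > 1 and chain[-1] in chain[:-1]:
        findings.append((chain[-1], "redirect loop"))
    return findings


def demo():
    """Audit the constructed bbb.org lookalike chain; the ad network's own
    click-tracking domain is declared so only the unexpected hop is flagged."""
    chain = follow_chain("http://ads.example-adnetwork.test/click?id=42", fake_fetch)
    return chain, audit_chain("http://www.bbb.org/", chain,
                              known_trackers=("example-adnetwork.test",))


if __name__ == "__main__":
    chain, findings = demo()
    print(" -> ".join(chain))
    for url, reason in findings:
        print("FLAG:", reason, "at", url)
```

Declaring the ad network's own click-tracking domain as a known tracker is what keeps this usable on real sponsored links, which legitimately bounce through one tracker before the landing page; anything else in the middle of the chain is exactly the hop the post says a searcher never gets to see.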

06-15-2007, 10:02 AM
Interesting article, thanks. Will pass this on to a friend who had details stolen recently and couldn't work out how it was done.

Personally I completely avoid it.... Linux & Firefox ;)

09-11-2007, 02:47 PM
No way??? Although I keep my computer updated, I am never clicking on a Google ad ever again!


09-16-2007, 12:40 PM
Thanks Ladyeye, is there nothing these scumbags will stop at? I guess not where money is concerned. The internet makes Dodge City look like a nunnery. LOL

10-21-2008, 12:30 AM
Unlike other Anti-Virus or Internet Security utilities, CA Anti-Virus 2008 includes Website Verification tools and Link Validators as standard to protect from re-directs and ghosted applications.

Vista once proclaimed it would have such protection included, but don't count on it. Same thing for the VeriSign and Yahoo "validated link" programs and how they tried to get all the browsers to adopt the practice (they discovered they would effectively limit their advertiser pool by about 30% if they implemented such a plan and departed from their hands-off "surfer beware" position). It's all about the money, unfortunately, and Google is the worst offender of all time.

Download a FreeTrial of CA Anti-Virus 2008 Here (http://shop.ca.com/downloads/free_trial_software.aspx)