July 26, 2017

Google Ads Led To PC Infections

Paid search ads appearing in Google’s search result pages held a trap for people who clicked on them when searching for certain keywords.

Google Ads Led To PC Infections
Google Ads Led To PC Infections

The Better Business Bureau and cars.com were being exploited in Google searches by criminals seeking to drop malicious software onto a victim’s computer.

That discovery came from Exploit Prevention Labs, whose Roger Thompson blogged about it. Their researchers began to notice exploits detected with the company’s LinkScanner on ads related to the BBB and cars.com.

People clicking on the unsafe ads were passed through a malicious domain on their way to the legitimate destination:

It sure looks like (the paid search ad) will take you to a BBB website, and that’s where you end up.

First, however, it takes the unwary traveler through smarttrack.org, which uses a modified MDAC exploit to try to install a backdoor and a post-logger on your system.

The post-logger is specifically targeting about 100 banks from around the world, by injecting extra html into those banks response pages, to try to coax extra information out of the victim.

As with the majority of attacks these days, this one aims for financial gain. Thompson noted that the post-logger will grab all the login credentials it can while specifically looking for those bank logins.

Part of what made the exploits effective has to do with the difference in how Google presents its organic versus sponsored results for a search query. Doing a mouseover of an organic link shows the destination URL in the browser status bar.

Do the same thing over a sponsored result, and no status bar preview appears. “Savvy search engine users will know that often these sponsored links will take you through a ‘Click-manager’ or other advertising service and so seeing your browser pass through smarttrack.org will appear benign enough,” Thompson wrote.

Naming the malware site smarttrack.org gives it the appearance of being a legitimate third-party tracking site. It’s a clever bit of social engineering.

Thompson said it appeared Google had shutdown the AdWords account serving those malicious advertisements. Exploit Prevention Labs still found a number of search strings where the results bring up links passing through smarttrack.org.

Such an easy exploitation of Google’s search advertising service, part of the ad business that delivers about 99 percent of Google’s revenue, presents a very jarring situation. If people lose trust in Google’s ads and cut back on what they click out of security fears, that could become a big problem even if Google addresses it quickly.

AddThis Social Bookmark Button

Tags: , , ,

About David Utter 902 Articles
David Utter is a business and technology writer for SecurityProNews and WebProNews.