Security Watch | Matt Hines » Google AdWords used to serve exploits?

April 25, 2007 | Comments: (0)

Google AdWords used to serve exploits?

Are Google AdWords being used to serve up Web-based exploits? That's the contention of Roger Thompson, a security researcher at Exploit Prevention Labs, a small Web threat detection firm. Thompson, formerly of Computer Associates and Pest Patrol, posted a note on the company's blog on Tuesday suggesting that cybercriminals are gaming Google's popular AdWords text advertisements to trick users into visiting malicious Web sites that do "drive-by downloads" of keyloggers, Trojan horse programs and other malicious programs.

According to Thompson and EPL, exploit detections that appear to come from "household name sites" like the Better Business Bureau and cars.com have been popping up since April 10.

A closer inspection by EPL researchers revealed that the attacks were actually coming from a site called smarttrack.org, a Russian Web site that serves up a variety of Web exploits, Thompson told InfoWorld.

According to Thompson, cybercrooks appear to have purchased Google AdWords for popular terms like "Better business bureau," "Auto Show," "Auto tour," "Florida Business Opportunity Law" or "Modern cars airbags," then associated those terms with their exploit server. Google users who clicked on the sponsored links that appear on the right-hand side of Google's search results were directed to the malicious server, which used an exploit of a recently patched vulnerability in Microsoft's Data Access Components (MDAC) to gain control over the vulnerable system and place a small downloader program on the PC. That program, in turn, installed a back door program that gives hackers access to the machine and a so-called "Post Logger" banking Trojan. The Trojan was specially tailored to monitor sessions on around 100 different banking Web sites and capture field information and any keystrokes whenever data was submitted from the banking customer's machine to the bank Web site, Thompson said.

The Post Logger even carried mock-ups of bank web pages designed to get customers to submit their "shared secret" -- a tidbit of personal information often used to distinguish legitimate customers from scammers, he said.

"This was a pretty sophisticated operation," he said.

Thompson and his colleagues counted around 20 compromised terms, both in English and German, and reported them to Google. Though the company has not replied to EPL, searches on some of the suspect terms, such as Better Business Bureau, returned Google results pages lacking any paid search terms -- a rare sight indeed.


Google did not immediately respond to requests for comment from InfoWorld.

Attacks using AdWords as a lure are particularly difficult to spot because users can't see the links attached to the AdWords simply by placing their mouse over the link, as they can with non-sponsored search results, Thompson noted.

"The only way to see where the link goes is by clicking on it."

EPL's software scans for malicious Web servers and warns users about suspect links on Web pages and search results.

Most desktop security programs are designed to stop malicious downloads, but have had a tough time staying ahead of organized crime gangs that attack previously unknown holes in operating systems or applications, and tailored malicious programs that may have never been seen before.

"The only way we found out about this was because our users were running into it," Thompson said.

Finding the responsible link in a Web browsing session can be difficult, he said -- researchers often get hundreds of pages of search history to sort through, only one link of which may be associated with an attack. "We tend to be very interested with what's on page 1, but these things were on page 25," he said.

While the terms EPL reported to Google have been cleansed, Thompson expects that others may still be active, given that smarttrack.org is going strong.

Stay tuned...more to come.


Posted by Paul Roberts on April 25, 2007 06:16 PM

