Somewhere in the last two months of 2014, scammers appear to have hijacked a few AdSense accounts and began using them to send people to fake but legitimate-looking sites. The sites were modeled to look like popular and trusted websites, like Forbes and Good Housekeeping, and they contained articles about products that were able to “help you lose 21 pounds of stomach fat in just a month!” The articles also contained fake comments from people claiming that the miracle weight loss method, anti-aging treatment, etc. had worked wonders for them.
How the attack was discovered
Although the problem had been going on for about 2 to 3 months, Google didn’t really start getting serious about resolving the issue until the ads started causing major and noticeable problems. According to Denis Sinegubko on the Sucuri Blog, they noticed a sudden uptick in the number of requests they were receiving to scan for malware on websites.
There were several oddities that made it pretty obvious that this wasn’t just a few websites infected with regular malware. Despite the fact that the websites Sucuri scanned were clean, people visiting the sites were being redirected to one of a number of fake websites. Most people ended up at a page on lemode-mgz .com, although some ended up at consumernews247 .com or wan-tracker .com.
After some Google-fu, Sucuri discovered this Google Support Thread, which has well over 200 replies, many of which are people complaining about how the redirecting ads are preventing visitors from viewing their website properly. At this point, it was determined that the issue wasn’t the websites that people were visiting; it was the ads on the websites people were visiting. The ads had built-in scripts that caused many visitors to be redirected, even if they never clicked on an ad.
How the scammers did it
There are several reasons to believe that the scammers took over legitimate accounts, including the fact that the two accounts involved had previously displayed legitimate ads, for rgeoffreyblackburn .com and adwynne .com, respectively. It appears that the reason people started complaining about the issue was that these accounts increased their bidding significantly to generate greater numbers of impressions, which led to greater numbers of redirects, something that is more likely if you’re spending someone else’s money. Google also dragged its feet on shutting these accounts down, which also lends credence to the idea that they weren’t recently created accounts without a solid history.
As Jérôme Segura, a Malwarebytes senior security researcher, pointed out to ITProPortal:
In this case it appears as though the bad guys hijacked existing accounts, and in particular some that had large spending budgets. This is an interesting new approach for us and it does have some definite advantages [for the attacker]. For one, the criminals can still conduct their activity anonymously, since they are using somebody else’s profile.
From there, the scammers had only to inject code into the ads that caused the redirect. If you’re wondering how this could be so simple yet so hard to track down, Sinegubko explains that:
… [O]ne third-party ad network script usually loads content from dozens of other partner networks and trackers behind the scenes. For example, recently we worked with a site whose homepage had scripts from 8 different third-parties (ads and widgets) — when loaded in a browser, that single page generated over a thousand HTTP requests to resources on 249 unique domains — 99% of which belonged to various ad networks and trackers.
Google still in clean-up mode
The flood of complaints appears to be what finally spurred Google to do something about the problem, although many people on the forums noted that they had complained well before the dam broke in the first week in January. Once the source of the issue was finally nailed down (and the shouting had gotten loud enough) Google started responding to people, and one forum poster shared this reply from Google support:
“This ad is a known bad ad and our malvertising team is actively working on blocking it across the network as we speak. In addition to blocking it via your account, please do file feedback directly with AdWords here: https://support.google.com/adwords/troubleshooter/4578507”
People are also encouraged to turn off Flash-based ads if their site starts to experience the problem, and text-based ads seem to be completely free of malvertising issues.