AdWords Phishing

Posted by on Aug 8, 2014 in Malvertising, Phishing

This Reddit post discusses an advertiser that is using Google’s AdWords system to phish subscribers. If you’re not security/tech savvy, what this translates to is that an AdWords advertiser is tricking Google users into thinking that he/she is the face for another legitimate Web site. The idea is to steal user credentials.

As an attacker, using AdWords just makes sense. Why go through the all of the effort of organically growing a site to place high up in the organic rankings of Google, or even compromise an existing site, when Google AdWords will place you right at the top of the organic rankings for a small fee per user that they send your way. Using the AdWords system, an attacker can then precisely tune which region they want to target and even what time of day they would like the traffic to come their way.

One of the Reddit users posts

“The fact they allow this is ridiculous.”

Google does not allow this. Note the following from the AdWords Terms and Conditions:

“Ad Serving.  (a) Customer will not provide Ads containing malware, spyware or any other malicious code or knowingly breach or circumvent any Program security measure.”

One could make the argument that Google is just protecting themselves by adding this to their terms and conditions, and nothing more. Once Google has said that you’re not allowed to do this then they can wash their hands of all of this and only take a reactive approach, i.e., shut down an account when enough people complain

Leaving this argument at just this is insufficient to hold any weight though. The one problem with it, is that by Google not proactively searching for this nonsense then they themselves are open to precisely the same form of abuse.

Google AdWords Advertiser Targets Google AdWords

The advertiser highlighted by the red arrow below is phishing Google AdWords customers, using the Google AdWords infrastructure on the homepage when searching for “adwords”

adwords advertiser phishing adwords advertisersUpon clicking the ad, the user is redirected to the following landing page:

adwordsphishingNote this landing page is obviously not the official AdWords landing page. It is an attacker trying to lure unsuspecting victims into handing over their AdWords credentials. AdWords credentials are big bucks, more so if you phish a premium account. The attacker essentially acquires a powerful means with which to print money for himself until the account is closed.

Taking a closer look at the ad, note the inconsistencies:

  • The display URL (in green) is
  • The page I landed up at is
  • The destination URL (the first URL that a user is redirected to upon clicking the ad URL) is, surely a compromised site that is being exploited as a buffer for the redirect

The trick is that it’s easy to see these inconsistencies in review of an attack, but not in preview of a new AdWords campaign. When this advertiser first setup the campaign, the display URL probably matched the destination URL and in turn the final landing page. With some time and in sampling users for an attack (selecting 1 out of every 10 for example), the attacker can slowly creep his way into the system, even if Google is proactively searching for this form of abuse.

« »