AdWords Phishing #2

Posted by on Aug 11, 2014 in Malvertising, Phishing

A reader sent me an email asking me to clarify the following statement from my last post:

“AdWords credentials are big bucks, more so if you phish a premium account.”

Platforms the likes of AdWords are constantly under attack. It’s astonishingly simple to verify this for yourself:

  • Head on over to google.com
  • Search for “adwords login”
  • Note the first ad

adwords_phishing_1

Inconsistencies with the first ad:

  • Display URL is for www.acefingerprint.com
  • Destination URL is for roofing-contractors-toronto.com

Clicking on the ad will land you here:

adwords_phishing_2Doesn’t get any easier than that to find someone attacking AdWords. Now remember, an attack on AdWords is an attack on all of the users of AdWords (Google’s advertisers). If Google is at the very least trying to protect their own vertical from abuse (their advertisers), then they’re not doing a very good job at it.

Once an attacker has valid AdWords credentials there are a few ways to monetize:

  1. Sell the account. Forums to sell a compromised account of this nature are in no short supply.
  2. Sell the traffic. The attacker brokers a relationship with someone who wants to buy traffic at a discount rate. This relationship most likely exists before the account was compromised. Attacker can offer huge volumes of traffic at ridiculous prices because the traffic she is selling is stolen (much like buying selling goods on the black market). Attacker can either modify the keywords of the compromised account to send targeted traffic, or just roll with what the account has anyway and maybe increase the bid price.
  3. Target a specific vertical and launder the traffic. At the end of the day, with a compromised account the attacker has free traffic. If it’s a premium account then the attacker has huge volumes of free traffic. An example of a premium account would be an advertiser who spends $10,000 a day on ads. When you’re dealing with the massive volumes that such a budget will bring, one has only to steer the traffic towards a somewhat probable monetization path and the machine will take care of the rest. For example, advertiser could set himself up as an affiliate in the Payday Loans vertical.¬†Attacket then sets up an AdWords campaign in the Payday Loans vertical and sets her bid price to crush everyone else (it’s not her money, so why play nice?). Attacker funnels traffic from this campaign to a legitimate buffer site which launders traffic and forwards it on to the merchant facilitating Payday transactions/leads. Some of these will convert, which in turn will pay the attacker.

What’s still somewhat puzzling is why Google is not protecting their own vertical. If an AdWords account is compromised then the advertiser is going to lose money on ads that she did not purchase. If the advertiser loses this money then the advertiser is going to seek a refund. If the advertiser gets the refund then Google is going to lose money. If Google loses money then it’s within their interest to protect this vertical.

Of course, the simplest answer here may be that the cost of protecting this vertical (or any vertical) outweighs the cost of just issuing refunds in the event of a compromise. That’s fine from a pure monetary perspective, but what of the bad press that comes from posts the likes of what we saw on Reddit, or the future revenue lost from an advertiser who has had enough and shifts to an advertising platform that does invest in protecting their own vertical and those of their clients.

« »