Sunday, May 13, 2007

Google pulls malicious sponsored links

Google has removed paid links that advertised seemingly legitimate Web sites but actually tried to install nefarious programs on PCs.

The links were displayed as "sponsored links" after visitors entered specific queries into Google's search service. Clicking the links would ultimately go to a legitimate site, but by way of another site that attempted a "drive-by installation" of password-stealing software. Miscreants placed the links using Google's AdWords service for advertisers.

"Google identified and canceled AdWords accounts displaying ads that re-directed users to malicious sites," a company representative wrote on a corporate blog on Thursday.

The malicious links appeared after people searched for terms related to the Better Business Bureau and cars, according to Exploit Prevention Labs, a security company. All the paid-for links masqueraded as legitimate sites and redirected Google users to the actual sites after sending them to smarttrack.org, which served up the malicious code, Exploit Prevention Labs said.

"We detected about 20 different search strings that resulted in links to smarttrack.org," said Roger Thompson of Exploit Prevention Labs. "There were multiple ads linking to a single site, a high level of planning, and cunning by the bad guys."

Web threats are on the rise. Security firm Trend Micro predicts that by next year, Internet users can expect more cyberattacks to originate from the Web than via e-mail. The threat hasn't gone unnoticed by the security industry. Tools such as Google's Toolbar for Firefox or Google Desktop, Exploit Prevention Labs' LinkScanner and McAfee's SiteAdvisor can offer protection by blocking known bad sites or rating search results.

Google is looking at its AdWords practices to prevent similar incidents in the future, the company said. "This is an issue we've taken very seriously and will continue to monitor," it said. "We are also evaluating our systems to ensure that the appropriate measures are in place to block future attempts."

No comments: