Entrepreneurial hackers buy sponsored links on Google
Ad links sidetracked users, installed password stealer
Computerworld - A hacker scheme that involved buying search keywords on Google and then routing users to a malicious site when they clicked on sponsored links was revealed yesterday by a security company.
According to Roger Thompson, chief technology officer at Exploit Prevention Labs, the ploy involved sponsored links (the text ads that appear alongside search results on Google), a malicious intermediary and malware that steals online banking usernames and passwords.
"It's quite an investment on the bad guys' part," said Thompson. "Instead of just hacking into sites, they bought keywords."
Those keywords put the criminals' sponsored links at the top of the page when searches were run for brand name sites like the Better Business Bureau or Cars.com, using phrases such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC.
MDAC has been patched three times by Microsoft Corp. in the past three years, most recently in February, when the vulnerability was rated critical.
Once the malware was installed on unpatched PCs, smarttrack.org pushed the user's browser along to the real destination link. "It was pretty clever; the sponsored link takes you to the real page," said Thompson. "You'd never know." The post-logger, however, knew plenty. According to Thompson, it targeted users of about 100 different banks, injecting extra HTML into those banks' pages to entice extra personal information out of the victim.
Exploit Prevention Labs first spotted the hack on April 10. Fortunately, the scheme was short-lived. "There was obviously a lot of planning that went into it, but I think the site had only been live for a little while. They registered the [smarttrack.org] domain on April 2." The domain was registered using an anonymous registrant service that masks the name and other information of the person who purchased the URL.
The attackers, said Thompson, profited from a Google design quirk. When users pause the mouse cursor atop a sponsored link, the full URL does not appear at the bottom left of the browser window, as it does when pointing to a link in the search result list. "This means that a user has no clue where she is about to navigate to," said Thompson.
Yahoo's search engine does the same, but rivals, including Microsoft's Live Search and Ask.com, reveal the complete URL of all links, sponsored links included.
Google, which was not available tonight for comment, has removed the malicious sponsored links for the 20 or so search strings that resulted in bogus ad links to smarttrack.org, said Thompson.
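The redirect pattern described above (ad click, brief hop through a days-old intermediary, then the real site) can be hunted for in web proxy logs. The following is an added example, not code from the article or from Exploit Prevention Labs; the ad host, the WHOIS table, the log records, the year and the 30-day threshold are all constructed assumptions.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed WHOIS enrichment. smarttrack.org's day and month come from the
# article; the year and every other entry are assumptions for this example.
WHOIS_CREATED = {
    "smarttrack.org": date(2007, 4, 2),
    "clicktrack.example": date(2001, 6, 15),
    "cars.com": date(1995, 1, 1),
}
AD_HOSTS = {"ads.example"}  # hypothetical ad-network click host


def site(url):
    """Crude registrable domain: last two labels (wrong for e.g. co.uk)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def suspicious_hops(chain, clicked_on, max_age_days=30):
    """Return intermediary sites in a redirect chain that are newly registered.

    chain is the ordered list of URLs the browser requested after an ad click.
    A hop is flagged when it is not the ad network, not the final landing
    site, and its domain is younger than max_age_days (or has no WHOIS data).
    """
    landing = site(chain[-1])
    flagged = []
    for url in chain[:-1]:
        hop = site(url)
        if hop in AD_HOSTS or hop == landing or hop in flagged:
            continue
        created = WHOIS_CREATED.get(hop)
        if created is None or (clicked_on - created).days <= max_age_days:
            flagged.append(hop)
    return flagged


# Constructed proxy records: (click date, redirect chain).
CLICKS = [
    (date(2007, 4, 10), ["http://ads.example/click?id=1",
                         "http://smarttrack.org/",
                         "http://www.cars.com/"]),
    (date(2007, 4, 10), ["http://ads.example/click?id=2",
                         "http://r.clicktrack.example/go",
                         "http://www.cars.com/"]),
]

if __name__ == "__main__":
    for day, chain in CLICKS:
        print(chain[-1], "->", suspicious_hops(chain, day) or "clean")
```

Domain age alone does not prove malice; a flagged hop is a lead for review alongside patch status of the client that made the request.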