Entrepreneurial hackers buy sponsored links on Google
Ad links sidetracked users, installed password stealer
Computerworld - A hacker scheme that involved buying search keywords on Google and then routing users to a malicious site when they clicked on sponsored links was revealed yesterday by a security company.
According to Roger Thompson, chief technology officer at Exploit Prevention Labs, the ploy involved sponsored links (the text ads that appear alongside search results on Google), a malicious intermediary and malware that steals online banking usernames and passwords.
"It's quite an investment on the bad guys' part," said Thompson. "Instead of just hacking into sites, they bought keywords."
Those keywords put the criminals' sponsored links at the top of the page when searches were run for brand name sites like the Better Business Bureau or Cars.com, using phrases such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC.
MDAC has been patched three times by Microsoft Corp. in the past three years, most recently in February, when the vulnerability was rated critical.
Once the malware was installed on unpatched PCs, smarttrack.org pushed the user's browser along to the real destination link. "It was pretty clever; the sponsored link takes you to the real page," said Thompson. "You'd never know." The post-logger, however, knew plenty. According to Thompson, it targeted users of about 100 different banks, injecting extra HTML into those banks' pages to entice extra personal information out of the victim.
Exploit Prevention Labs first spotted the hack on April 10. Fortunately, the scheme was short-lived. "There was obviously a lot of planning that went into it, but I think the site had only been live for a little while. They registered the [smarttrack.org] domain on April 2." The domain was registered using an anonymous registrant service that masks the name and other information of the person who purchased the URL.
The attackers, said Thompson, profited from a Google design quirk. When users pause the mouse cursor atop a sponsored link, the full URL does not appear at the bottom left of the browser window, as it does when pointing to a link in the search result list. "This means that a user has no clue where she is about to navigate to," said Thompson.
Yahoo's search engine does the same, but rivals, including Microsoft's Live Search and Ask.com, reveal the complete URL of all links, sponsored links included.
Google, which was not available tonight for comment, has removed the malicious sponsored links for the 20 or so search strings that resulted in bogus ad links to smarttrack.org, said Thompson.