Entrepreneurial hackers buy sponsored links on Google
Ad links sidetracked users, installed password stealer
Computerworld - A hacker scheme that involved buying search keywords on Google and then routing users to a malicious site when they clicked on sponsored links was revealed yesterday by a security company.
According to Roger Thompson, chief technology officer at Exploit Prevention Labs, the ploy involved sponsored links (the text ads that appear alongside search results on Google), a malicious intermediary and malware that steals online banking usernames and passwords.
"It's quite an investment on the bad guys' part," said Thompson. "Instead of just hacking into sites, they bought keywords."
Those keywords put the criminals' sponsored links at the top of the page when searches were run for brand name sites like the Better Business Bureau or Cars.com, using phrases such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC.
MDAC has been patched three times by Microsoft Corp. in the past three years, most recently in February, when the vulnerability was rated critical.
Once the malware was installed on unpatched PCs, smarttrack.org pushed the user's browser along to the real destination link. "It was pretty clever; the sponsored link takes you to the real page," said Thompson. "You'd never know." The post-logger, however, knew plenty. According to Thompson, it targeted users of about 100 different banks, injecting extra HTML into those banks' pages to entice extra personal information out of the victim.
Exploit Prevention Labs first spotted the hack on April 10. Fortunately, the scheme was short-lived. "There was obviously a lot of planning that went into it, but I think the site had only been live for a little while. They registered the [smarttrack.org] domain on April 2." The domain was registered using an anonymous registrant service that masks the name and other information of the person who purchased the URL.
The attackers, said Thompson, profited from a Google design quirk. When users pause the mouse cursor atop a sponsored link, the full URL does not appear at the bottom left of the browser window, as it does when pointing to a link in the search result list. "This means that a user has no clue where she is about to navigate to," said Thompson.
Yahoo's search engine does the same, but rivals, including Microsoft's Live Search and Ask.com, reveal the complete URL of all links, sponsored links included.
Google, which was not available tonight for comment, has removed the malicious sponsored links for the 20 or so search strings that resulted in bogus ad links to smarttrack.org, said Thompson.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts