Tuesday, April 24, 2007

Google sponsored links not safe?

Hi folks,

We've been watching an interesting puzzle for a couple of weeks now, and last night the last couple of pieces fell into place. Since the 10th of April, our community intelligence network has been finding exploit detections _seemingly_ at household-name sites like the Better Business Bureau and cars.com, but they are actually coming from a place called smarttrack.org masquerading as one of the legit sites.

Google searches for phrases such as BetterBusinessBureau, "Florida Business Opportunity Law" or "Modern cars airbags required" will turn up these dangerous sites (more on that below). Last night our researchers discovered that one of these rogue links was the number 1 sponsored link when people entered the phrase BetterBusinessBureau. See here. It looks safe, but a mouse-over of our red verdict reveals the truth.

It sure looks like it will take you to a BBB website, and that's where you end up. Here's a screensnap of the result.

First, however, it takes the unwary traveler through smarttrack.org, which uses a modified MDAC exploit to try to install a backdoor and a post-logger on your system. The post-logger specifically targets about 100 banks from around the world, injecting extra HTML into those banks' response pages to try to coax extra information out of the victim. (Although it specifically targets those 100, it is an equal-opportunity logger and happily logs all user IDs and passwords for any web page.)

Also, because the post-logger is a browser helper object (BHO), it runs inside the browser, which is the end-point of any SSL transaction, so it can see everything in plain text rather than encrypted.

Now, lots of links in any search engine point to infective sites, so that's not really a surprise, but this does highlight a significant issue. When you move the mouse over a normal, organic search result, Google shows the URL you are about to navigate to if you click. See here.

If, however, you mouse-over a sponsored result, no URL preview is shown! This means that a user has no clue where she is about to navigate to. See here. Savvy search engine users will know that these sponsored links often take you through a 'click-manager' or other advertising service, and so seeing your browser pass through smarttrack.org will appear benign enough.
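As an added example (not code from the original post), here is the kind of check a mouse-over preview could run on a sponsored result: it compares the advertiser's display URL with the href the browser will actually follow and any redirect target embedded in that href, so that a hop through a third-party domain is surfaced instead of hidden. The redirect parameter names are an assumption about common click-managers, and the hostnames used in the comments are constructed.

```javascript
// Added example, not code from the original post: inspect a search-result link
// so a hover preview can show the real destination and any intermediate hop.
// Hostnames mentioned below are constructed samples.

// Query parameters that click-managers often use to carry the final
// destination (assumption; real advertising services vary).
const REDIRECT_PARAMS = ["url", "u", "adurl", "dest", "redirect", "target"];

// Naive registrable domain: the last two labels (fine for .org/.com samples).
function baseDomain(host) {
  const labels = host.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// If the URL carries an absolute http(s) URL in a known parameter, return it.
function embeddedTarget(url) {
  for (const p of REDIRECT_PARAMS) {
    const v = url.searchParams.get(p);
    if (v && /^https?:\/\//i.test(v)) return v;
  }
  return null;
}

// Follow embedded redirect targets (bounded, so a self-referencing chain
// cannot loop forever) and compare every host passed through with the
// domain the advertiser displays under the ad.
function inspectLink(displayUrl, href) {
  const shown = new URL(/^https?:\/\//i.test(displayUrl) ? displayUrl : "http://" + displayUrl);
  let cur = new URL(href);
  const hops = [cur.hostname];
  for (let i = 0; i < 5; i++) {
    const next = embeddedTarget(cur);
    if (!next) break;
    cur = new URL(next);
    hops.push(cur.hostname);
  }
  const finalHost = hops[hops.length - 1];
  const shownDomain = baseDomain(shown.hostname);
  const foreign = hops.filter((h) => baseDomain(h) !== shownDomain);
  let verdict;
  if (baseDomain(finalHost) !== shownDomain) verdict = "destination-mismatch";
  else if (foreign.length > 0) verdict = "third-party-redirector";
  else verdict = "direct";
  return { shownDomain, hops, finalHost, foreign, verdict };
}

// Text a hover preview could display, e.g. "www.bbb-example.org via tracker-example.org".
function previewText(displayUrl, href) {
  const r = inspectLink(displayUrl, href);
  return r.foreign.length ? `${r.finalHost} via ${r.foreign.join(" -> ")}` : r.finalHost;
}
```

A "third-party-redirector" verdict is exactly the case the post describes: the ad really does end at the advertised site, but only after passing through a domain the user never saw.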

Fortunately, Google seems to have terminated that account as of about 11am EST, but we detected about 20 different search strings that resulted in links to smarttrack.org, so it is not yet clear whether all the links have been cleaned up. LinkScanner and SearchShield will surely reveal that over the next few days.


Cheers

Roger


7 Comments:

At 6:19 AM, Blogger CustomizeGoogle said...

If you're using the Firefox extension CustomizeGoogle, then all links will be visible by default. http://www.customizegoogle.com

 
At 7:35 AM, Blogger Conrad Longmore said...

What a coincidence, I saw this recently too in the UK on a search for "trampolines", the ad is still active.

See here for a synopsis of what I found.

 
At 1:29 PM, Anonymous seekXL said...

Hello Roger,

I hope it's okay that I use three of your pics for a German version of your blog posting. If it's not okay, please send me a mail and I'll delete it.

greetings from Germany :)

André

 
At 10:20 AM, Anonymous Anonymous said...

Hmmm... The fraud department of my credit card provider called me today to investigate some unauthorized activity. That included a $1 *unbilled* transaction by Google AdWords. Any connection?!?

 
At 5:36 PM, Anonymous Anonymous said...

Well, I found that after doing a whois search on smarttrack.org, it seems to have a connection with privacyprotect.org. Though, does anyone know what happened to any one of those exploiting sites?

 
At 3:48 PM, Blogger Mister said...

Does this mean that I probably don't want to visit smarttrack.org?

 
At 3:07 PM, Blogger Roger Thompson said...

That would be the case. Fortunately, it's been offline for a while now.

 
