Hackers turn to search engine sponsored links

 

Gallery

By Rene Millman

Posted on 30 Apr 2007 at 12:59

According to security researchers, cyber criminals are using Google Adwords to infect unsuspecting users.

According to security software developer Exploit Prevention Labs's team of researchers, malware is being distributed under the guise of adverts for legitimate, trusted organisations. Instead of connecting to these legitimate sites, users are redirected to malicious sites that attempt to install exploits and other malware.

'We've been watching an interesting puzzle for a couple of weeks now, and last night the last couple of pieces fell into place,' said Roger Thompson, chief technical officer at Exploit Prevention Labs. 'Since 10 April, our community intelligence network has been finding exploit detections seemingly at household name sites like the Better Business Bureau and cars.com, but they are actually coming from a place called smarttrack.org masquerading as one of the legit sites.'

He said that researchers at the company discovered that one of these rogue links was the number one sponsored link when people entered the phrase BetterBusinessBureau into Google - (link see the case study here).

While users eventually get directed to the legitimate site, it takes the unwary user through smarttrack.org, which uses a modified MDAC exploit to try to install a backdoor and a post-logger on the user's system. 'The post-logger is specifically targeting about 100 banks from around the world, by injecting extra html into those banks response pages, to try to coax extra information out of the victim,' said Thompson.

He said that while links to malware sites are nothing new, it does highlight a significant issue. While passing the mouse arrow over a normal result shows the URL a user is about to click on, no URL preview is shown on sponsored links.

'This means that a user has no clue where she is about to navigate to,' said Thompson. 'Savvy search engine users will know that often these sponsored links will take you through a "Click-manager" or other advertising service and so seeing your browser pass through smarttrack.org will appear benign enough.'

He said that Google has since terminated that particular Adwords account but the researchers have found another 20 different search strings that resulted in links to smarttrack.org. 'It is not yet clear if all the links have been cleared up,' he said.