Breaking News! Google AdWords Exploit Seen in the Wild! Yikes!
Today, my aunt Sue did a google search for “ebay” and got this…
See the ad for ebay at the top of the results? Not particularly interesting, right?…
The google provided link text says ebay, and overing over the link shows ebay. But a careful look at the source shows this…
The person who bought that ad cleverly injected a link to very NOT ebay. The link is to here (posted as image so you can’t accidentally click it)…
Yikes! Yikes! There is no way you could tell that link was not going to ebay without clicking it, and in fact the link text says “ebay.com” which is supposed to be checked against the actual target link by adwords. Yikes!
When you click on the link, you end up here…
Quadruple yikes!
Normally when I get a call like this, I assume that the person calling did something wrong like installing software or clicking on a wrong link.
In this case my Aunt Sue didn’t do anything wrong – google did!
Worse, the person who paid for this ad specifically targeted old people!!!!
…and seems to be from ebay!
Google: you really need to fix this! Make sure that link text matches the link target, and also give me a button to check who paid for an ad!
This instance was fixed as of 10PM ET tonight, but google still really needs to add some transparency for us ad viewers. How can I know that a link is OK if I can not tell where it goes before I click on it? Especially troubling that in this case the displayed link was unrelated to actual target link- not even the same domain. I also should be able to see who posted the ad so I can spot attack attempts.
It is common to see redirects going to several ad-tracking services before the final destination. So, it is possible the ad passed the domain checks when the ad was written, then one of the redirect domains goes to the malicious domain thereafter. It is hard to say. Unless Google makes a specific policy to only redirect to the domain advertising, I don’t see how you can prevent this. Many businesses might rely on third-party services for metrics and actually creating the adwords that it likely be a big money loser for Google if they set this kind of policy.
AdWords policy explicitly says destination URL must match link URL, and when I try to create an ad that goes to a different domain than the link text AdWords will not let me. They will not even let me link to a domain that I do not own even when the link and target match (which is a real hassle because I can not, say, advertise an Amazon product or an ebay listing). I think the above problem was the result of a weakness in the Adword URL filter that has since been fixed. All agreed that google has a HUGE incentive to make sure people are not scared to click on links in ads! This is likely the most important trust moment in the entire google ecosystem!
Google Ads final URL policy. (highlight added)…
Good spot but you can use a tracking url in adwords. Sunk818 is correct. This happens occasionally and is really just a MITM attack not a Google flaw
If clicking on a link in an ad brings you to a completely different domain than the link text, then there is a BIG problem. Super duper big problem when the link text says “ebay.com” and the destination page is an attack site on “devices-full-of-infected-files-application.azurewebsites.net”!
As far as I can see, all ad click urls have are first sent to google.com/aclk?. This issue is more likely to be a MITM attack on one of the JS resources or redirects within ebay and is likely not google’s fault.
Certainly possible. I wish I had grabbed a snap of the network trace when this was still happening to see the exact route of the redirects, but no matter what google should always be checking that the final destination page at least matches the link text domain!
how can Google check the destination when people cloak it so Google sees what the person who is doing the MITM wants them to see?
Google has a little bit of technical capability when it comes to following URLs… :)
How did you verify that this wasn’t due to host-based malware? The domain used has been used in redirect malware since 2017 if not earlier. Normally this involves a running process on the victim’s PC.
Asking for the purpose of making your article clearer.
I logged into aunt Sue’s google account from a clean chrome install in incognito in a clean Windows VM, did Google search for “eBay” and then clicked on the ad and boom! No chance this was happening on the client.
Is there something I’m missing here? You’re saying that, on hover, it displays a URL target that’s different from what the href actually goes to. But you never show that in any of your screenshots. That’s a much bigger issue than the cut-and-dry “HTML element text doesn’t match the href” thing that you’re calling for Google to fix. Can you confirm that it actually does show the ebay URL as the target when you hover over the link? Because that’s the bit that I’m inclined to not believe here.
Yes, I can confirm on hover the link in the ad displayed the target URL of “ebay.com”, but that is not particularly relevant since google ads routinely show one target and then when the link is actually click they send you to a different (typically an ‘/aclk’) URL. Try it right now – do a google search that brings up an ad, turn on dev tools and activate network trace, then click on the link and see where you go.