Google's fight against malicious adverts


Virus Bulletin 2009 conference
With much of the world using Google umpteen times a day as their window to the web, it's important that dodgy links appearing as search results are kept to a minimum.

Eric Davis, who heads up the anti-malvertising team at Google, has just given the keynote address on the opening day of the Virus Bulletin conference in Geneva.

Malvertising is the word that some are using to describe "malware+advertising", and typically involves criminals exploiting ad networks to their financial advantage. We recently saw a scareware campaign being distributed via malicious adverts on the New York Times website, for instance.

As Davis points out, most malware ads are made with Flash. That's not surprising - after all, most adverts are made with Flash.

And criminals also exploit known brands with their malicious adverts - creating doppelgangers of established firms or creating adverts that look respectable.

However, a bogus advert doesn't have to use Flash, and it doesn't have to exploit a third-party ad network from the site it's appearing on.

TechCrunch reported yesterday that users who Googled for "Firefox" were presented with a sponsored ad that posed as a link to Mozilla's site, but in fact directed users to a third-party site that tries to fool users into paying $2.50 per month for what should be a free copy of the browser.

Bad Firefox advert on Google. Source: TechCrunch

Although the ad looks like it will take you to Mozilla's official Firefox website at www.mozilla.com/firefox, it actually takes you to firefox.mozilla-now.com.

A quick WhoIs lookup suggests that it's unlikely that this is an official Mozilla website (the registrant claims to be based in Tibet, and it seems the site was only created two days ago).

Mozilla-Now.com registration information
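The two signals described above (a display URL whose domain differs from the landing domain, and a destination registered only days earlier) can be checked mechanically when an ad is vetted. The following Python is an added example, not Google's or the author's code; the function names, the finding codes, the 30-day age threshold and the sample dates are assumptions, and the registration date is passed in rather than fetched from WhoIs.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

def hostname(url):
    # Ad display URLs usually omit the scheme; add "//" so urlsplit sees a host.
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")

def registrable_domain(url):
    # Assumption: the last two labels are the registrable domain. Production
    # code should consult the Public Suffix List (this mishandles e.g. co.uk).
    return ".".join(hostname(url).split(".")[-2:])

def vet_ad(display_url, destination_url, created, today, min_age_days=30):
    """Return (code, detail) findings that warrant manual review of an ad."""
    shown = registrable_domain(display_url)
    dest = registrable_domain(destination_url)
    findings = []
    if shown != dest:
        findings.append(("domain-mismatch", f"ad shows {shown}, lands on {dest}"))
        # Brand name reused inside a different domain, e.g. as a subdomain
        # or as part of a hyphenated lookalike.
        brand = shown.split(".")[0]
        if brand and brand in hostname(destination_url):
            findings.append(("brand-in-lookalike-host",
                             f"'{brand}' appears in {hostname(destination_url)}"))
    age_days = (today - created).days
    if age_days < min_age_days:  # threshold is an assumption, tune to taste
        findings.append(("newly-registered",
                         f"destination domain is {age_days} days old"))
    return findings

# Constructed sample: the URLs are the ones quoted in the article; the dates
# are made up to reflect a domain "created two days ago".
TODAY = date(2009, 9, 24)
BOGUS_AD = ("www.mozilla.com/firefox", "http://firefox.mozilla-now.com/",
            TODAY - timedelta(days=2))
# Constructed control case: display and destination share a domain; the
# registration date is a placeholder, not a real WhoIs value.
CLEAN_AD = ("www.mozilla.com/firefox", "http://www.mozilla.com/firefox/",
            date(2000, 1, 1))

if __name__ == "__main__":
    for display, destination, created in (BOGUS_AD, CLEAN_AD):
        print(display, "->", destination)
        for code, detail in vet_ad(display, destination, created, TODAY):
            print(f"  [{code}] {detail}")
```

A check like this only reflects the destination it was given, so it has to be re-run whenever an advertiser changes an ad's destination URL.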

Furthermore, the site is abusing the Mozilla brand and Firefox name to try and trick surfers out of cash for "24/7 Expert Customer Support".

Hmm... with so many millions of Firefox users around the world, I would think it wouldn't be that hard to get free tech support from fellow surfers if you were having difficulties with the program. That should have rung alarm bells, but because the ad looks to all intents and purposes to come from Mozilla and has been given the thumbs-up from Google, it may have fooled some.

My guess is that when the shysters bought the sponsored ad they initially did link it to the real Mozilla site (which would probably have passed by Google's standard checks without any eyebrows being raised) but at some point the destination URL was switched over to the bogus webpage.

I suppose we should be grateful that the bogus webpage didn't try and install malware too.

The challenge of malicious adverts is one that is affecting more and more websites, and it's clear that right now a strong enough way of pre-filtering them before publication simply isn't available.

Google has, however, set up a website - www.anti-malvertising.com - which is designed to help websites that use ad networks conduct quick background checks that may find evidence of possible attempts to distribute malware through advertising.

In the meantime, as the advertising industry investigates with the computer security industry how it might find a better way to handle this problem, you would be wise to keep your wits about you and ensure that you have up-to-date security on your computer checking every webpage you visit for dangerous code and links.

Update: The offending ad has been removed by Google for violating a number of policies.

* Image source: TechCrunch


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.