At least two Google AdSense campaigns have been leveraged by cybercrooks to redirect the visitors of numerous websites to scam pages.
The malvertising campaign started in the second half of December and lasted until a few days ago, when Google finally managed to remove the offending advertisements.
According to Sucuri, users who accessed sites containing the ads, regardless of what Web browser they had been using, were redirected to bogus websites advertising various products, including weight loss, skin care and IQ enhancers. The scam sites were made to look like reputable magazines such as Forbes and Good Housekeeping.
Users didn’t have to click on the ads in order to get redirected, and the malicious redirections affected even webmasters when they accessed the Ad Review Center section of their Google AdSense dashboard.
After many of the affected webmasters started complaining on the Google AdSense support forum, the search giant started taking steps to block the bad ads and advised customers to do the same from their accounts. However, as Sucuri senior malware researcher Denis Sinegubko pointed out, it wasn’t easy for webmasters to identify and block the offending ads because they were redirected to the scam sites almost immediately after the ads were displayed in the Ad Review Center.
On January 9, the issue escalated and more website owners accessed the support forum to complain. The next day, Google informed customers that its malvertising team was working on addressing the problem, but it was having difficulties because the cybercrooks were changing the destination URLs.
The most likely scenario is that the attackers somehow hijacked the AdWords accounts of two legitimate advertisers to launch their campaign. The accounts in question contain legitimate ads, and Google has not suspended them after shutting down the malvertising operation. Sinegubko believes that the owners of the accounts probably didn’t have any active campaigns, which is why they didn’t notice the scammy ads. On the other hand, there’s also the possibility that the accounts were created by the scammers, who added some legitimate ads to avoid raising suspicion.
Sinegubko says Google should have better control over third-party scripts because they can be used for more than just redirects.
“They can easily contain browser exploits. And even perfectly legitimate scripts may be modified if their site gets hacked. If Google doesn’t control scripts in their ads, AdSense may eventually turn into the largest malvertising platform despite the still prevailing opinion that Google Ads are probably the most safe ad network out there,” the researcher said in a blog post.
Another problem, according to the expert, is that malicious actors can leverage the fact that the scripts included in banners are executed in the Ad Review Center. This can be exploited to launch cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks. The scripts can also be utilized to redirect webmasters to AdSense phishing pages.
This particular malvertising campaign doesn’t appear to be limited to AdSense. One user reported seeing the same redirects triggered by ads served through the advertising network Sovrn.
Malvertising campaigns have become increasingly common because they allow cybercriminals to easily reach a large number of potential victims. A recent operation analyzed by researchers at Cyphort targeted AOL’s ad network and it affected several high-profile websites, including LA Weekly and The Huffington Post.