Google Adwords and Passive Phishing

The game of harvesting bank accounts and online identities continues to develop, and new methods are now appearing on the horizon.  Typically, phishers and malware distributors have relied heavily on spamming email lists with links to their phishing sites or websites that install malware via drive-by-download.  But there is a problem with this method-  First, you advertise your evil intentions to the world with a broadcast email, and the good guys, like the Antiphishing Working Group, will call the webhosting companies and get the phishing webserver or malware distro server yanked off of the internet.  Nowadays a phishing site has an average of an 8 hour shelflife thanks to the great work of antiphishing teams in the cyber community.

From the phisher’s point of view, he paid for a domain registration, shared space on a webserver, and probably a list of valid email addresses so he could send his spam.  While his phishing site is online, he may be able to harvest a dozen good working accounts or ID’s, and these will only work for a single targeted financial institution.

But now there is passive phishing, where no initial email is sent.  And it may take weeks or even months before a security professional notices the site.  Passive Phishing’s newest partner is Google and their adwords program.  Here’s how it works, from NewsFactor Network here:

Google has removed paid advertisements that link to 20 search terms online criminals hijacked to steal the personal identities of people searching the Internet.
 
Exploit Prevention Labs discovered the scheme on April 10 when a user of the company’s link-scanning software ran a Google search on the phrase “how to start a business.” The top-ranked sponsored search listing appeared to be from AllBusiness.com, a legitimate business, yet the hyperlink actually led to a site that attempted to install a password-stealing keylogger on the user’s PC.

“The post-logger is specifically targeting about 100 banks from around the world, by injecting extra HTML into those banks’ response pages, to try to coax extra information out of the victim,” Roger Thompson, CTO for Exploit Prevention Labs, wrote in his blog. Thompson added that this “equal-opportunity logger” happily logs all user IDs and passwords for any Web page.

Michael Sutton said an alternate and likely more effective approach involves leveraging a Web site that already receives high volumes of traffic. By using Google AdWords to generate traffic, he explained, the attackers leveraged one of the most powerful traffic generators on the Internet.

The moral of the Google AdWords hack story: “Attackers are realizing that in business, you need to spend money to make money,” Sutton concluded. “Assuming that a paid service will deter criminals is simply not enough.”

In this type of attack, the phisher only pays for his domain registration and his shared hosting.  And he pays out of pocket, or more likely, uses stolen credentials, to pay for Google’s Adwords.  And the server stays up much longer, capable of harvesting identities and account information for hundreds of online banks, not just a single targeted bank. 

Google has been under quite a bit of criticism in the past for click fraud and their inability to effectively combat it.  Now it comes out that you may not be able to trust the advertisers on popular webpages?  Google needs to authenticate their ad sponsors and certify that they are malware-free.  Want to see the exploit work?  Click here for a video by Exploit Prevention Labs.

PS:  My own ad banners are exploit-free, so feel free to click away.