DefCon: Google Ads Phishing Security Alert

DefCon (http://www.defcon.org) is a large annual hacking conference that attracts corporate security personnel, federal agents, and of course, hackers.  DefCon is significant since hackers use DefCon as a forum to unveil security vulnerabilities in tools and utilities we use daily.  The first day of this year’s conference, DefCon 13, is no exception.

The focus for the presentation “Hacking Google AdWords” by StankDawg (http://www.stankdawg.com/) was how to effectively use the Google AdWords system to maximize your visibility on the Google site.  The competitive commercial applications alone made this talk interesting.  However, tucked in this presentation was the shocking revelation that anyone with a credit card (including one time use credit cards) can create a Google advertisement that is a convincing phishing attempt.

As a quick background, AdWords is a Google Program through which an individual or corporation can purchase keyword search terms.  When anyone searches with those terms, the purchased ads appear on the right hand column of the Google search results.  When you purchase an ad, you provide a title, summary text, and a link to your site.  For convenience, Google allows you to provide a destination for the link that differs from the displayed URL for the link in the ad.  This is useful for you to create a special page specifically for Google users.  However, the destination URL does not have to have any relationship with the link that is displayed on the ad!

This allows malicious advertisers to create fake web sites for the purposes of gathering personal information (one type of “phishing”).  Let’s say there was a bank “Example S&L” that allowed on-line banking services.  A phisher can create an advertisement with the search term “Example S&L” that has an appropriate title, appropriate text, appears to have a link to “www.examplesandl.com”, but really points to “www.phishingexamplesandl.com” (or more subtly, “www.examplessandl.com”).  The result is that a person who is not paying attention could search for “Example S&L”, see the top paid advertiser that looks like a legitimate link to “Example S&L”, click on it, be presented with a fake login page, and unknowingly provide their login information to a phisher.

For Google, a solution could be to at least ensure that the domain of the destination URL matches the displayed URL (or simply have the destination and displayed URL match).  For the rest of us, the main lesson learned is that as Web users, we need to utilize constant vigilance to ensure that the URL in the “address” line is what we expect before entering any personal information.