RealTime IT News

Spammers Are Gaming Google's Adwords

The next time you run a search on Google, pay attention to which results you click on from the paid results area. Security experts say spammers are gaming Google's (NASDAQ: GOOG) Adwords program again in order to get malicious sites placed at the top of paid search results.

Some search results, listed to the right of organic search results in Google, contain links purporting to take searchers to the subject they are looking for, but redirect them to sites that infect their PCs instead.

In addition, the malware on those sites has been tweaked to evade detection by many antivirus applications, experts said.

If the link redirects to a site with malicious code, the tactic would appear to violate Google's own policies regarding AdWords, such as not allowing URLs in AdWords results to redirect to other URLs. Google was not immediately available for comment.

Researchers are also warning of new forms of scareware that are coming up on paid search results. Scareware is a term for fake antivirus software sites that appear to come from well-known vendors such as Microsoft (NASDAQ: MSFT).

"An attorney I know was doing a Google search for class action lawsuits regarding 2004 Ford Rangers, and clicked on the top result [in the paid search results section], which led him to a site in Poland that got him to download malware by telling him he needed a new codec to view the video on the site," Randy Abrams, director of technical education at antivirus vendor ESET, told InternetNews.com.

"If he'd read the URL closely, he'd have realized a site in Poland wasn't relevant to his search about a U.S.-based company. People have to realize that the top results from an online search are the result of people spending time and money to get them to the top," Abrams said. He was referring to the bidding process advertisers use to get their paid-search ads to show up higher than other paid-search rival's results.

In addition, spammers are now tweaking viruses and Trojans to avoid detection, Abrams said. "Sophisticated criminals don't just write or buy a virus or Trojan, they test and tweak it until it's undetectable and then they release it."

Spammers often dynamically repackage their malware using utilities so they present different signatures every time and escape detection by anti-malware applications, Abrams said. "The Storm worm, for example, was being repackaged every five minutes to escape detection," he added.

Storm created the biggest botnet worldwide through all of 2007 and most of 2008, infecting anywhere between 160,000 and 50 million computers before researchers were able to send out warnings.

Repackaging malware is quick and easy, said Ryan Sherstobitoff, chief evangelist for antivirus firm Panda Security. "All you need to do is make subtle changes to byte blocks in a hex editor within a file, and that takes about 10 minutes," he explained to InternetNews.com.

Sherstobitoff said there has been a significant increase in scareware. "If you do a Google search using the term free antivirus 2009, all the sponsored links point back towards scareware," he added. "Now, instead of stealing your banking information, these spammers infect your PC and make you pay for the fake anti-malware immediately."

ESET's Abrams said his attorney friend had downloaded a fake anti-spyware application purporting to be from Microsoft.

That could put the operator of the Web site in Microsoft's cross hairs, as the software giant has declared war on scareware purveyors. In September, Microsoft teamed up with the Attorney-General of Washington State to file an anti-scareware suit against two businesses, Branch Software and AlphaRed, and their product, Registry Cleaner XP.

"Scareware tricks users by falsely claiming that their operating systems have security, privacy, or operational flaws," a Microsoft spokesperson said in a statement e-mailed to InternetNews.com.

"This deception hurts the reputation of Microsoft by making users think that Microsoft Windows or other Microsoft operating systems have flaws when no such flaws actually exist. Many of these products also utilize Microsoft brand elements to lend authority to social engineering tactics."

Before any of these fraudsters can be removed from the Internet, it must be proven that they are operating in violation of the law, Microsoft noted.

"Enforcement of laws is the sole jurisdiction of law enforcement and government, but Microsoft is in a unique position to provide technical expertise and support." It does this by providing Governments and law enforcement with technical training, investigative and forensic assistance, and the continued development of new technology tools to combat cyber crime.

Spammers are also using traffic management to direct victims to different sites every time they click on the same link. This helps them evade detection longer.

Traffic management was used in combination with scareware in attacks on LinkedIn, a social networking site for professionals.

The spammers who hit the attorney friend of ESET's Abrams also used a combination of traffic management and scareware. "When I tried to go back to the false Ford site in Poland, it just took me to a search page," he said.

"They assume that, if someone comes back to their site again, they're a researcher, and redirect them somewhere else. That's one aspect of traffic management."