Network News

X My Profile
View More Activity

Google Ads Lead to Phony Apps

Web security firm Websense is warning that scam artists have hijacked Google's sponsored links to spread rogue anti-virus software. While this type of attack is not new, I was amazed to find how deeply Google's ad program appears to be infested with this crud.

Websense's alert shows how following sponsored links generated by searches for popular software titles may not be such a hot idea. Their investigation of the sites served up at those links took them through what appears to be a long and convoluted effort to trick visitors into installing bogus security software.


Websense discovered the scam after searching for WinRAR, a popular tool used for archiving files and folders. Interestingly, when I searched for WinRAR just a few minutes ago, I found two different sponsored links to sites that offered up a version of the program that came with a malicious keystroke-logging program attached, according to a scan of the downloaded file that I ran at VirusTotal.

I Googled for "Firefox" and found a single sponsored link to the right, which leads to a site that collects your e-mail address, and then on the next page prompts you to pay for the free browser.


Ditto for Adobe's Flash Player, which generated sponsored links that led to:


Which, in turn, leads to a similar payment page:

Picture 20.jpg

These scams succeed because people fail to download programs directly from the vendor's site. In the scam Websense highlighted, the perpetrators used a fake page. This leads me to my second most-uttered tip: If you didn't go looking for it, don't install it. If you did search for it, make sure you're really at the site you think you're visiting. Free tools like Netcraft's anti-phishing toolbar and McAfee's SiteAdvisor make it easy to check this information.

By Brian Krebs  |  December 16, 2008; 4:53 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft: Emergency Patch for IE Flaw Coming Wednesday
Next: Hijack May Have Affected 160,000 Users


Instead of using WinRAR and WinZip use

7-Zip at this location.

Posted by: | December 17, 2008 2:01 AM | Report abuse

Anyone besides me IRRITATED with SeaMonkey's most recent release 1.1.14 ???

Did I miss something, or where should I type ''

Also how do I go backwards and forwards with the non-existing arrows.

I am aware that I can find these options under 'View," "Sidebar," etc. but where are they on the top of the browser -- DA ???

Posted by: | December 17, 2008 2:06 AM | Report abuse


The 'show/hide' function under view already has the navigator, personal, component and status bars checked, but either way nothing changes and the 'new' MORE button doesn't help either.

Ugh !!!

Posted by: | December 17, 2008 2:13 AM | Report abuse

Bruce, you may want to post your query in the SeaMonkey Google Group:

Several people have posted queries in the "SeaMonkey 1.1.14 released" thread, and they're getting quick responses there.

Google Groups is often a good starting place when you're trying to find the answer to a vexing computer problem.

Posted by: Heron | December 17, 2008 1:02 PM | Report abuse

Bruce, nice to see you again. And thanks for NOT POSTING IN ALL CAPS! Makes for a much calmer discussion.

Posted by: BTKrebs | December 17, 2008 3:30 PM | Report abuse

Just don't click on the Google ads.

Posted by: Heron | December 17, 2008 3:30 PM | Report abuse

Brian & Heron

Thanks !!!

I'll try the Google site without the ads.

布赖恩& 苍鹭 感谢!!! I' ll尝试没有广告的谷歌站点。

Posted by: | December 18, 2008 10:19 PM | Report abuse

I do not use google, never have never will.

Posted by: mmcgrane | December 19, 2008 9:26 AM | Report abuse

We use Google, but we've installed the Firefox add-on CustomizeGoogle. It blocks ads and stops Google from keeping track of our search behavior.

Which search engine do you use, mmcgrane?

Posted by: Heron | December 20, 2008 10:11 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company