Security Watch

Keeping Track of patches and hacks in the IT security world.

Google Stomps Out Malicious Sponsored Links

Google has shuttered AdWord accounts that have been serving up malware while masquerading as known and trusted sites, such as Better Business Bureau and

One of the malicious sponsored AdWord sites,, was showing up as the top sponsored result as of April 23 when Exploit Prevention Labs Googled the word "BetterBusinessBureau." (For a screenshot, click here.)

A user who clicked on the sponsored link would have noticed nothing unusual—merely a slight lag until he or she was brought to the legitimate Better Business Bureaus site. But in the background, the exploit installed a backdoor and a post-logger—which is a much more powerful version of a keylogger that captures an entire screen and makes it easy for the attacker to figure out which keystrokes belong to the password, which belong to the user name, what the secret question is and what the secret answer is.

Exploit Prevention Labs' community intelligence network has been reporting the exploits since April 10. Today it posted a video clip recording the exploit in real time. The security firm, which markets a link-scanning product, traced the bogus sites to the Russian malware-hosting site

Exploit Prevention Labs reported that it detected 20 distinct search strings that resulted in links to, and as of now it isn't clear if Google has managed to clean up all of the links. The EP Labs' Roger Thompson said that the post-logger was targeting about 100 banks from around the world by injecting "extra" html into the banks' response pages as an attempt to coax extra information out of its victims.

Thompson said that the post-logger is a browser-helper object, and thus part of the end point of any SSL transaction. That means it can see everything in plain text, instead of encrypted, he said.

A search engine pointed to a malware drive-by site isn't anything new, but this exploit is particularly dangerous in that mousing-over the sponsored result displays no URL preview. "This means that a user has no clue where she is about to navigate to," he said. "Savvy search engine users will know that often these sponsored links will take you through a 'Click-manager' or other advertising service and so seeing your browser pass through will appear benign enough."