Google AdSense Potential Source of Malware

6 May 2012


Summary. Do a Google search for “Google AdSense Malware” (without quotes) and you’ll get over a million results.

In fact, before you can even finish typing the search request, Google will suggest the search for you (since it’s become so popular).

This is shown below.

* * *

Common Occurrence. One website administrator tells a common story that represents what’s happening to many others:

“I recently was getting a daily notice where users were randomly getting malware warnings popping up on their browser when on my site. I shut off all Google AdSense and this immediately stopped. I’ve surmised that a JavaScript with malware was being delivered through my Google AdSense.” [source 1]

Problem Cause. Motivated to deliver more advertising (and increase profits), Google has (relatively recently) added over 550 third-party advertising companies and allows them to advertise through its AdSense system. Each of these companies has many advertisers of its own. So, Google AdSense has become a funnel for a flood of ads that are difficult to check (or perhaps costly – which cuts into profits). This is an “opt-out” setting, so if you’re a Google AdSense user, you may be exposing your website visitors to malware.

How it Happens. Hackers write malicious program code into the ads. Maybe they submit legitimate code initially and then swap it for malicious code. Either way, those ads eventually get served up on your site. The harm can come from the ad JavaScript itself, from the places the ad takes your site visitors, or from fake messages that make your site visitors think their computer is infected. These ads violate the Federal Trade Commission laws on false advertising, but since everyone’s making money off it, nobody complains.

New York Times Malware. In 2009, the New York Times mistakenly served up malware-infected ads.

“In September 2009, the New York Times unwittingly presented millions of their website visitors and readers with malicious advertising. Thousands of computers were infected with viruses as a result. Even in my relatively small circle of acquaintances I knew of many people affected, so the impact must have been huge. The same thing that happened to the New York Times is happening on a wider scale with Google AdSense, but it’s going unchecked, and unstopped. There’s too much money at stake. I’ve spoken out, but nobody is listening.” – Greg Johnson
[source 1, source 2]

Why It’s Difficult to Track. Because ads are served up randomly for each site visitor, an individual malicious ad may never be detected by website security scanning services such as McAfee Site Advisor, Norton Safe Web, and Sucuri.net. Only when your site traffic reaches a certain threshold will you attain critical mass: of, let’s say, 1,000 people, 900 don’t get the malware ad, 90 get warned that your site has malware and never visit it again, and 10 get infected but never figure out where or how. Out of the 100 who get served the malicious ad and either get infected or warned not to visit your site, there might be one who goes out of their way to make contact with you (probably through some other channel than your site, such as Facebook) and says, “Hey, I just wanted to let you know, my antivirus software told me your site is infected.” This begins a time-consuming and perplexing polite exchange of emails in which you are never able to reproduce the problem.
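The sampling argument above can be worked through in code. The following is an added example, not part of the original article: it assumes each page load is an independent draw with a fixed chance of being served the bad ad, uses the article's illustrative figure of 100 in 1,000 visitors as that rate, and the function names are hypothetical.

```python
import math

# Illustrative rate from the paragraph above: 100 of 1,000 visitors get the bad ad.
ARTICLE_RATE = 100 / 1000

def detection_probability(serve_rate: float, page_loads: int) -> float:
    """Chance that at least one of `page_loads` independent loads shows the bad ad."""
    if not 0.0 <= serve_rate <= 1.0:
        raise ValueError("serve_rate must be between 0 and 1")
    if page_loads < 0:
        raise ValueError("page_loads must not be negative")
    return 1.0 - (1.0 - serve_rate) ** page_loads

def loads_needed(serve_rate: float, confidence: float = 0.95):
    """Smallest number of page loads that sees the bad ad with at least
    `confidence` probability. Returns None if the ad is never served."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if serve_rate <= 0.0:
        return None          # nothing to find, no sample size is enough
    if serve_rate >= 1.0:
        return 1             # every load shows it
    # Solve 1 - (1 - p)^n >= c for n; log1p keeps precision for tiny p.
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-serve_rate))

if __name__ == "__main__":
    # A scanner that loads the page once usually sees a clean ad.
    print(f"single scan:      {detection_probability(ARTICLE_RATE, 1):.0%}")
    # One scan per day for a month does much better at this rate.
    print(f"30 daily scans:   {detection_probability(ARTICLE_RATE, 30):.1%}")
    print(f"loads for 95%:    {loads_needed(ARTICLE_RATE)}")
    # Assumed much rarer rate (one bad ad per million loads, chosen for
    # illustration): periodic scanning can no longer keep up.
    print(f"loads at 1e-6:    {loads_needed(1e-6):,}")
```

At the article's illustrative rate a single scan misses the ad nine times out of ten, which is why a one-off check by a scanning service or by the site owner so often comes back clean.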

Decline in Site Traffic. A good sign that this is happening to your site will be if you notice a significant drop in your site traffic for no reason. As explained above, you probably won’t ever get warned that it’s happening.

Problem Solution. It’s probably the case that Google AdSense direct advertising partners are trustworthy, but many of the third-party advertising agencies don’t have quality checks in place. One way to fix this problem is to manually place ads in your site (but that’s a lot of work to keep updated). Another fix is to log in to Google AdSense and then go to the allow & block ads page for third-party advertisers. First turn off the default setting to “Automatically allow new Google certified ad networks.” Then, click the “block all” button to block all 550+ advertisers, and then go through to select a few that seem trustworthy.

Warning. Most websites larger than ours probably wouldn’t take the time to investigate or do anything about it. Disabling potentially harmful advertising reduces profits, but we believe it’s the right thing to do. Unfortunately, many other sites out there won’t do the same as we have done. So, be sure you annually upgrade to the newest version of your antivirus software and make sure it’s updated regularly.

__________

Thanks. Out of about two million visitors to our site, we know of only two people who were warned by their antivirus software about malicious content on our site. Because two out of two million seemed too high, we began investigating this, and discovered what is reported above. We’re deeply grateful to these two people (Pat T. and Wally G.) who took the time to correspond with us as we investigated this further.


About Gregory Johnson

Greg Johnson is a freelance writer in Iowa City and also the founder and Director of the ResourcesForLife.com website. He also manages IowaCityWebDesignArtist.com and many other topic specific websites.
