Paid Advertising
web application security lab

Google Ads Spread Malware

This is actually a really serious issue that was sent to me. The funny part is that I’ve known this was possible for years now and even already put it into a presentation I’m doing in a few weeks, but anyway Google’s ads have been spreading malware. A few people with Google accounts have been buying sponsored ads (no doubt with stolen credit cards/identities). It’s sure easier than getting to the top of the search results page!

Although I don’t think this signals the end of text ads, I think it’s a wise choice to consider any paid links to be just as untrustworthy as anything on the SERPs. Google, nor any search engine have been particularly good about vetting how good or bad a domain is before linking to it. Hey, money is money right? Although, I believe they will probably do a cursory scan of the domain to make sure it isn’t spreading malware in the future given the bad PR, it’s pretty easy to fool spiders into not seeing malware. So I’m not sure what actual protection this will provide.

My next thought was CSRF - if you buy a search term and include a few images to remote domains you can pretty easily get them to do things on your behalf, and it’s extremely targeted at the same time. Yah, that’s bad. Don’t trust those paid ads - it doesn’t matter if they are “sponsored” or not. As a side note, I was a little annoyed to read that Matt Cutts wants people to snitch out paid links. I think Google should look at it’s own problems before trying to hurt people’s revenue streams. At least with my paid links, I wouldn’t be risking people’s identity to click on them!

6 Responses to “Google Ads Spread Malware”

  1. ChrisP Says:

    I remember Finjan showing me a demo of their JS sandboxing feature using a simple Google search. One of the ads returned (on the right-hand side) was JS malware.

  2. Randy Charles Morin Says:

    You aren’t saying the Google ads are spreading malware, nor are you saying that there is any proof, just that you think that AdWords could be used to spread malware.

    Good old fear mongering.

  3. RSnake Says:

    Uh… read my post again, “I think it’s a wise choice to consider any paid links to be just as untrustworthy as anything on the SERPs”

    I wouldn’t exactly call that fear mongering. And what do you mean there is no proof? They have admitted it! Nice reading skills, Randy.

  4. Kevin Fernandez Says:

    I’ve never heard about it before i saw all the news talking about that, this is real threat, i was talking about it with a brazilian friend and he pointed me to this link:,89743,
    this too:,86637,
    It’s in brazilian-portuguese. Brazilian phishers were using that back in january 2006, still the problem remains, scary..

  5. hackathology Says:

    Google, please solve your problem first before snitching out any paid links. Damn!!

  6. Vinoth Says:


    Don’t worry dude big G will take all necessary steps to protect their publishers and advertiser from these kind of attacks