In a worrying development for Google, on Tuesday Roger Thompson, CTO of Exploit Prevention Labs, reported in a blog post exploits of the Google Adwords system.
Exploits such as these, unless prevented, threaten the whole structure of Adsense and Adwords.
Exploiting the Google presentation of Ads
When Google serves sponsored-site ads, the URL that the user sees in the advert is not the URL that the user is directed to when they click the ad. This is the normal functioning of the Adwords system: it allows advertisers to show their main URL on their advert but to direct users to a specific page when they click the ad.
Normally, when you roll your mouse over a link, you will see the URL that you are about to click through to. For sponsored ad results, however, this URL is not shown.
Better Business Bureau and Cars.com exploit
Users encountering the exploit would find that clicking on the exploit ads for the Better Business Bureau or cars.com takes them to the real site, but in passing they are first taken to a malicious site, www dot smarttrack dot org, which tries to install a backdoor keylogger that would give access to information about the user's online banking transactions for certain online banks. This redirect via the malicious site is not apparent to the user before they click the ad, because Google Adwords destination URLs are not shown, as explained above.
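A defender auditing ad clicks therefore has to inspect every hop, not just the landing page. The following is an added example, not code from the original post or from Google: it checks a recorded redirect chain against the ad's displayed URL. All hostnames, the `TRUSTED` allowlist and the sample chains are constructed for illustration.

```python
from urllib.parse import urlsplit

def site(url):
    """Naive registrable domain: the last two host labels.
    Assumption for brevity; production code should use the Public Suffix List."""
    if "//" not in url:          # display URLs are often shown without a scheme
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def audit_click_chain(display_url, hops, trusted_sites=frozenset()):
    """Return findings for one ad click.
    hops: ordered URLs the browser requested after the click, landing page last.
    trusted_sites: sites allowed as intermediaries (e.g. the ad network's tracker)."""
    if not hops:
        return ["no hops recorded"]
    expected = site(display_url)
    findings = []
    # Every intermediate hop must belong to the advertiser or a trusted site.
    for i, url in enumerate(hops[:-1]):
        s = site(url)
        if s != expected and s not in trusted_sites:
            findings.append(f"hop {i}: unexpected intermediary {s}")
    # The landing page must match what the ad displayed.
    landing = site(hops[-1])
    if landing != expected:
        findings.append(f"landing site {landing} != displayed {expected}")
    return findings

# Constructed sample data (hypothetical hosts under the reserved .example TLD).
TRUSTED = frozenset({"adnetwork.example"})
CLEAN = ["https://click.adnetwork.example/c?id=1",
         "https://www.advertiser.example/offers"]
# Lands on the real advertiser, but passes through an unrelated host first.
DETOURED = ["https://click.adnetwork.example/c?id=1",
            "http://unknown-hop.example/r",
            "https://www.advertiser.example/offers"]

if __name__ == "__main__":
    for name, chain in (("clean", CLEAN), ("detoured", DETOURED)):
        print(name, audit_click_chain("www.advertiser.example", chain, TRUSTED))
```

The detoured chain ends on the advertiser's own site, so a check of the landing page alone would pass; only the per-hop comparison reports the unrelated intermediary.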
This must be a worrying development for Google, because any loss of customer confidence in the safety of ad links could send click-through rates crashing and cause major problems not only for Google but also for the many webmasters who have income streams from Adsense and who rely on Adwords click-throughs for site visitors.
It is vital that Google deals with this exploit threat robustly, both for its own sake and for the sake of those who depend on click-throughs from the Adsense/Adwords advertising model.
Thursday, April 26, 2007
Google Adwords redirect exploit
Labels: Adwords exploit