Google AdSense Used for Malvertising Campaign Using Fakes of Reputable Websites

Google AdSense ads are redirecting users to scam websites that impersonate reputable magazines and blogs and sell shady health products

Researchers have discovered at least two AdWords campaigns that appear to have been hijacked by cybercriminals. The criminals modified the legitimate ads to redirect visitors to websites selling shady health products.

Denis Sinegubko of Sucuri stated that at least two AdWords campaigns have been hijacked by scammers who modified legitimate ads to automatically redirect visitors to scam sites once they get displayed (no clicks required).

The malicious redirect worked even in the Ad Review Center of the Google AdSense dashboard on the google.com site, where webmasters can view the ads that Google displays on their sites. The problem had existed for about a month, since the second half of December 2014, but became really widespread last Friday (Jan 9th 2015). He added that Google had stopped the two AdWords campaigns by the weekend.

Top websites cloned

https://blog.sucuri.net/wp-content/uploads/2015/01/fake-sites-small.jpg
(Image Credits: Sucuri)

 

The scammers used the lemode-mgz .com domain and its subdomains to spoof well-known websites such as Forbes, Good Housekeeping and Fit Mom Daily. In some cases another domain, consumernews247.com, was used. Researchers noted that the symptoms were the same in all cases. Some users were randomly redirected when they clicked on links or loaded new pages. They all reported that the new page would show up for a second or two and then redirect them to those magazine websites.

The Sucuri blog notes, “The redirects were platform and browser-agnostic – Windows, Mac, Linux, mobile browsers – they all got redirected. However, while some visitors regularly saw those redirects and even complained that the websites were barely usable because of them, other visitors have never been redirected.”

Almost all spoofed pages showed fake articles which promoted skin care and anti-aging merchandise, IQ and brain enhancers, as well as weight-loss products.

In all, Sucuri noticed the following domains used for this particular malvertising campaign:

  • lemode-mgz .com — Created on 2014-12-14
  • securevoluum .com — Created on 2014-12-15
  • wan-tracker .com — Created on 2014-12-14
  • consumernews247 .com — Created on 2013-09-02 Updated on 2014-12-24 (there are no references before December 2014)
  • track .securevoluum .com is an alias for hfrov .voluumtrk .com and voluumtrk.com was created on 2014-08-06.
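
A defender can use this list to hunt through proxy or DNS logs after the fact. The sketch below is an added example, not code from Sucuri or the original article: it matches logged URLs against the listed domains on label boundaries (subdomains match, look-alike hosts do not) and computes how old each domain was when seen, counting the "Updated" date because consumernews247 .com looks old by creation date alone. The log entries, the subdomain name and the 60-day threshold are constructed assumptions.

```python
from datetime import date
from urllib.parse import urlsplit

# Registration data as listed in the article: domain -> (created, updated or None).
CAMPAIGN_DOMAINS = {
    "lemode-mgz.com": (date(2014, 12, 14), None),
    "securevoluum.com": (date(2014, 12, 15), None),
    "wan-tracker.com": (date(2014, 12, 14), None),
    "consumernews247.com": (date(2013, 9, 2), date(2014, 12, 24)),
}

def match_domain(url):
    """Return the listed domain the URL's host equals or sits under, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased, port dropped
    for domain in CAMPAIGN_DOMAINS:
        # Compare on a label boundary so "notlemode-mgz.com" does not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def age_days(domain, seen, use_updated=True):
    """Days between the domain's last registration event and the sighting."""
    created, updated = CAMPAIGN_DOMAINS[domain]
    reference = updated if (use_updated and updated) else created
    return (seen - reference).days

def hunt(log, max_age_days=60):  # 60 days is an assumed threshold, not from the article
    """Return (url, domain, age_in_days, is_recent) for every log entry that matches."""
    hits = []
    for seen, url in log:
        domain = match_domain(url)
        if domain is not None:
            age = age_days(domain, seen)
            hits.append((url, domain, age, age <= max_age_days))
    return hits

# Constructed proxy-log sample (date seen, URL); the subdomain name is made up.
SAMPLE_LOG = [
    (date(2015, 1, 9), "http://example-sub.lemode-mgz.com/article"),
    (date(2015, 1, 9), "http://track.securevoluum.com:80/click"),
    (date(2015, 1, 9), "http://CONSUMERNEWS247.com./"),
    (date(2015, 1, 9), "http://notlemode-mgz.com/"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Judged by creation date alone, consumernews247.com is 494 days old on 2015-01-09 and would pass a young-domain filter; its update date puts it at 16 days.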

Sucuri stated that the ads made it look as though the products were endorsed by celebrities and used clickbait headlines about scientific research. The fake articles also had a lot of fake comments about how those products had really helped someone.

As per the timeline provided by Sucuri Blog, the entire malvertising campaign lasted for about a month. The ad account from which the AdWords campaign originated belonged to an anonymous advertiser and Blackburn ART with ads pointing to rgeoffreyblackburn .com site.

1 COMMENT

  1. These redirects still exist as of 2015-10-12.

    These domains are registered by Dynadot. However, the abuse@dynadot.com is 0xDEADBEEF. I sent it twice hoping that it would be addressed. Instead, the emails bounced with a permanent failure error, not mail quota reached (i.e., mailbox full) or anything reasonable.

    So I forwarded it to their ‘general’ info@dynadot.com address saying they are not in compliance with RFC 2142 and ICANN will be notified.

    These unexpected redirects while I’m browsing are uncomfortable at best. Death to scammers!

    (By the way, the registrant thinks s/he can get away with it because they’re a Polish resident [PL is Poland, I think].)
