-
10-09-07 #1
Registered User
Terrible! My adwords account has been hacked in
What a day to start the week...
My main adwords account has been hacked into since I last accessed it last night and they have managed to put me back by 600+ pounds while I slept.
They modified an existing dormant adgroup and added a generic keyword 'jobs' and that piled up nearly 900 clicks. Then a new US campaign was added with an adcopy as below
Good Assistants Needed
Job. DHL Mail Services
$90,000 per year. P/T
DHLMailJob.com - This domain seems to have spammer links.
Keywords were jobs , best jobs, good jobs time jobs, job s .
I have escalated the issue to adwords support and their specialist team is investigating. My "googling" since morning says that I am not the first one to suffer this.
Google may suspend my account and start a new one but I am not sure if I want to go down that path if I lose my history or more importantly QS.
What I am wondering is how it could have happened given that I am behind a router with a laptop with Windows Vista and Kaspersky Anti-Virus. The adwords account used a not so simple password which is not used anywhere else like public forums. So the whole thing makes it scary.
Now my questions are -
1. Anyone else here affected by this?
2. How could they manage this?
3. What can I do to prevent this from occurring again?
Thanks and Regards
Anjitha
-
10-09-07 #2
Affiliate Student Guy
That's horrible to find out. Hopefully the AdWords team will sort it out and keep your account so that you keep your QS.
Good job you checked soon after, imagine what could have happened if you were away for a week when it happened :O
Hope it gets sorted, mate.
-
10-09-07 #3
Registered User
Sorry to hear this!
Had a quick look round the net out of interest, and it does seem to be quite frequent.
From what I've read, though, it's not a case of someone breaking into your account at Google, or guessing your password or similar.
All the cases I read indicate that there is most likely something nasty on your machine that has been downloaded accidentally from the net. This spyware (although it's not really the best description for it), because it's running on your machine, can see the passwords to all the sites that you use, as it can see all the traffic to and from your machine. It specifically targets AdWords accounts and sends the passwords to whoever runs it, and they add their own adverts which, when clicked, refer the browser to a site that installs another copy of the spyware. This infects that person's machine and the process continues.
When your credit card is refused, stolen credit cards are used to keep the campaign going.
A lot of people have reported they can't access the domain adwords.google.com. See if this has happened to you, as it can help narrow down the particular piece of software on your PC.
As well as informing AdWords, you'll also need to talk to your credit card provider and have your card stopped, otherwise it's more than likely you'll find a load of dodgy transactions on it!
-
11-09-07 #4
Registered User
Here is some reading for you.
Exploit Prevention Labs: Google sponsored links not safe?
BBC NEWS | Technology | Google searches web's dark side
Dynamoo's Blog: Malware via AdWords - is this the same dynamoo that posts around here?
Google finds malware on 1 in 10 Web sites | Tech news blog - CNET News.com - in this article you will find this link http://www.usenix.org/events/hotbots...vos/provos.pdf which is a PDF prepared by Google et al which describes how the malware is spreading.
All heavy reading but enough for me to now use browsers which are set to not load any 3rd party scripts, images or iframes. Makes for some empty sites, sometimes.
-
11-09-07 #5
Mooooo
Yup, that's me. That particular case mentioned was really strange. I glossed over some of the details at the time for security reasons.
What was happening in that instance was this: someone was targeting the keyword "trampolines" with a Google ad in the #1 position. When they clicked on the link they got through to a page that looked just like a site selling trampolines, because it was an exact copy of a legitimate site's front page... and the fake site was itself hosted on another compromised legitimate site. The only difference was an IFRAME loading in malware which I seem to remember was on a trojanised PC somewhere.
Of course, these guys don't have to worry about how much they're paying per click as they're not really paying.
A bit of digging shows that the DHLMailJob.com site in question seems to be down, but was hosted at 85.249.132.74 in Russia along with Altarfield.com, Bestpodeals.com, Dhl-mailcorp.com and Dhlmail-us.com. That seems to be a mixture of bogus retailers and money mule operations.
Anjitha, I think the most likely explanation is that your PC has been compromised and perhaps has a keylogger installed, but it could be any one of a number of other reasons. If you've accessed your account from more than one PC, then it's possible that the other PC is compromised. Or perhaps they sent out an AdWords phishing email? No definite answers, I'm afraid.
I guess if anything it's a good reminder to other advertisers as to just how important it is to secure your AdWords account. These guys are getting to be very sophisticated.
-
11-09-07 #6
Registered User
-
11-09-07 #7
Registered User
The malware scripts sniff out browsers and exploit Firefox and Opera as well. Each malware script looks for 10 plus weaknesses.
If you have JavaScript and ActiveX disabled you are safer. If you can block any 3rd party content then you should be safe.
I have not heard whether or not SeaMonkey is any safer for M$oft PCs.
Fortunately, Macs are still safe.
-
11-09-07 #8
Registered User
-
11-09-07 #9
Mooooo
You can mitigate the risk by using fewer MS products. One problem that Vista has is the lack of availability of software firewalls and antispyware apps that XP users have access to. Macs (and Linux machines) are vulnerable too, just less often exploited.
Seamonkey is closely related to Firefox, so often they have the same holes.
Here are some general tips:
- Internet Explorer is usually the biggest weakness on a system. Using Firefox, Opera, Seamonkey or another non-MS browser can help a lot.
- Java is a serious security threat. Always make sure you have the latest version (go to java.com to check) and remove the old versions from Add/Remove Programs.
- Adobe Acrobat and Flash are vulnerable too, you need to keep those up to date.
- Email clients are a particular problem. Outlook Express and early versions of Outlook (i.e. 2000 and before) are particularly dangerous. Thunderbird, Eudora or any one of a number of other clients can help.
- Out-of-date Microsoft applications can cause a problem. I know a lot of people still using Office 97 which is very dangerous. Office 2000 needs to be updated manually (not through Windows Update). The later the version, the safer it is.
- Instant Messaging clients. Just say no. Very dangerous indeed.
- VOIP applications such as Skype can be useful but MUST be kept up to date
- Peer-to-peer apps can be very dangerous. Make sure that they're properly secure and shut them down when not needed.
- Always view unsolicited email attachments with suspicion.
- Software firewalls such as Kerio or Zonealarm can secure outbound connections as well as inbound ones which can help to limit the damage.
The Secunia Software Inspector is a really great free tool for inspecting your Windows PC (requires IE to run). I would recommend that *everyone* uses this tool from time to time to check their system for vulnerabilities.
One last thing - the chances are that the bad guys were specifically looking for AdWords customers. I suspect that the most likely form of attack was a "spear phishing" email which either had a malicious attachment or link to a bad site. Statistically, the number of AdWords users in the general population is very small, so they might use a targeted approach for better results.
-
11-09-07 #10
Registered User
Thanks for all the valuable advice.
As it stands, I have re-installed the OS and other software. I got rid of the Kaspersky. I have not made any changes to the AdWords account other than the password as it is presumably under G tech team investigation. I plan to change the login account after hearing from them today.
I use firefox all the time but my 3 year old son needs internet explorer for CBeebies as I couldn't get the flash plugin to work with Firefox.
Though he can't type URLs he tries, so I suspect he would have tried typing in which ended up in some nasty site which would have installed a keylogger or some sort of remote access software (passwords were stored in Firefox).
Credit cards have "spending trigger" so anything other than adwords they ask for telephone/online authorization. Still I'm keeping an eye on them.
All in all, when I think about it, it makes me very nervous.
Thanks
Anjitha
-
11-09-07 #11
Registered User
I did read today about an ad network that displayed adverts on many popular legitimate sites, that was displaying a malicious ad that downloaded a trojan through a flash movie.
If your computer was unpatched, it could easily have come from something like this, and you could have been infected from going to a perfectly legitimate site rather than a dodgy one.
-
11-09-07 #12
Registered User
These ads have been around for some time and are popping up all over the place - usually of the ppv variety. If you spend too long on these sites (images / video / flash) then you start to be offered the lower cost ads from far flung agencies just to fill the gaps and so as not to repeat the ads to you the visitor. Not all agencies keep an eye on each URL an ad redirects you to before you see the advertiser's information.
-
11-09-07 #13
Registered User
This sounds like a keylogger to me.
-
12-09-07 #14
Registered User
There is no end to my misery. The "Google Specialist Team" after their investigation cancelled the account and I was left high and dry.
Now I feel the biggest was complaining to them. The so-called account manager doesn't seem to have a clue how difficult it is to build an account up from scratch as he was convincing me to start a new account. I have finally asked them to withdraw the complaint and re-instate the account as it is, as losing 600+ pounds is nothing compared to what I stand to lose!
Does anyone here know the escalation channel within Google? Because I think there is no point in talking to the "account manager".
Thanks
Anjitha
-
12-09-07 #15
Registered User
Have you removed the keylogger off your computer yet? No point doing anything with your adwords account until you know that your system is clean else you will only be hit again.