How did "tech-supportcenter" phishers trick Google?

Question

Related: Is the Web browser status bar always trustable?

How can Google search change the location in a URL tooltip?

I've always thought you can "hover" over a link to see where it really goes, until today.

A coworker (working from home) searched for "Target" in Google Search (using edge). He clicked the top result, which happened to be an ad, and was redirected to a phishing page posing as Microsoft trying to get him to call a "tech support" number.

I got the same results on a different computer, on a different network. When I hover over the link, both links show "www.target.com" at the bottom, but clicking the ad link takes you to a malware page and the second link (first search result after the ad) takes you to the real Target.com page.

If displaying the wrong URL in the tooltip requires Javascript, how did tech-supportcenter get their Javascript onto the Google search results page?

UPDATE Here's the same results in a virtual machine with a fresh install of Windows, on a different network:

Here's the source for the URL. It looks like it does include the "onmousedown" Javascript as the first question I linked to mentioned. Does Google allow advertisers to display any URL they want for the tooltip?

Answer 1

If displaying the wrong URL in the tooltip requires Javascript, how did tech-supportcenter get their Javascript onto the Google search results page?

The scammers did not manage to inject JS into the search results. That would be a cross-site scripting attack with much different security implications than misleading advertisement.

---

Rather, the displayed target URL of a Google ad is not reliable and may conceal the actual destination as well as a chain of cross-domain redirects. The scammers possibly compromised a third-party advertiser and hijacked their redirects to lead you to the scam site.

Masking link targets is a deliberate feature of Google AdWords. It is generally possible to specify a custom display URL for an ad link which can be different from the effective final URL. The idea is to enable redirects through trackers and proxy domains while keeping short and descriptive links. Hovering over an ad will only reveal the display URL in the status bar, not the real destination.

Here is an example:

• I'm searching for "shoes".
• The first ad link displays www.zappos.com/Shoes:

• When I click on it, I actually get redirected multiple times:

  https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChXXXXXXXd-6bXXXXXXXXXXXXkZw&ohost=www.google.com&cid=CAASXXXXXp8Yf-eNaDOrQ&sig=AOD64_3yXXXXXXXXXXXXXYX_t_11UYIw&q=&ved=0aXXXXXXHd-6bUXXXXXXXXXwIJA&adurl=
  -- 302 -->
  http://pixel.everesttech.net/3374/c?ev_sid=3&ev_ln=shoes&ev_lx=kwd-12666661&ev_crx=79908336500&ev_mt=e&ev_n=g&ev_ltx=&ev_pl=&ev_pos=1t1&ev_dvc=c&ev_dvm=&ev_phy=1026481&ev_loc=&ev_cx=333037340&ev_ax=23140824620&url=http://www.zappos.com/shoes?utm_source=google%26utm_medium=sem_g%26utm_campaign=333037340%26utm_term=kwd-12666661%26utm_content=79908336500%26zap_placement=1t1&gclid=CI3vqXXXXXXXXXXXXXBBA
  -- 302 -->
  http://www.zappos.com/shoes?gclid=CI3vXXXXXXXXXXXXXMBBA&utm_source=google&utm_medium=sem_g&utm_campaign=333037340&utm_term=kwd-12666661&utm_content=79908336500&zap_placement=1t1
  

Obviously, Google has strict destination requirements for ad links in place and an ordinary customer won't get their ad approved if they set the link target to a completely different domain. But scammers do occasionally find ways around the vetting process. At least, Google's policy about "destination mismatches" is pretty clear:

The following is not allowed:

• Ads that don't accurately reflect where the user is being directed [...]

• Redirects from the final URL that take the user to a different domain [...]

Trusted third-party advertisers may be permitted to issue cross-domain redirects, though. Some of the exceptions are listed here, e.g.:

An example of an allowed redirect is a company, such as an AdWords Authorized Reseller, using proxy pages. [...]

For example:

• Original website: example.com
• Proxy website: example.proxydomain.com

We allow the company to use "example.proxydomain.com" as the final URL, but retain "example.com" as the display URL.

One major weak spot is that Google doesn't control the third-party redirectors (in above example, that's pixel.everesttech.net). After Google has vetted and approved their ads, they could simply start redirecting to a different domain without immediately getting noticed by Google. It's possible that, in your case, attackers managed to compromise one of these third-party services and pointed their redirects to the scam site.

In recent months, there have been several press reports about an almost identical scam pattern, e.g. this report about a fraudulent Amazon ad whose display URL spells out amazon.com but redirects to a similar tech support scam.

(By now, your discovery has also been picked up by a few news sites, including BleepingComputer.)

Answer 2

This is a common abuse in paid advertising (note the "Ad" icon at the tail of your left arrow).

Advertisers want to track people who click on Google ads, partly to independently confirm Google's click billing, and partly to give away free cookies. So they request search engines to send users to a ClickURL which does that, and then forwards to the proper destination. The ClickURL may be off site, for instance at the ad agency.

The advertiser wants to provide a separate DisplayURL, which is simply the URL shown in the text ad. To hide the ugly ad agency URL, and to show a neatly displayed URL, instead of the actual destination URL (which may be lengthy e.g. a specific product page). This DisplayURL is being abused by the phishers.

The search engine is never provided the destination URL (where the ClickURL should forward to). Since the ClickURL is often on a different domain than the DisplayURL, this is hard to police. Target may retain several SEOs, each using a different Gooogle ID or ad agency, so there's nothing weird about a random Google ID running ads with a target.com DisplayURL all of a sudden.

Fairly likely that the advertiser is a small business and got phished: i.e. the spammer got ahold of their Google user credentials, discovered a Google Ad account with stored credit card data, and is running ads on their dime.

Answer 3

One aspect of this answer provided by Arminius, is that it had to be an agency trusted by Target at some point. Because when you bid on brand names in AdWords it always gets flagged for copyright reasons. Unless your AdWords account has been whitelisted. This can be a CSV list of accounts that a brand name / copyright permits to place ads on Google on their behalf. See the form here

So apart from the technical reasons explained in other answers here, it is almost impossible to have done this without access to that brand name inside your adwords account. And that can only have come from a whitelisted ad-agency that Target, at some point had trusted their AdWords management with. Or an outsourced agency on their behalf that was overlooked.

If there would be any so-called "exploit" for this issue, then it is this sort of social engineering, ie: getting on that whitelist as accredited "AdWords agency" on behalf of a brand.

As background info: A few years ago it was common for us to be offered the "opportunity" to buy AdWords accounts from the newly established ad agencies in China. Chinese agencies had been given access to AdWords and seemingly in a state of euphoria Google was allowing them unlimited account creation. Accounts that were abusing the AdWords TOS, and they ostensibly never got blacklisted. On the other side Big Brands were outsourcing their AdWords account management to these Chinese agencies because their management rates were simply too good. That's definitely one possible scenario of how you could get access to such a well-known brand.