A malvertising scheme has hijacked at least two distinct Google AdWords advertising campaigns, redirecting users who had browsed to the sites hosting the poisoned ads without those visitors even clicking on them. Some of the sites in question service more than a million monthly users.

Last week, website security firm Sucuri noticed a substantial uptick in requests to scan sites for malware. Oddly enough, the malicious redirects did not discriminate among platforms or browsers, but some visitors were not redirected while others complained that impacted sites became barely usable. The reason for that has to do with the way online advertising firms use mined data to target ads toward supposedly relevant customers. In extreme cases, advertisers deploy real-time ad-bidding, in which groups compete for seconds or minutes of ad space on particular sites at specific times.

The problem, Sucuri says, seems to have begun in mid-December and ramped up last Friday, before Google seemed to have resolved it by the end of the weekend.

The infected ads redirected users to convincing-looking but ultimately fraudulent magazine websites with articles containing fake comments and endorsements for health secrets and intelligence boosting tricks. Some of the landing pages masqueraded as real magazines, like Forbes.

The redirects occurred even in the Google AdReview center, a sort of administrative panel where site operators can review the advertisements that AdWords intends to post on their site.

Eventually, the Sucuri researchers managed to isolate the bad ads: Anonymous advertiser adv-2646721236434373, whose ads pointed toward adwynn[dot]com, and Blackburn ART, whose ads pointed to rgeoffreyblackburn[dot]com. Each ad firm, the researchers say, seemed legit and must have been hijacked at some point by the people perpetrating the scam.

“I don’t know what prevented Google from suspending those accounts right away,” Sucuri wrote. “Maybe their budgets? According to the reports in [a Google production forum], quite a few large sites with millions of monthly page views suffered from those malicious ads. And I suspect those banners may have been displayed more than a million times since December across all the sites with AdSense ads.”
