This is an explicit tool in AdWords, believe it or not.
The feature is intended so that you can have a link "to" http://trackersRus.com/ which forwards to http://ebay.com/, without the user seeing that bit of ugly.
It's been used in campaigns for years, I've reported probably hundreds of these distributing malware.
It appears here that the redirection to the ebay.com destination url is not happening and that the user ends up on a different domain.
That kind of situation is usually detected when ads are entered into the Google Ads* platform for review, with ads then rejected for "destination url mismatch". One thing checked is that the final destination url after all redirects matches what is specified in the ad's final url field.
I suspect the scammers here are somehow faking the destination url for Google's bot checker to pass the Google checks and then serving different destination urls to users who they believe are not Google bots.
* Google Ads is now the correct branded name. No longer called AdWords as in the title.
Google's approach here seems totally wrong. The destination URL should be, exactly, the link as shown. If someone wants to track clicks using a third-party tracker, Google should offer an API for that which does not give the third-party tracker any ability to control the destination -- they have plenty of market power to impose this and, heck, they could even charge a small premium.
Most browsers support a lovely feature where the a tag has a ping attribute, which is intended for more or less this use case.
I've had this problem on Facebook.
I've reported some ads for various (relatively benign) scams for herbals and the like, that use a famous newspaper as 'their url', when they have nothing to do with it.
Facebook closed my report as 'not against ad policy'.
Anyway, this is actually easily fixed without losing tracking/campaign flexibility, by requiring ad orders to be signed by a certificate valid for the target domain, if the URL is different from the displayed one.
Wouldn’t a simple solution to this problem be to prove ownership of the domain you want displayed? Why is this not done yet, this is almost standard practice nowadays for many types of services.
I wonder why Google doesn’t follow the redirect, and ensure the followed link matches the displayed link?
I get that there’s workarounds like changing the redirect after Google checks it, but there’s solutions to this too (like running checks every so often to ensure the link redirects to the same domain).
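The "follow the redirect and compare" check the two comments above describe, as an added Python example that is not Google's code and not from this thread. The `fetch` callable, the AdsBot/browser user-agent labels and the `*.example` hosts are constructed for the demo; a real checker would plug in an HTTP client in place of `fake_fetch`. The check is written to be re-run on a schedule (the redirect target can change after approval) and to be run once per user agent, so a tracker that answers the review bot differently from a browser shows up as two different landing hosts.

```python
"""Ad destination check: follow the redirect chain behind a click URL and
compare where it lands with the advertiser's declared final URL.

Added example, not Google's code and not from this thread. The `fetch`
callable, the user-agent labels and the *.example hosts are constructed.
"""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


def registrable_host(url: str) -> str:
    """Hostname of a URL, lower-cased, with a leading 'www.' dropped."""
    host = (urlsplit(url).hostname or "").lower()
    return host.removeprefix("www.")


def resolve_chain(fetch, url: str, user_agent: str, max_hops: int = MAX_HOPS):
    """Follow 3xx Location headers starting at `url`.

    `fetch(url, user_agent)` returns (status, headers). Returns the list of
    URLs visited and an error string (None when the chain ended cleanly).
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, headers = fetch(url, user_agent)
        location = headers.get("Location")
        if not (300 <= status < 400) or location is None:
            return chain, None                     # final landing page reached
        url = urljoin(url, location)               # Location may be relative
        if url in seen:
            return chain, "redirect loop"
        seen.add(url)
        chain.append(url)
    return chain, "too many redirects"


def check_ad(fetch, click_url: str, declared_final_url: str, user_agents):
    """Resolve the chain once per user agent; report per-agent problems and
    flag the ad when different agents land on different hosts."""
    declared = registrable_host(declared_final_url)
    landing, problems = {}, {}
    for ua in user_agents:
        chain, err = resolve_chain(fetch, click_url, ua)
        final = registrable_host(chain[-1])
        landing[ua] = final
        if err:
            problems[ua] = err
        elif final != declared:
            problems[ua] = f"destination url mismatch: {final} != {declared}"
    return {
        "landing": landing,
        "problems": problems,
        "cloaking_suspected": len(set(landing.values())) > 1,
    }


# --- constructed stand-in for an HTTP client -------------------------------
BOT_UA = "AdsBot-Google (constructed label)"
BROWSER_UA = "Mozilla/5.0 (constructed label)"


def fake_fetch(url: str, user_agent: str):
    """Models three constructed trackers: an honest one, one that forwards only
    the review bot to the declared site, and one that redirects to itself."""
    host = urlsplit(url).hostname
    if host == "tracker.example":
        return 302, {"Location": "https://www.ebay.com/"}
    if host == "cloaked.example":
        if "AdsBot" in user_agent:
            return 302, {"Location": "https://www.ebay.com/"}
        return 302, {"Location": "https://not-ebay.example/landing"}
    if host == "loop.example":
        return 301, {"Location": "/again"}
    return 200, {}


if __name__ == "__main__":
    for click in ("http://tracker.example/c?id=1", "http://cloaked.example/c?id=2"):
        print(click, check_ad(fake_fetch, click, "https://www.ebay.com/", [BOT_UA, BROWSER_UA]))
```

Run as-is, the honest tracker passes for both agents, while the cloaked one passes for the bot label and is reported with a destination mismatch for the browser label, with `cloaking_suspected` set. Comparing registrable hosts rather than full URLs is what lets a legitimate tracker add query parameters without tripping the check.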
When I worked at Apple I filed a Radar (bug-report) asking for the mail client to check that, if the text of an <a> tag was a url, that the text matched the href field. What followed, on the Radar, was a lengthy debate about this. If I recall correctly, the people who opposed basically argued that, if this feature was implemented by the mail client, spammers would simply find another way to inject false links. We (those who wanted the feature) lost. But I still think that, any web app that shows "http://whatever" in a link field should ensure that the href field is "http://whatever".
Sounds reasonable only if the text is a URI handler format: http://, file://, ftp://, steam://, etc.
But then what about almost-URI text? www.yourbank.com without the https://. Or lookalikes like "https:\\" or... what about proxies? Does https://l33th4x.com?proxy=www.bank.com count if the text is www.bank.com?
Filtering crap like this sounds reasonable but very quickly becomes an exercise in what I call "Giving a mouse a cookie." Now you have a huge complex chunk of code to parse and filter URLs/URIs and every look-alike you can think of. Did you remember that automatic deserialization that kicked in when your values were sent to a callback?
2 days of work later, your new build has fancy-pants <a> tag filtering that contains an unknown number of bugs, and phishers just register and use new domains that look kinda legit and follow your new text/link rules. www.security-wellsfargo-audit.com/login looks legit to the mark; your mail client allowed it, so it must be OK.
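The mail-client check proposed a couple of comments up, written out as an added Python example (not from any commenter, and not Thunderbird's or Apple's code). It handles the edge cases listed in the reply above: scheme-less text such as www.yourbank.com, the "https:\\" backslash lookalike, and a proxy-style query string on the href. The heuristic for "the text looks like a URL", the sample email and the l33th4x.com/tracker hostnames are constructed; only the standard library is used.

```python
"""Flag <a> elements whose visible text looks like a URL but whose href points
at a different host. Added example; not from the thread or any mail client.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed heuristic: text "looks like a URL" if it has a scheme followed by
# two slashes or backslashes, starts with "www.", or is a dotted host with a path.
LINKISH_TEXT = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*:[\\/]{2}|www\.)[^\s]+$"
    r"|^[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s]*)?$",
    re.IGNORECASE,
)


def host_of(text: str) -> str:
    """Hostname of a URL-ish string, tolerating lookalikes and missing schemes."""
    s = text.strip().replace("\\", "/")      # "https:\\bank.com" -> "https://bank.com"
    if "://" not in s:
        s = "http://" + s                    # scheme-less "www.bank.com"
    try:
        host = urlsplit(s).hostname or ""    # query/path are ignored, so the
    except ValueError:                       # "?proxy=www.bank.com" trick fails
        return ""
    return host.lower().removeprefix("www.")


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str):
    """Return (text, href) pairs whose text looks like a URL for another host."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.anchors:
        if not LINKISH_TEXT.match(text):
            continue                         # "click here" is out of scope
        if host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


# Constructed sample email body covering the cases discussed in the thread.
SAMPLE_EMAIL = r"""
<p>Honest: <a href="https://www.ebay.com/">https://www.ebay.com/</a></p>
<p>Tracker redirect: <a href="http://trackersRus.com/c?id=1">http://ebay.com/</a></p>
<p>Scheme-less text: <a href="https://l33th4x.com/">www.yourbank.com</a></p>
<p>Backslash lookalike: <a href="https://l33th4x.com/">https:\\www.bank.com</a></p>
<p>Proxy-style href: <a href="https://l33th4x.com?proxy=www.bank.com">www.bank.com</a></p>
<p>Prose text: <a href="https://l33th4x.com/">click here to log in</a></p>
"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH  text={text!r}  href={href!r}")
```

On the sample body the first anchor passes (same registrable host) and the last is ignored (plain prose), while the four in between are flagged. Comparing hostnames from a real URL parser, rather than matching strings, is what defeats the `?proxy=` and backslash variants; plain-word text like "ebay" is deliberately left alone, since that is where the "where do you draw the line" objection starts.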
This sounds an awful lot like how software development in general works...
Isn't all software just some version of "Giving a mouse a cookie."?
I'm partial to a simpler and complete solution: just always force display of href text on hyperlinks, ignoring the markup that's between <a> and </a>. Nothing good comes from displaying the text/image instead of the actual URL; at best it's used (usually overused) for extra aesthetic touch that's not otherwise useful, at worst it's used by advertisers and scammers to lie to people about the link's destination (tracking links and phishing).
I also think mail clients should do that, or at least offer it as an option. Most mail readers have an option to disable loading remote content, and this would be another little way to make HTML email less dangerous.
I think (or at least hope) that most people are in the habit of hovering over links in email before clicking them. And I really hope that mail readers never start implementing Javascript. As for web apps, that's the Wild West, and a small fix like this isn't going to tame it.
Maybe, quite simply, have the option to parse <a> tags down to the format "Text - URL". If I remember correctly, some sites from way back had this sort of format occasionally.
At least Thunderbird seems to do that: when an email has an <a> tag with text that looks like a URL but doesn't match the href, it throws the "this email is probably a scam" bar above the message.
The real answer here is that tech companies are trying to solve this problem with tech - in an effort to cheap out on actually hiring some humans to look at the thing and verify that it's safe.
My eyeballs are not free. I hate advertising and advertisers. I have no pity for the advertising platform that cheaps out on security just because it's expensive.
> the mail client to check that, if the text of an <a> tag was a url, that the text matched the href field.
The use case that this breaks is doing click tracking on links using redirects from a unique url to the actual url (which would be the url displayed in the link text).
To avoid breaking this use case, the best remedy would be to prompt the user with a security warning upon clicking a mismatched link, prompting them to verify the URL in the URL bar. The issue is that doing this selectively teaches the wrong security practice to users: that they can improve their safety by looking at the link text rather than at the URL bar after clicking the link.
It's even been done to youtube.com before! Clicking ads is inherently dangerous, as they are allowed to show URLs which do not reflect the URLs they will actually route you to. You should never click on an ad.
This is a scenario that violates any reasonable convention of good web behavior, but Google won't fix it because the advertisers are how their bills get paid.
No. If you hover over a link in your web browser, regardless of what it says on the link, the hover text (often appearing at the bottom left of your web browser) should show you the real, full destination URL. Try hovering over any link in HN, and you'll see the URL you're going to actually go to when you click on it.
However, when you hover over a Google Ads link, it does not do this. It shows you a friendly URL for the destination (such as https://www.ebay.com) but when you click on it, you get redirected with a bunch of tracking stuff added or even through a URL not on the ebay.com domain, as shown in this "exploit". In fact, even if an advertiser were to use a "clean" link as the destination, you first get redirected on that click through a google.com URL, even though the hover text is still lying about the destination.
I'm not even sure what it's doing here, there's some neat JavaScript in play. The hover text shows the "clean" URL, but if I inspect it, and then hover over it again, it shows the real redirect URL through google.com.
Are there trademark infringement issues here, particular on Google's part? They are getting paid (probably a lot) to display this ad, and are explicitly allowing buyers to lie about their identity.
If I were eBay, I'd be getting my lawyers on this immediately. Every dollar getting paid to Google for this ad is a dollar out of my revenue, and a lost customer, and is illegal.
And eBay will be made responsible for damages. "I click on that ebay ad and then my computer was locked down and a hacker said I need to pay him to get my files back".
I feel like all the technical arguments here are besides the point. The ad is designed to take you to a page, which tells you a lie, to convince you to give them your money.
We already have a legal term for people that make money by misrepresenting something, it's called fraud.
Sure, you can tell me it will still be a cat or mouse game and that laws aren't gonna reach into whatever sort of clickfarm network exists far outside of US jurisdictions, but make it so people are held accountable for this kinda stuff.
I'm no fan of the carceral state; I'm not suggesting that we throw people in jail or drone bomb their server farm. Perhaps large fines and getting banned from making ads across any platform would work. I dunno, it just seems there are not many incentives against this sort of behavior in an ad-dominated internet.
In this case, the technical side is also at fault for allowing this (on every other website (well, aside from Google search results), the status bar shows on hover where you will be taken if you click), but I do agree that we very often talk about the technical aspect and not the legal one.
I don't know any country where anyone goes to the police when they had a malware infection. It's a little like countries where there is no point going to the police for theft: nobody was killed so the police has better things to do. Here too, if you're not a huge corporation with millions in damage, they won't even look at it, even if you supply logs that point to an IP within their jurisdiction. (Example of a few years ago in the Netherlands: employer was hacked, hundreds of customer websites taken offline, IP address came from a home connection in the same city as we were in, police took the report straight to /dev/null...)
The only way to get anything done legally is by starting lawsuits yourself, which doesn't work for criminal cases, but oh-so-conveniently works for online copyright infringement.
> We already have a legal term for people that make money by misrepresenting something, it's called fraud.
A nitpick, but if that was the definition of fraud, most of existing advertising would land people in jail. Unfortunately, laws around advertising are way too lax.
It's definitely not a technical problem, but the technical issues discussed are a symptom of it. They're enabling scummy behaviour in order to profit from it.
Well, I can certainly tell you my snakeoil will improve your skin (I'm not making any medical claims and this isn't FDA approved), but I can't advertise that a new study has found that all people named TeMPoral will die within 10 days unless they buy my vitamin with a 100% cure rate.
I agree with you both about advertising being generally an awful thing that is almost always solely designed to manipulate someone rather than give them information, and that the laws are too lax, but this sort of YOU HAVE A VIRUS advertising would be illegal.
(Then again it's barely any worse than the postal junk mail I get designed to look like a sort of official bank repossession notice trying to get me to buy some scammy insurance...)
Google are in complete control of the links on their web pages, so why shouldn't they be held accountable for it? Is there a reasonable argument against this that doesn't again boil down to technicalities? If they're paid money by fraudsters to facilitate the fraud and actively misrepresent the addresses of their links, they're in on it, as far as I'm concerned.
Every once in a while I'll do a search on Google from a browser with no blocker for something like 'ebay' or some other big brand name, and I'm always surprised to see that the big brand name has bought ads for itself. It never made sense, since they're always the first search result anyway.
Now I can only assume two things...
1. Some number of those ads were scams
2. Some large number of people just blindly click on the first thing they see below the search box as long as it's close to whatever they search for.
Somewhat related... always surprised to see what search results come up in the iOS app store first for whatever app I'm searching for at the time. It's usually something else, like, search for Uber, first thing that comes up is Lyft.
If a large brand like Uber wouldn't buy (really expensive) keywords like "uber", some of their rivals like Lyft could bid on it. So Uber would lose a customer who was really interested in Uber to Lyft. Exchange company names how you like. It's especially expensive for shops etc.
Google will not change any rules to forbid bidding on brand names because they are making a ton of money off it. Think of something like Amazon paying more than $1 for every click just to not lose any potential customer. AdWords is a money burning system.
Interesting note -- Amazon does not allow you to bid for a competitor's brand name, nor does it allow you to use your competitor's brand name as a keyword.
In my experience, you can try, but you'll get 0 impressions. Not sure how this works for very generic brand names though (e.g. "band-aid")
Bidding on your own company name is very cheap because your site has a very high quality score for that keyword (i.e. Google's algorithms think the user's query will be answered by going to that domain).
A high quality score gives you an effective discount in the ad auction. You might only need to pay $0.01 for that ad, whereas your competitor would need to pay $1.
>> Google's algorithms think the users query will be answered by going to that domain
That's BS semantics. Their algorithms are based more on the age of your domain and other technicalities, rather than some hypothetical meaning of "search intention".
Today you're much more likely to get directed to some SEO-optimised highly monetised blog content because they bought an incredibly old domain name rather than what you're actually looking for.
It may be that the bidder is an affiliate that gets a commission on your purchase, not the brand owner. They're just trying to get last click on the thing you were about to buy anyway.
I worked in AdWords 12 years ago and this was dominant. Not sure how it is today.
> Somewhat related... always surprised to see what search results come up in the IOS app store first for whatever app I'm searching for at the time. It's usually something else, like, search for Uber, first thing that comes up is Lyft.
When this happens it's usually an ad, isn't it? Unfortunately, ad blockers don't work in the app store.
It used to be that on some web browsers, the background color for AdWords and organic search was hard or impossible to distinguish. eBay is paying for placement and it also wants to mitigate potential issues where the organic result is not their site; they have top of page presence (if adblocker is turned off).
By controlling more screen real estate you will get even more clicks to your website. Given the incremental cost for a nav query is so low for the first algo it is a good decision.
My project has been having fake ads bought on Google to serve malware for a year now and Google doesn't seem to care. At best they might take down one ad, but there are always more.
If you're in the US[1] you can trademark your project name, and then Google will pay attention. Of course getting a trademark isn't that easy either so the solution may be worse than the problem.
[1] Back when I worked in the business this was only possible in the US, for legal reasons I didn't fully understand.
I'm sure it's easy to find their bot IPs too. Just make a bunch of terrible ads that nobody will click and see who visits the url.
Google needs to abolish this link policy, I don't see how it's enforceable.
Heh, makes you wonder, what's the ad policy? Sounds like: 'They pay us money, so must be legit?'
Google's solution ensures that the marketing people get what they want without the technical people standing in the way.
For this purpose there's a lot of room for false positives. It doesn't matter if some actual users actually get redirected to ebay.
And where do you draw the line? Should it flag a link with text "htp://ebay.com" that goes somewhere else? "ebay" with a href somewhere else?
There's no technical workaround to educating users.
I, personally, would be quite happy for this use case to break.
I mean, can you honestly tell me you read the Google privacy notice, or do you just click the down arrow till the OK box appears?
Phishing attempts will mimic real emails, so they will do the same.
https://en.m.wikipedia.org/wiki/Rosetta_Stone_Ltd._v._Google....
Pretending to be a competitor clearly violates trademark law. But I somewhat suspect these fraudsters aren't that concerned with trademark law.
1. https://twitter.com/sephr/status/1056626456770428929
2. https://twitter.com/sephr/status/1055751684146655232