Virus writers have been gaming Google's "sponsored links" -- the paid ads shown alongside search engine results. They are aiming to get their malicious software installed on the computers of users who click on ad links after searching for legitimate sites such as BBBonline.org, the official Web site of the Better Business Bureau.
Sponsored links allow customers to buy advertisements attached to a particular search term. When a Google user enters a term into the firm's search engine, the ad belonging to the advertiser that bid the highest price for that search term appears at the top of the list of search results.
According to a report at Exploit Prevention Labs, while the top sponsored links that showed up earlier this week when users searched for "BBB," "BBBonline" or "Cars.com" appeared to direct visitors to those sites, they initially would route people who clicked on the ads through an intermediate site. The intermediate site attempted to exploit a vulnerability in Microsoft Windows to silently install software designed to steal passwords and other sensitive information from infected PCs. The attackers exploited a flaw in Microsoft's Internet Explorer Web browser, a problem that the company issued a patch to fix last June.
As Exploit Labs's Roger Thompson notes in his blog, the bad guys behind the attack appeared to capitalize on an odd feature of Google's sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.
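The problem Thompson describes is that the user has no easy way to see where a sponsored link will take them first. A defender auditing a page can recover that information from the markup itself: compare the domain shown in the link text with the host the href actually resolves to, and look for a second URL tucked into the href's query string, which is how a hop through an intermediate site usually shows up. The following is an added example written for this article, not code from Security Fix, Exploit Prevention Labs or Google; the sample HTML and the host name intermediate.example are constructed for illustration.

```javascript
// Added example (not from the original article): audit anchor tags in a page
// fragment and flag links whose displayed destination does not match the host
// the href actually points to. Runs offline under Node on the constructed
// SAMPLE_HTML below; no real ad markup is used.

const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;

// Hostname of a URL, or null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Pull a bare domain out of the visible link text, e.g. "www.bbbonline.org"
// or "http://cars.com/". Returns null for text such as "Click here".
function displayedHost(text) {
  const plain = text.replace(/<[^>]+>/g, '').trim();
  const m = plain.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:\/\S*)?$/i);
  return m ? m[1].toLowerCase() : null;
}

// Hosts of any full URLs carried in the href's query parameters: the usual
// sign that the link bounces through a redirector before the advertised site.
function embeddedHosts(url) {
  const out = [];
  try {
    for (const [, value] of new URL(url).searchParams) {
      const h = hostOf(value);
      if (h) out.push(h);
    }
  } catch {
    // unparsable href: nothing to report
  }
  return out;
}

// Return one finding per anchor whose shown domain differs from the real host.
function auditLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1];
    const realHost = hostOf(href);
    const shownHost = displayedHost(m[2]);
    if (shownHost && realHost && shownHost !== realHost) {
      findings.push({
        href,
        shown: shownHost,
        actual: realHost,
        viaRedirectParam: embeddedHosts(href).length > 0,
      });
    }
  }
  return findings;
}

// Constructed sample: one honest link, one that advertises bbbonline.org but
// first lands on intermediate.example (a placeholder host), one with no domain
// in its text.
const SAMPLE_HTML = `
<a href="https://www.bbbonline.org/">www.bbbonline.org</a>
<a href="http://intermediate.example/go?u=http%3A%2F%2Fwww.bbbonline.org%2F">www.bbbonline.org</a>
<a href="http://www.cars.com/">Click here</a>
`;

console.log(JSON.stringify(auditLinks(SAMPLE_HTML), null, 2));
```

Only the second anchor is reported: its text advertises www.bbbonline.org while the href resolves to intermediate.example, and the `u` parameter carries the advertised site as a second URL, so `viaRedirectParam` is true. The third anchor is not flagged because "Click here" names no domain to compare against; a link like that is opaque to this check and would still need its real destination inspected.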
According to Thompson, Google has taken down the offending sponsored links. In fact, searching for "betterbusinessbureau" in Google no longer turns up any sponsored links at the moment.
This certainly is not the first time virus writers have used ads to spread their wares. Last summer, Security Fix discovered that more than a million Windows users had been infected with spyware thanks to a malicious banner advertisement shown for several days on high-traffic sites like MySpace.com and Webshots.com.