On Google Hacks and Product Pitches

A press release arrived this morning with a subject line that caught my eye: “Google Adwords Falls Victim to Cyber Criminals.” While I’m always interested in who’s compromising what, I tend to be skeptical about such emails. Most are sensational attempts at a back door product pitch.

Indeed, this was no exception. The release said researchers at Exploit Prevention Labs had uncovered a scheme whereby hackers registered a domain, smarttracker.org, and opened a Google Adwords account. But the account was devious. On certain searches, results were engineered so that a trusted hyperlink like the Better Business Bureau would be displayed in the Adwords space. But when a user clicked on that link, they were first redirected to smarttracker.org, which attempted to insert a keylogger on the user’s machine. Read about it on the company’s blog, here.

Such a scheme, not new, not terribly sophisticated, is almost purely a social attack. Indeed the only malicious elements of the attack are the technical elements: the keylogger and the deceptive redirect. Trivial stuff for malicious hackers. As of this writing, there was no news on Google’s site about the scheme. The researcher says that Google has terminated the account. Of course, that doesn’t fix the problem.

Indeed, defending against such a scheme relies on two components: One, savvy users, and you’ll never have 100 percent awareness against social engineering, especially subtler versions of it like this. And two, it relies on verifying that all hyperlinks in Google Adwords either go to where they say they go or redirect responsibly.

And what do you know, isn’t that just what the vendor that discovered the scheme, Exploit Prevention Labs, sells. Their product verifies links are legitimate and offers “complete, real-time” protection against social engineering attacks. The press release offers a trial download.

I have mixed feelings about this. First, discovering and disclosing schemes like this is good. It forces vendors to improve their security.

But on the other hand, with product to push, the researchers are not independent and everything they do must be met with a skeptical eye. Think of it this way: How would you treat news that Coca-Cola’s research department had discovered health benefits to drinking soda? It’s a fine line between simply researching vulnerabilities and engineering them. Creating “proof-of-concept” vulnerabilities that aren’t in the wild is a great way to drum up business. “It may not be out there yet, but we’ve proven it could be” is the message.

A vendor’s job is to make money. It has a vested interest in sensationalizing problems to get people to buy a particular cure. The effect of this is to skew research toward the problems the vendors happen to address. It takes vulnerability out of its broader context. For example, Cross-Site Scripting (XSS) could be considered a far more prevalent and more serious vulnerability on the Web than this Adwords scheme. (For more on XSS, check out The Chilling Effect). But few vendor research departments are publicizing the fact that XSS vulnerabilities can be found in millions of Web sites y because it’s such a difficult problem to address with products. The problem is similar to one found in the pharmaceutical industry. Drug companies’ research doesn’t necessarily follow what diseases are in most dire need of treatment or cure. It follows what those companies suspect will be profitable research. Thus, while a cure for malaria seems possible, companies are busy creating drugs for “restless leg syndrome.”

Do most security researchers at commercial companies act judiciously when discovering and disclosing vulnerabilities? Probably. It’s probably smart to maintain a healthy skepticism, though. And, for now, be careful with Google Adwords.

–Scott Berinato