From the Washington Post:

Virus writers have been gaming Google’s “sponsored links” — the paid ads shown alongside search engine results.

According to a report at Exploit Prevention Labs, while the top sponsored links that showed up earlier this week when users searched for “BBB,” “BBBonline” or “Cars.com” appeared to direct visitors to those sites, they initially would route people who clicked on the ads through an intermediate site. The intermediate site attempted to exploit a vulnerability in Microsoft Windows to silently install software designed to steal passwords and other sensitive information from infected PCs. The attackers exploited a flaw in Microsoft’s Internet Explorer Web browser, a problem that the company issued a patch to fix last June.

As Exploit Labs’s Roger Thompson notes in his blog, the bad guys behind the attack appeared to capitalize on an odd feature of Google’s sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google’s sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.

According to Thompson, Google has taken down the offending sponsored links. In fact, searching for “betterbusinessbureau” in Google no longer turns up any sponsored links at the moment.

Nasty stuff.  

This is important to Google and users because it undermines trust in clicking on Adwords links.  (The problem isn’t unique to Google, of course– a similar exploit used banner ads earlier.  )

Your odds of stumbling across a malware site at random or in organic Google search results are low, since the bad guys typically don’t have a good page rank.  But with sponsored links any bad guy can be at the top of the ranking, and a quick redirect can conceal the fact that anything happened.

Advertising networks and search engines need to check linked pages for viruses and phishing, just like software download sites do.

I’ve been thinking that if a search engine wanted to compete with Google, security, privacy, and openness might be a good way to do it.

What if you could use a search engine that offered decent relevance while also guaranteeing:

• Security:  automated probing of sponsored and free links to ensure that the destination page doesn’t attempt to install spyware or viruses.
• Privacy: no logging of search terms or cookie tracking.  No attempt to correlate activity across sites.
• Openness:  an open REST API for accessing the search results under a clearly defined and affordable pricing model.