Hacker News new | past | comments | ask | show | jobs | submit login
Google will warn users when sites contain social engineering ads (techcrunch.com)
151 points by PirateDave on April 12, 2016 | hide | past | favorite | 90 comments



From the article: "Others pretend to be “Download” or “Play” buttons, as if clicking them would provide access to the video content or stream the user had wanted. "

These are actively being served through Google Adsense, right now.

Here's a few example, live sites, where I see "Download" buttons in an ad, in a context that would be confusing.

http://www.getpaint.net/index.html

http://downloads.tomsguide.com/PaintNET,0301-4883.html

http://filehippo.com/download_paint.net/


I see fake download buttons, full screen ads, ads opening new windows/tabs, and ads opening Google play automatically from Adsense on a regular basis. I gave up reporting them years ago.

I only see them when using chrome on Android these days. I generally use Firefox with an ad blocker on both windows and Android to combat it. I disable on some sites to support them, donate where I can, subscribe to YouTube red/Google music, etc to be sure I support content.


> ads opening Google play automatically from Adsense

Are you sure they are ads, and not the site redirecting you based on your useragent? I've had some sites that have apps do that, but I've never had an add automatically direct me to the Play store before.


It debuted when Google added the ability to do direct link ads to Google Play. And it's been on larger sites that use Google AdSense to fill excess inventory.


Yes. I ran into this problem with one of my websites. Turns out, a lot of websites in NL were having the same problem. I guess it's coming through one of the thousands of other advertising networks that are using the Adsense auction.

It's still happening now and then, so Google is fixing the problem in the wrong place.


It's really weird that Google isn't dealing with them. Maybe they're geotargeting everywhere-but-Mountain-View or something? Malware ads on AdSense are neither uncommon nor subtle, but Google's acting like they're not there.


It's really weird that Google isn't dealing with them

It's never "weird" for a company to choose not to attack its own revenue base.


Except Google knows that low-quality ads are driving people to ad-blockers


Exactly. Adsense had this problem in the Netherlands and it turned a lot of my visitors to ad blockers, even though advertising on my website was meant to be subtle.


> These are actively being served through Google Adsense, right now.

There should be a button to report them. Please report them.


There's no reporting option for 'abusive/fraudulent'. And reporting ads doesn't result in a reduction in the number of fake download adverts that I see. Blocking all ads does. I choose the latter.


Sure. But it's just funny that Google's approach is to mark these sites with big red warnings when Google itself is the source of the actual problem.


The ads are the actual problem. It's entirely possible this is a stopgap solution while they flag the client for manual auditing (or whatever)—manual auditing doesn't scale, so I suspect this is going to be more successful at preventing abuse in the short term.


The problem is that Google has built most of it's products and business around the concept that they can automate away manual intervention. I think they are quickly starting to discover how faulty that concept is.

Some of the "AI" startups that mix automated intelligence with human fallback have probably got it much more right: Sometimes, you need people.


Regardless, I think the warning is better than no warning. Again, we don't know the process behind the scenes.


If Google believes any of their ads on the page are questionable, Google should simply not display those ads.


Yep. But spam detection and flagging is a hard problem. Google tries to detect and flag malicious creatives and stop them from serving, but it's not perfect. (I've touched that subsystem in a past life).


If their system finds a site displaying a misleading ad, and it's a google ad...

Why is the action to flag and penalize the site? Why would the action not be "google stops showing that ad"?


When it's detected on the ad serving side, the action is "google doesn't show that ad". This is not something that a user will generally notice.


Consider the likely interaction: (a) Spammer tries to figure out a twist on the ad that makes it through the inappropriate ad filters. They keep at this until they get an image or wording that works. (b) Slightly different system goes and tries to find malicious sites. It detects a site where the spammer managed (a) successfully, because it uses some different methods of identifying the bad stuff.

I don't find this kind of result surprising at all, particularly given how big Google is. If the site safety team is different from the don't-show-evil-ads team, it's almost an inevitable result, at least, in some point in the evolution of the system(s) and processes involved. It does point out some improvements that are needed.


I still don't get it. It's like the city randomly testing drinking fountains for lead, then issuing penalties to businesses, when the city municipal supply is the issue. Sure, shut down the water, but don't penalize victims.

That same scraper that's flagging the site can see the adsense block, see that image url for the offending image is "googlesyndication.com/some/image", etc. As far as I can tell, enough info to map directly back to the entity paying for the ad to show.


Is there? I see two buttons, one that opens a page describing Google Ads, and one that lets me hide it. After hiding an ad, it asks me what was wrong, and gives me the option of Repetitive, Irrelevant, or Inappropriate. None of those seem to fit with reporting abuse.


Sure! Would you mind fixing my revenue generator for free while you're at it?


How do you report them? I see an ad with a fake download button right now. http://i.imgur.com/qJs2CO7.png

Edit: I found the feedback form: https://support.google.com/adwords/troubleshooter/4578507


Yeah google either is not doing a good job here, or they should state whether they have a relaxed stance on that.


Where do you see the button the www.getpaint.net? This is all I see and it looks legit [1]

[1] http://imgur.com/S8iV9cX


I think you are blocking ads. I am too and that's what I see. From a device not blocking ads this is what I see:

http://imgur.com/yZDK7og


It's also tricky because ad bids come and go, Google does personalization, etc. But, I see what you see pretty reliably if I use an incognito window (no personalization).


Yep definitely blocking ads. That is insanity without. 8|


A new trick is to use so many trackers that it won't fit on the screen when listing them all:

http://i.imgur.com/AauOwVB.png

(This is from a site which detects adblockers, and begs you to turn it off, because it's killing their business model)


I swear imgur redirected me to an album page earlier.

But now https://i.imgur.com/AauOwVB.png it works. Strange.

Ads like the paint.net ad runs afoul of

> Mimicking site content, news articles, or text ads

> Google doesn't allow ads that mimic publisher content or layout, or news articles and features. Ads may also not contain screenshots of Google AdWords text ads or otherwise simulate an AdWords text ad in any way.

https://support.google.com/adwordspolicy/answer/176108?hl=en


It showed me an album page on Android too. And a Google ad for a free to play Flappy Bird clone (called Flappy Bird).

Clicking on the ad I was greeted with a landing page, with tiny gray jpeg letters telling me that this free game service costs only 5 Euro a week (automatic renewal). The company behind it, Mobster Ltd. leads me to a dead end on Cyprus and a whole lot of internet complaints.

So please do not click that link or Google may be forced to block imgur. Sorry.


From Wikipedia[0]:

> Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Honest question: When you take a look at the "manipulation of people into divulging confidential information" part, wouldn't this, by definition, incriminate the vast majority of the modern ("Internet 2.0") web, WRT unremovable-cookies, tracking, "analytics", and so forth?

I fully admit there is a difference between downloading a random AdobeFlashPlayerUpdate.exe or MacKeeperApp.dmg from a malicious site and having all your personal data and information about you sent off to a 3rd party company......but where do we(or Google, here) draw the line?

Just last week, Facebook started gleaning contacts from my phone and injecting them into the "People you may know" page - these were people I did NOT want on my Facebook - ranging from business contacts to tinder matches. I knew this was (sadly) standard behavior for users of the Facebook App, or users of "Facebook for Mobile", but I have never given my phone number to facebook, not once, and I only access it via a mobile browser.

Is it social engineering to see my recent searches in the Amazon app on mobile reposted on Facebook on my desktop Web browser?

[0]: https://en.wikipedia.org/wiki/Social_engineering_(security)


IIRC, you have to auth to Tinder with a FB account. Not saying that nothing shady is happening, because I believe it is, but note that there are hundreds of ways for a company like FB to connect the dots. Post locations, event invitations, friends of friends, searches, ads/trackers, even your behavior/patterns on the site. The only real options, IMO, are to delete FB or accept the uphill battle.


IIRC, you have to auth to Tinder with a FB account.

Wow. Just wow. That seems like such a horrifically bad idea. The worlds represented by FB and Tinder are almost diametrically opposed and I imagine that people who use both would never want any mixing. We are one FB bug away from some serious embarrassment.


Fun fact:

Tinder (as of my last login last year) displays an user liked pages along with their interests and then only their first name so that there is some "privacy".

I used to put all that data through Facebook Graph search and it would get me their full name and contact information, which in turn would lead me to their email address, which would lead me to their addresses or phone number.

Fun, fun time. It's a good thing that I am not the kind of person who would abuse of such things.


Mind-boggling indeed. I guess you could do worse by using your FB auth on Ashley Madison, but not by much.

> We are one FB bug away from some serious embarrassment.

FB has been squirreling away phone and credit card numbers for awhile, along with DoBs, family members, birth cities, and pet names (i.e. "answers to common security challenge questions"). I wouldn't be surprised if a lot of this information has already been stolen, and is being used for things worth more than a bit of embarrassment.


I believe part of what I'm seeing is a facebook bug. Namely, they are supposed to see me show up on Facebook, having given FB permission to peruse their contacts, but I'm not supposed to see them, if that makes any sense (permissions granted, and what not).


This is correct, however, the exchange of phone number has to be parsed through the text exchanges on the app (regex dashes and 10-11 digits....simple yet creepy), validated with an actual person (no fake numbers!), and Facebook needs permission from tinder to process such information.

As developers this isn't hard to implement, but it is a bit extreme.

There is also the question of business contacts, whom I have only had connection with via Voice Call and Text message (no external app and permissions given), showing up in my feed. Of course, this could be permission given on THEIR side that is reciprocating on my end, but again, this implementation is also extreme (ly possible).


It's worth remembering that this is the pain point Adsense and Adwords originally solved for by only allowing a title, 2 lines of text, and a URL. And they did it so well they disrupted/killed a mutli-billion dollar industry of online flash ads practically overnight.

And then they become that problem by taking on flash ads a few years ago.


It's not a flash ad problem. I have seen auto-expanding ads on Android phones without flash. I'm guessing HTML5 banners with javascript in them, but it's hard to find out if it happens only once every couple of days and only on mobile, where you can't look at the source of all scripts once it happens.


I think their USP was contextuality, no?


The contextuality came later once they had built out the backend systems and proven the core idea worked.


I would say no, but then, everything advertisers say works seems to have the exact opposite effect on me, so what do I know...

I mean, the last thing I want out of ads is targeting. Nobody needs to tell me to buy things I already like.


What about on their own sites? Like YouTube?

Yesterday I just saw a banner ad on a YouTube music video - from Google AdWords - that was alerting me I may need some "Drivers" for my machine and I should get them from some suspicious company called TechSoft or RealSoft or something like that. It was the "dying car alarm drops a sick beat" extended remix if that's of any interest.

I did take a screenshot but don't have it handy right now.


I regularly see ads during Youtube videos for what I would assume to be malware -- "driver updates" and the ilk. It would be nice if Google would get their own house in order.


Why should Google get it's house in order? The best part about being a monopoly is everyone has to deal with you whether they like it or not. ;)

And they can punish other people's websites for having malicious ads, including Google-sourced malicious ads, because that totally solves the problem!

This comment was thick with sarcasm.


Because people start using Adblock and sucking the life out of their business. I just deployed adblock across the entire organization I work for as a basic security measure.


The only time I have been bothered with these kind of ads, is when DoubleClick serves me those on my Android.

DoubleClick certainly is not the worst offender of this, but they are the biggest player. Is Google going to block/penalize the sites of their own customers? That would feel weird. Is Google going to block/penalize the sites of their competitors? That would also feel weird.


That's borderline comical. Sell customers Adsense and/or DoubleClick, then scrape the customer's site and flag it when your ad platform serves up questionable content.


Usually the burden to approve an Ad is on the network that hosts/serve the Ad. Google does require approval for all Ads you want to serve to Google Search or Google Display Network, as well as Ads you want to sell through Doubleclick Ad Exchange.

Doubleclick is actually a suite of different applications.

I suppose you mean DFP (Doubleclick for Publishers). This is a google product but it doesn't necessarily display ads from Google Network. With DFP you can show ads from Google but also other networks or even your own negotiated ads. So in other words even though it's a Google Product it's designed to give publishers freedom on which ads will be displayed. If you use DFP to only show ads from Google Network such as adSense you can rest assured these are reviewed by Google for such social engineering tactics.

I suppose they might block sites that use DFP to serve ads from other networks they can't vet and don't go through good review and were detected to contain bad Ads.


Google partners with these other networks (like Advertising.com and AppNexus). In the end it is their DFP .js code that invokes malicious ads/redirects. I blame the last in the chain, and I do not think that is unfair.

Not all ads on adSense are reviewed. Or, if they are, the reviewers are doing a poor job. Locally, and on mobile devices, I get adSense ads like: "Your device has a virus. Click here to download our anti-virus software for 4.99$." Then the page shows the "404 broken robot"-graphic (it is an ad on adSense network, which spoofs Google, and scares you into downloading a paid, probably worthless, virus-scanner).

I've reported numerous ads to Google over the years: Some competitors who were not playing by the rules, but also redirects to porn websites and the (locally) infamous: Your Whatsapp has expired! Enter your phone number, so we can mine that, and charge you weekly for a fake app.

> I suppose they might block sites that use DFP to serve ads from other networks they can't vet and don't go through good review and were detected to contain bad Ads.

Likely, but this seems weird (fix/penalize DFP partner networks first, don't penalize your users for using your own product). Also from a competitor sense: I am all for protection of users (use an adblocker!), but it does not feel right that a company with the resources of Google, finally manages to rid their own network of these malicious ads (let's say for sake of argument they have), then immediately puts the ban-hammer on their less resourceful competitor networks. Perhaps that is a side-effect of owning both analytics, the ad networks, and the browser people use to view those ads.


I may have been too harsh on Google. If Google implements: "Hey, this javascript ad code is trying to redirect to another domain, let's throw up a warning." then that would be great (no matter if it hits their own ads).

Google may also share information from SafeBrowsing with other companies, so they can opt to fix their stuff.

Also that what I may view as terrible ads, Google sees as companies gradually finding the razorsharp edge of their program policies.

For obvious reasons, we do not hear (or see) anything about the successful efforts to keep scam and spam away from their networks.


Typically at Google the teams in charge of a service like this and ads are pretty heavily fire-walled. After working there it would not at all surprise me if they did exactly that.


And Google's own Adwords ads looking more an more like organic search results and pushing the organic results further down the page isn't social engineering at all, right?


What's interesting is that this is moving more and more in the direction of the tried and trusted legacy yellow pages phonebook model.

In that model you got a free listing in a category or two but had to pay to get either additional listings (in other categories) or for an advertisement (of various sizes) in order to get phone calls. The rationale (in addition to making money obviously) was that there had to be a way to determine the serious people trying to hawk a particular or good or service from the casual players. The thinking was that if a person took out a listing or an ad saying they "sold recumbent bicycles" they must be doing that because they were willing to pay to say so. So the theory is if you pay for say something you must be fairly serious about what you are saying (in terms of things you are selling).


Google got the entire search business (including from those yellow pages) exactly because it wasn't a yellow pages company.

It showed people what they wanted to see, while other companies were focusing on what they were paid to show.


That's probably because people aren't by default searching the internet for services, but for information and news.


Ah, but without the loophole of naming your company "AAAAAAAAA Services" to land at the top of "organics" :)


My gaming of the system was putting a display ad with multiple phone numbers representing different areas of the city. Worked very well. Learned that by observing what other businesses did (in entirely different areas I might add) and figuring that must be the reason (since I knew they didn't have all of those locations). Yellow pages, at least for what I did (was a "well developed category") was instant business and paid off very well. I increased the ad size every year. In some cases ran a small and large ad after being told (correctly) that some people liked to deal with a small company and some a large company. I landed a big contract once with the larger ad when only 3 companies were asked to bid.

All this was well before the internet when there wasn't step by step guides and/or blog posts and things like this were never taught you either figured them out on your old or someone you knew was nice enough to tell you. (In the old days it wasn't typical to share info and secrets like it is today..)


Fun fact, in some northern european countries "aa" is sorted last in the alphabet :)


Why stop there? When a site contains the offending ads, push them down to page four of the results. The ads will disappear in a matter of days.


So, punish companies for using AdSense, one of Google's core services? As many have pointed out here, AdSense is a big contributor to these ads. It seems it would be pretty easy to weed out on the AdSense platform, since they have to be bidding on "download" as a keyword to be assigned to that page.


Finally a way for startups to compete with Google, when Google has to move all of their sites (YouTube, Blogger, etc) 4 pages down.


I assumed this is already the case, but it it isn't, it is an awesome idea!


Can't wait until Google has to block websites using AdSense because they themselves served such an ad through a reseller.

...or until they don't and have an Anti-Trust suit on their hands.


I didn't even know that there are ads that don't involve social engineering.


>[Update: Google published this news today on its corporate blog, but this was previously announced earlier this year. We’ve asked Google to clarify why it was republished, if that was in error, or if it represents any changes since the first announcement.]

This was previously discussed at https://news.ycombinator.com/item?id=11032270.


The actual news is this: https://security.googleblog.com/2016/04/improvements-to-safe...

Google's expanded it from just protecting users to also notify the network admin via https://security.googleblog.com/2010/09/safe-browsing-alerts...

(The "notify the AS owner" service existed before, but now it also notifies about social engineering content.)

[/end doing job of reporter who should have done it themselves.]


I'm not saying an ad-blocker IS the solution, but it works on blocking not only ads but making websites faster and safer.


Ad blocking IS the solution. To many many problems.


Well I block ads on my desktop so I'm not really seeing fake "download" buttons that often. On the other end what really bothers me on mobile (using the latest chrome) is ads automatically redirecting me to another site, happens quite regularly when I browse Google news. I don't really know if those ads use an exploit of some sort or if they consider I've clicked the ad when I only tried scrolling the page with my finger but that should clearly be checked. And it happens on well known newspapers websites, not that I was browsing some obscure shady part of the web...


Will they do that on their own sites too ? like youtube or blogger ? because yes, I got plenty of "Your computer is infected by a virus, Please call Microsoft hotline" popups from those.


I don't have Adblock on for Youtube and I've never gotten a popup like that. All of their ads are video ads. Are you sure you don't actually have a virus (that's causing the popups, not due to the message itself)?


The in-video popups (at the bottom, about 20% of the height of the video) very often advertise malware for me, too.


What hypocrites http://imgur.com/3Emyw5y


That's rich, coming from them. When I used mobile apps with ads, the majority seemed to be fake "update battery driver"/"uninstall virus" type nonsense. In flashing red and yellow.


I see this warning in effect on http://kat.cr in Chrome:

  Deceptive site ahead
  
  Attackers on kat.cr may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards).


Since sites like this are so ubiquitous, I wonder if users will see warnings like this so often that they'll start to ignore them and just click "proceed" without thinking.

It's definitely a step forward in the right direction, provided Google Adsense, well, adheres to their own company's guidelines…


This is a good start to solve an old problem. However they need to start filtering out their own ads. I don't know which is easier, catch them before it goes live, or after, but either way... that's something in the right direction.


Why warn? Why not simply drop/block them and notify the ad network/ad buyer?


Because then they’d hurt their own bottom line.


Hmm... I just saw this mess on Youtube today. An "Ads by Google" ad for some malware.

http://i.imgur.com/vQkjZWU.jpg


They count fake download buttons as social engineering. Excellent.


What definition of "social engineering" are you using?


I'd rather my adblocker deal with these instead of my browser.


Most people don't realize that Google's "Safe Browser" sends via Chrome & Firefox the URL of ever single URL you visit to Google; as far as I'm able to tell.



I've seen requests passed to Google, which is how I noticed it in the first place.

This source appears to show at least for downloads the browser is sending data to the API: "From Firefox 32 on, downloads are checked against the local list and a remote list if the local list does not return a hit."

SOURCE: http://www.ghacks.net/2014/07/23/prevent-firefox-sending-dow...


That article ends with a link to https://wiki.mozilla.org/Security/Features/Application_Reput... which contains:

>These lookups are Windows-only, because we rely on signature information in order to suppress remote lookups and signature APIs are only available on Windows. If the binary is unsigned or its signature does not match a known good publisher and the filename ends in a known executable extension, Firefox sends a remote lookup to the application reputation service.

This is more precise than your post including the quote.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: