Google, Microsoft Ads Link to Malware

Dennis Faas's picture

According to security firm Armorize Technologies, both Google and Microsoft ad systems recently linked to web sites containing malicious software.

Once an infected link is clicked, Internet Explorer automatically installs bogus software that claims the user's PC is infected, requiring payment to remove the alleged problems.

Santa Clara based security firm Armorize Technologies says that the bogus links appeared on banner ads provided through DoubleClick (owned by Google) and MSN (Microsoft). The ads did not appear on Google or Bing's search results pages, but rather on third-party websites that had sold the ad space via Google and Microsoft.

Links Exploit Microsoft Internet Explorer

The malicious links exploited security flaws in Internet Explorer and automatically installed a bogus scareware application named "HDD Plus."

Posing as legitimate security scanning software, the bogus application claims a user's computer is infected or has serious technical issues, and requests a full (paid) version of the software to remove the alleged infections. (Source:

Scammers Use Credit Card Double-Whammy

Many of the scams which operate online in a similar manner often use the double-dip principle: as well as getting the payment for a bogus upgrade, the scamsters behind the dupe also harvest credit card details of victims, though it's not known if this is the case with this specific piece of scareware.

Malware Spread Likely Due to Oversight

The bogus links were detected by Armorizes' security service, HackAlert.

At first, the security research team believed that the bogus links were coming from a legitimate ad marketing company AdShuffle; however, further examination revealed that domain name was "" (note the extra 'f'').

That confusion looks to be the most likely reason that the ads were verified as "OK" and passed onto both Google and Microsoft's ad networks, though at this point it's speculative. An automated and computerized verification would have picked up the deliberate misspelling of the domain name, which suggests that the scammers running the bogus links succeeded in fooling a human ad representative.

HDD Plus, Others Likely to Continue Spreading

Armorize says it was "very surprised and impressed with the speed that DoubleClick acted" after being informed of the bogus ads. (Source: That said, the scam itself has in no way been eradicated and is expected to continue through the holidays using other ad networks and bogus websites.

Rate this article: 
No votes yet