I received an email this morning notifying me that a new email address had been added to my PayPal account. I recognized it as routine phishing spam, but it was interesting because the destination URL was on a Google domain. Looking at the URL showed that the spammer was redirecting clicks through the Google AdWords system to his own server to capture the mark. The redirection destination was passed via a parameter called "adurl" and had a strange value: a bare IP and a wacky port, which I thought was odd because I didn't think Google would approve an ad pointing to just an IP. On a hunch that they hadn't actually approved it, I wondered…
Can you redirect Google ads anywhere you want?
To test this idea, I substituted several different destinations in the "adurl" parameter. After successfully sending clicks to eBay, Yahoo, and threadwatch.org, it was apparent that you could 302 traffic to any destination you like via the Google domain.
In the text box below I included the URL that was sent to me.
If you copy it and replace {ADD-A-COMPLETE-URL-HERE} with a URL, you can see exactly what I describe.
Some other observations:
- Requests made without the parameters "ai" or "sa=l" result in an HTTP 400 response.
- A cookie called "Conversion" is set when you are redirected to the destination.
So the answer is yes: you can redirect Google AdWords ads anywhere you want by changing the "adurl" parameter.
That raised the next obvious question: did the spammer use his or her own ad to do this, or…
Can any advertisement be redirected like this?
To test this I went to Google and searched for several items that generated AdWords advertisements to the right of the search results. I then copied their URLs and observed that they had the same structure as the link sent to me in the spam email. I replaced the "adurl" parameter with my own destination and, sure enough, my browser was 302'd to the destination of my choosing.
So the answer is… yes.
Finally, now that we know anyone can be redirected anywhere using any AdWords advertisement…
Who gets charged for the click?
To find out, I set up my own ad campaign using an obscure combination of words to ensure only I would be clicking on the advertisement. I then waited until the ad showed in the SERPs, copied the URL, changed the landing page to threadwatch.org, and clicked through five times to see what happened. Given the current click-fraud controversy it will be interesting to see the results. So far there have been no charges (it's been a little over an hour).
Conclusions
Google needs to check its adurl parameter more closely to make sure it matches the ad's target domain, or remove the parameter altogether.
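The check the conclusion asks for, as an added example that is not the post's or Google's code: a click handler that only issues the 302 when the adurl host matches the destination registered for that ad, and that rejects the bare-IP and odd-port destinations that marked the spam link. The click URL shape, the ads.example host, the ad ids and the registry are all assumptions made for the illustration.

```python
# Added example (not the post's or Google's code): validating an ad-click
# redirect parameter against the destination registered for that ad.
# The click URL format, the "ads.example" host, the registry and the
# ad ids are constructed for this illustration.
import ipaddress
from urllib.parse import parse_qs, urlparse

# Hypothetical registry: ad id ("ai" parameter) -> approved landing host.
AD_REGISTRY = {
    "ad-123": "shop.example",
    "ad-456": "www.threadwatch.org",
}

STANDARD_PORTS = {"http": 80, "https": 443}


def is_bare_ip(host: str) -> bool:
    """True if the host component is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def resolve_click(click_url: str) -> tuple[int, str]:
    """Return (status, location_or_reason) for a click URL.

    302 only when the adurl host equals the host registered for the ad;
    400 otherwise, mirroring the post's observation that requests missing
    "ai" or "sa=l" already get a 400.
    """
    qs = parse_qs(urlparse(click_url).query)
    ad_id = qs.get("ai", [None])[0]
    if ad_id is None or qs.get("sa", [None])[0] != "l":
        return 400, "missing ai or sa=l"
    approved = AD_REGISTRY.get(ad_id)
    if approved is None:
        return 400, "unknown ad id"
    target = urlparse(qs.get("adurl", [""])[0])
    if target.scheme not in STANDARD_PORTS or not target.hostname:
        return 400, "adurl is not an absolute http(s) URL"
    if is_bare_ip(target.hostname):
        return 400, "adurl host is a bare IP"
    if target.port not in (None, STANDARD_PORTS[target.scheme]):
        return 400, "adurl uses a non-standard port"
    # Exact host match against the approved landing host; no suffix tricks.
    if target.hostname.lower() != approved:
        return 400, "adurl host does not match the registered destination"
    return 302, target.geturl()
```

The same bare-IP and non-standard-port checks are what a mail filter would apply to an inbound link before trusting the ad-network domain it sits on.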
WOW. That is incredible. Please keep us updated on the charges situation.
I think they are smart enough to filter out your IP on your own ads. If you have a dial-up account, try a click that way. Proxies should work but are still open for debate. If you want to email me the phrase I'll try and register a valid click for you.
[...] This post is a follow up to my last post about a method of using adwords in email spam. [...]
[...] If this is what someone I met at SES China means about getting a link from Google.com, I’m not impressed :) I know it’s a redirect, but let’s just test if any of the search engines pick it up as a link. [...]
This trick also worked with Overture back in the day..
very black..
I think Google has nixed this now; it doesn't seem to be working when I set up my own test account. No charges as of now.
The Google Support Team will solve the bug very soon…
It has been sorted; it does not work.