Google’s fight against malicious adverts

Graham Cluley
Graham Cluley
@[email protected]

Virus Bulletin 2009 conference
When much of the world using Google umpteen times a day as their window to the web, it’s important that dodgy links appearing as search results are kept to a minimum.

Eric Davis, who heads up the anti-malvertising team at Google, has just given the keynote address on the opening day of the Virus Bulletin conference in Geneva.

Malvertising is the word that some are using to describe “malware+advertising”, and typically involves criminals exploiting ad networks to their financial advantage. We recently saw a scareware campaign being distributed via malicious adverts on the New York Times website, for instance.

As Davis points out, most malware ads are made with Flash. That’s not surprising – after all, most adverts are made with Flash.

Sign up to our free newsletter.
Security news, advice, and tips.

And criminals also exploit known brands with their malicious adverts – creating dopplegangers of established firms or creating adverts that look respectable.

However, a bogus advert doesn’t have to use Flash, and it doesn’t have to exploit a third-party ad network from the site it’s appearing on.

TechCrunch reported yesterday that users who Googled for “Firefox” were presented with a sponsored ad that posed as a link to Mozilla’s site, but in fact directed users to a third-party site that tries to fool users into paying $2.50 per month for what should be a free copy of the browser.

Bad Firefox advert on Google. Source: TechCrunch

Although the ad looks like it will take you to Mozilla’s official Firefox website at, it actually takes you to

A quick WhoIs lookup suggests that it’s unlikely that this is an official Mozilla website (the registrant claims to be based in Tibet, and it seems the site was only created two days ago). registration information

Furthermore, the site is abusing the Mozilla brand and Firefox name to try and trick surfers out of cash for “24/7 Expert Customer Support”.

Hmm.. with so many millions of Firefox users around the world, I would think it wouldn’t be that hard to get free tech support from fellow surfers if you were having difficulties with the program. That should have rung alarm bells, but because the ad looks to all intent and purposes to come from Mozilla and has been given the thumbs-up from Google it may have fooled some.

My guess is that when the shysters bought the sponsored ad they initially did link it to the real Mozilla site (which would probably have passed by Google’s standard checks without any eyebrows being raised) but at some point the destination URL was switched over to the bogus webpage.

I suppose we should be grateful that the bogus webpage didn’t try and install malware too.

The challenge of malicious adverts is one that is affecting more and more websites, and it’s clear that right now a strong enough way of pre-filtering them before publication simply isn’t available.

Google has, however, set up a website – – which is designed to assist websites using ad networks conduct quick background checks, that may find evidence of possible attempts to distribute malware through advertising.

In the meantime, as the advertising industry investigates with the computer security industry how it might find a better way to handle this problem, you would be wise to keep your wits about you and ensure that you have up-to-date security on your computer checking every webpage you visit for dangerous code and links.

Update: The offending ad has been removed by Google for violating a number of policies.

* Image source: TechCrunch

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.