At some point, most people have had some sort of encounter with internet scams, viruses, spyware or other security problems. Hackers and scam artists are a pervasive reality in today’s world and making assumptions about security is unwise. A pay per click account makes an attractive target to a technically savvy criminal and gaining access to someone’s account allows them to promote their schemes at someone else’s expense.
Originally trained in Network Security, I have always taken such
precautions very seriously and now even more so, since a recent
fraudulent act affected one of our client’s accounts.
Early this
summer I arrived at the office on a Monday morning and proceeded to
check my weekend mail. Two emails caught my attention right away. The
first from AdWords, informing us that the client’s credit card was
declined and the second, from the client asking ” What is the campaign
“Qwasde” – Campaign #1″?
Upon reading that came the realization
that this account had been hacked. This was further confirmed by a
review of the account’s recent activity. I discovered that on the
previous Friday someone had created this new, innocuously named
Campaign #1 with a daily budget of $7000. It contained only the single
“Qwasde” ad group, with a single ad:
No doubt this was intended to phish for bank account details of anyone unwisely clicking on this ad.
This
hacker was pretty slick. The whole scam was set up late in the day on
Friday, when it was less likely to be detected. The domain the ad was
directed at was registered in Australia to a “resident” of New Jersey.
The website was put up on Friday and gone by Monday morning and in 2
days the ad generated $13,000 in click charges.
I immediately
called Google and an investigation was initiated. They agreed this
looked like fraudulent activity and promised to contact us with their
investigation results within a few days.
Concerned about the
means by which this person gained access, I checked my security for any
indications of a breach. Finding nothing unusual in my own logs, I then
contacted the client with instructions for locking down and cleaning
his computer system, advising him to change any sensitive passwords in
case his system was infected.
Google got back to us a couple of
days later confirming the results and promising to refund the client’s
money. This was good news, as it appeared the fallout from this would
be limited to a loss of only a week or so in the client’s Google
marketing initiative. In reality though, this had a far greater impact.
According
to Google, the account needs to remain inactive until the refund
process reaches completion. This took place nearly 2 months ago and
still there is no sign of the refund. The account is still frozen.
Google has no ETA on completion of this process; apparently their
refund department has a huge backlog, due to the numerous email
phishing scams that keep cropping up.
We still haven’t figured
out how the breach occurred. For my part, I think it’s possible the
client inadvertently became a victim of the phishing scam.
This scam is similar in some respects to the Paypal phishing scam
of 2 years ago. It’s pretty slick and can easily fool the uninformed.
In fact, another of our clients with an AdWords account received an
email some months ago asking me what to do with it and I had them
forward a copy of the email to me. Thankfully, they hadn’t clicked on
the link, as it was indeed one of these scams.
Here is the email they had received:
—–Original Message—–
From: Google AdWords [mailto:adwords-noreply@google.com]
Sent: Sunday, May 25, 2008 4:49 PM
To: xxxxxxxxxxx
Subject: Google AdWords Account Verification Email
Dear Google AdWords customer!
In order to confirm your contact details, please click the link below:
Google AdWords Form
This should take you directly to the Google AdWords Form.
Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.
Sincerely,
The Google AdWords Team
————————
This
particular scam differs from most emails of its kind because it looks
like a legitimate AdWords support email. Also it lacks the spelling and
grammatical errors common to spam n’ scam emails.
There is a tell tale flaw though:
In the original email if you
mouse over the link, you would see it is not actually pointing to
google.com but rather to google.com.adwdl.org.uk, a completely
different domain and unrelated to Google.
Other email variations
report imminent account closure unless account details are verified.
Even if you don’t provide account details, just following the link can
expose your system to malicious software.
Tips to Protect your account
Here
are some guidelines to help keep your account secure. Bear in mind this
is best practice for security of any sensitive financial, business or
personal information, not just AdWords.
- 1. Google will NEVER
ask for your account information by email; they won’t even ask for your
password on the phone. All they ever ask for whenever I phone them is
the 10 digit account number. They don’t need any other information to
open up the account for viewing. Most legitimate enterprises don’t need
your login details, so if someone requests them, be very cautious. - If
you receive notification about something you didn’t initiate, likely
this is about something not to your benefit. i.e.: receiving a
confirmation of a password change when you didn’t change your password,
etc. - Always use security solutions and keep them up to
date. Virus protection, firewall and spyware protection are vital for
any system that connects to the internet. - Use strong
passwords. Weak passwords, while easy to remember, are also very easy
for password cracking programs. A strong password contains both
alphabetical and numeric characters and utilizes capitalization, length
and special characters. As well, stronger passwords don’t use
recognizable or easy to guess words.
Examples: lame password =
your name, password (the actual word) or 123456; weak password = date
of birth, newgirl22, ItsaSecret, p@$$word; strong password = tP%m34!pX - Use
different passwords. If you use the same password because it’s easier
to remember, then everything you do becomes compromised if any forums
or sites you use become breached. I have hundreds of logins and
passwords, so I use RoboForm to securely store them. This type of program can also reduce vulnerability to keylogger type spyware. - Keep
the number of account users with administrative access to the minimum
necessary. The more people who have access, the greater the chance of
an information leak. - Turning your computer off or
disconnecting from the internet when you are done using it greatly
reduces the chance of bad things happening unnoticed. - Don’t
send login or password information by insecure means such as email or
instant messaging. Generally if I have to pass on that sort of info, I
always do it by phone. - Monitor your account regularly;
particularly at the end of the week and take random peeks on the
weekends. It only takes a minute to log on and check for abnormal
account activity.
The most important thing to remember is that
there are people out there who will rob you blind if you leave yourself
open, so a modicum of paranoia along with a bit of common sense will go
a long way to saving yourself some real hassle.
Tim Rule specializes in Pay-Per-Click account management at StepForth Web Marketing Inc, a web marketing company founded in 1997 and based in Victoria, British Columbia, Canada. StepForth provides cutting-edge web marketing services that provide highly successful, targeted results for its clientele. Tim Rule is accredited in Google Adwords and a Yahoo Search Marketing Ambassador.
Read other articles by Tim Rule
