Thursday, September 11th, 2008

Protecting Your Google AdWords Account from Fraud

 

At some point, most people have had some sort of encounter with internet scams, viruses, spyware or other security problems. Hackers and scam artists are a pervasive reality in today’s world, and making assumptions about security is unwise. A pay-per-click account makes an attractive target for a technically savvy criminal: gaining access to someone’s account allows them to promote their schemes at someone else’s expense.

Originally trained in Network Security, I have always taken such precautions very seriously and now even more so, since a recent fraudulent act affected one of our client’s accounts.

Early this summer I arrived at the office on a Monday morning and proceeded to check my weekend mail. Two emails caught my attention right away. The first was from AdWords, informing us that the client’s credit card was declined, and the second was from the client, asking “What is the campaign ‘Qwasde’ – Campaign #1?”

Upon reading that came the realization that this account had been hacked. This was further confirmed by a review of the account’s recent activity. I discovered that on the previous Friday someone had created this new, innocuously named Campaign #1 with a daily budget of $7000. It contained only the single “Qwasde” ad group, with a single ad:

No doubt this was intended to phish for bank account details of anyone unwisely clicking on this ad.

This hacker was pretty slick. The whole scam was set up late in the day on Friday, when it was less likely to be detected. The domain the ad was directed at was registered in Australia to a “resident” of New Jersey. The website was put up on Friday and gone by Monday morning and in 2 days the ad generated $13,000 in click charges.

I immediately called Google and an investigation was initiated. They agreed this looked like fraudulent activity and promised to contact us with their investigation results within a few days.

Concerned about the means by which this person gained access, I checked my security for any indications of a breach. Finding nothing unusual in my own logs, I then contacted the client with instructions for locking down and cleaning his computer system, advising him to change any sensitive passwords in case his system was infected.

Google got back to us a couple of days later confirming the results and promising to refund the client’s money. This was good news, as it appeared the fallout from this would be limited to a loss of only a week or so in the client’s Google marketing initiative. In reality though, this had a far greater impact.

According to Google, the account needs to remain inactive until the refund process reaches completion. This took place nearly 2 months ago and still there is no sign of the refund. The account is still frozen. Google has no ETA on completion of this process; apparently their refund department has a huge backlog, due to the numerous email phishing scams that keep cropping up.

We still haven’t figured out how the breach occurred. For my part, I think it’s possible the client inadvertently became a victim of the phishing scam.

This scam is similar in some respects to the PayPal phishing scam of 2 years ago. It’s pretty slick and can easily fool the uninformed. In fact, another of our clients with an AdWords account received one of these emails some months ago and asked me what to do with it, so I had them forward a copy of the email to me. Thankfully, they hadn’t clicked on the link, as it was indeed one of these scams.

Here is the email they had received:

-----Original Message-----

From: Google AdWords [mailto:adwords-noreply@google.com]
Sent: Sunday, May 25, 2008 4:49 PM

To: xxxxxxxxxxx

Subject: Google AdWords Account Verification Email

Dear Google AdWords customer!

In order to confirm your contact details, please click the link below:

Google AdWords Form

This should take you directly to the Google AdWords Form.

Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,
The Google AdWords Team
————————

This particular scam differs from most emails of its kind because it looks like a legitimate AdWords support email. It also lacks the spelling and grammatical errors common to spam n’ scam emails.

There is a telltale flaw though:

In the original email if you mouse over the link, you would see it is not actually pointing to google.com but rather to google.com.adwdl.org.uk, a completely different domain and unrelated to Google.
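The same mouse-over check can be done in code. This is an added example, not part of the original article: it pulls every link out of an HTML email body and reports those whose real host is not google.com or one of its subdomains. The sample body, the trusted-domain list and all function names are assumptions made for illustration; only the hostname google.com.adwdl.org.uk comes from the email described above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain we expect genuine AdWords mail to link to.
TRUSTED_DOMAINS = {"google.com"}

def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.
    Labels are compared from the right, the way DNS reads them."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html_body):
    """Return (visible text, real host) for links that leave TRUSTED_DOMAINS."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    return [(text, urlsplit(href).hostname)
            for text, href in parser.links
            if not host_is_trusted(urlsplit(href).hostname)]

# Constructed sample body; only the hostname of the first link is from the article.
SAMPLE_EMAIL = """
<p>In order to confirm your contact details, please click the link below:</p>
<p><a href="http://google.com.adwdl.org.uk/">Google AdWords Form</a></p>
<p>Help: <a href="https://adwords.google.com/">AdWords</a></p>
"""

if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE_EMAIL):
        print(f"link text {text!r} really goes to {host}")
```

A hostname is read from right to left, so google.com.adwdl.org.uk belongs to adwdl.org.uk; checking only that the address starts with or contains "google.com" would wrongly accept it.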

Other email variations report imminent account closure unless account details are verified. Even if you don’t provide account details, just following the link can expose your system to malicious software.

Tips to Protect Your Account

Here are some guidelines to help keep your account secure. Bear in mind this is best practice for security of any sensitive financial, business or personal information, not just AdWords.

  1. Google will NEVER ask for your account information by email; they won’t even ask for your password on the phone. All they ever ask for whenever I phone them is the 10 digit account number. They don’t need any other information to open up the account for viewing. Most legitimate enterprises don’t need your login details, so if someone requests them, be very cautious.
  2. If you receive notification about something you didn’t initiate, it is likely about something not to your benefit, e.g. receiving a confirmation of a password change when you didn’t change your password.
  3. Always use security solutions and keep them up to date. Virus protection, firewall and spyware protection are vital for any system that connects to the internet.
  4. Use strong passwords. Weak passwords, while easy to remember, are also very easy for password cracking programs. A strong password contains both alphabetical and numeric characters and utilizes capitalization, length and special characters. As well, stronger passwords don’t use recognizable or easy to guess words. Examples: lame password = your name, password (the actual word) or 123456; weak password = date of birth, newgirl22, ItsaSecret, p@$$word; strong password = tP%m34!pX
  5. Use different passwords. If you use the same password because it’s easier to remember, then everything you do becomes compromised if any forums or sites you use become breached. I have hundreds of logins and passwords, so I use RoboForm to securely store them. This type of program can also reduce vulnerability to keylogger type spyware.
  6. Keep the number of account users with administrative access to the minimum necessary. The more people who have access, the greater the chance of an information leak.
  7. Turning your computer off or disconnecting from the internet when you are done using it greatly reduces the chance of bad things happening unnoticed.
  8. Don’t send login or password information by insecure means such as email or instant messaging. Generally if I have to pass on that sort of info, I always do it by phone.
  9. Monitor your account regularly, particularly at the end of the week, and take random peeks on the weekends. It only takes a minute to log on and check for abnormal account activity.

The most important thing to remember is that there are people out there who will rob you blind if you leave yourself open, so a modicum of paranoia along with a bit of common sense will go a long way to saving yourself some real hassle.

by Tim Rule, PPC Specialist, StepForth Web Marketing Inc.

One Response to “Protecting Your Google AdWords Account from Fraud”

  1. Tim Rule

    Update – This morning at 7am (the morning following the date of publication of this article), we received notification that the long awaited refund was complete.

    The timing on this is very curious. I am speculating as to whether someone at Google read this and lit a fire under someone’s chair in the refund department. It just could be coincidental timing…

    Regardless, the client is pleased and it’s nice to see Google making good on its promise.

    Chapter closed. Be safe, not sorry.
