Google will warn users when sites contain social engineering ads (techcrunch.com)
These are actively being served through Google Adsense, right now.
Here are a few example live sites where I see "Download" buttons in an ad, in a context that would be confusing.
http://www.getpaint.net/index.html
I only see them when using Chrome on Android these days. I generally use Firefox with an ad blocker on both Windows and Android to combat it. I disable it on some sites to support them, donate where I can, subscribe to YouTube Red/Google Music, etc. to be sure I support content.
Are you sure they are ads, and not the site redirecting you based on your user agent? I've had some sites that have apps do that, but I've never had an ad automatically direct me to the Play Store before.
It's never "weird" for a company to choose not to attack its own revenue base.
There should be a button to report them. Please report them.
Edit: I found the feedback form: https://support.google.com/adwords/troubleshooter/4578507
> Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
Honest question: When you take a look at the "manipulation of people into divulging confidential information" part, wouldn't this, by definition, incriminate the vast majority of the modern ("Internet 2.0") web, WRT unremovable-cookies, tracking, "analytics", and so forth?
I fully admit there is a difference between downloading a random AdobeFlashPlayerUpdate.exe or MacKeeperApp.dmg from a malicious site and having all your personal data and information about you sent off to a 3rd party company... but where do we (or Google, here) draw the line?
Just last week, Facebook started gleaning contacts from my phone and injecting them into the "People you may know" page - these were people I did NOT want on my Facebook - ranging from business contacts to Tinder matches. I knew this was (sadly) standard behavior for users of the Facebook app, or users of "Facebook for Mobile", but I have never given my phone number to Facebook, not once, and I only access it via a mobile browser.
Is it social engineering to see my recent searches in the Amazon app on mobile reposted on Facebook on my desktop Web browser?
[0]: https://en.wikipedia.org/wiki/Social_engineering_(security)
And then they become that problem by taking on flash ads a few years ago.
I mean, the last thing I want out of ads is targeting. Nobody needs to tell me to buy things I already like.
Yesterday I just saw a banner ad on a YouTube music video - from Google AdWords - that was alerting me I may need some "Drivers" for my machine and I should get them from some suspicious company called TechSoft or RealSoft or something like that. It was the "dying car alarm drops a sick beat" extended remix if that's of any interest.
I did take a screenshot but don't have it handy right now.
And they can punish other people's websites for having malicious ads, including Google-sourced malicious ads, because that totally solves the problem!
This comment was thick with sarcasm.
DoubleClick certainly is not the worst offender of this, but they are the biggest player. Is Google going to block/penalize the sites of their own customers? That would feel weird. Is Google going to block/penalize the sites of their competitors? That would also feel weird.
In that model you got a free listing in a category or two but had to pay to get either additional listings (in other categories) or an advertisement (of various sizes) in order to get phone calls. The rationale (in addition to making money, obviously) was that there had to be a way to distinguish the serious people trying to hawk a particular good or service from the casual players. The thinking was that if a person took out a listing or an ad saying they "sold recumbent bicycles" they must be doing that because they were willing to pay to say so. So the theory is that if you pay to say something you must be fairly serious about what you are saying (in terms of things you are selling).
It showed people what they wanted to see, while other companies were focusing on what they were paid to show.
...or until they don't and have an Anti-Trust suit on their hands.
This was previously discussed at https://news.ycombinator.com/item?id=11032270.
Google's expanded it from just protecting users to also notify the network admin via https://security.googleblog.com/2010/09/safe-browsing-alerts...
(The "notify the AS owner" service existed before, but now it also notifies about social engineering content.)
[/end doing job of reporter who should have done it themselves.]
> Deceptive site ahead
> Attackers on kat.cr may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards).
It's definitely a step forward in the right direction, provided Google AdSense, well, adheres to their own company's guidelines…
This source appears to show that, at least for downloads, the browser is sending data to the API: "From Firefox 32 on, downloads are checked against the local list and a remote list if the local list does not return a hit."
SOURCE: http://www.ghacks.net/2014/07/23/prevent-firefox-sending-dow...
Wow. Just wow. That seems like such a horrifically bad idea. The worlds represented by FB and Tinder are almost diametrically opposed and I imagine that people who use both would never want any mixing. We are one FB bug away from some serious embarrassment.
As developers this isn't hard to implement, but it is a bit extreme.
There is also the question of business contacts, whom I have only had connection with via Voice Call and Text message (no external app and permissions given), showing up in my feed. Of course, this could be permission given on THEIR side that is reciprocating on my end, but again, this implementation is also extreme (ly possible).
Doubleclick is actually a suite of different applications.
I suppose you mean DFP (Doubleclick for Publishers). This is a google product but it doesn't necessarily display ads from Google Network. With DFP you can show ads from Google but also other networks or even your own negotiated ads. So in other words even though it's a Google Product it's designed to give publishers freedom on which ads will be displayed. If you use DFP to only show ads from Google Network such as adSense you can rest assured these are reviewed by Google for such social engineering tactics.
I suppose they might block sites that use DFP to serve ads from other networks they can't vet and don't go through good review and were detected to contain bad Ads.
Not all ads on adSense are reviewed. Or, if they are, the reviewers are doing a poor job. Locally, and on mobile devices, I get adSense ads like: "Your device has a virus. Click here to download our anti-virus software for 4.99$." Then the page shows the "404 broken robot"-graphic (it is an ad on adSense network, which spoofs Google, and scares you into downloading a paid, probably worthless, virus-scanner).
I've reported numerous ads to Google over the years: Some competitors who were not playing by the rules, but also redirects to porn websites and the (locally) infamous: Your Whatsapp has expired! Enter your phone number, so we can mine that, and charge you weekly for a fake app.
> I suppose they might block sites that use DFP to serve ads from other networks they can't vet and don't go through good review and were detected to contain bad Ads.
Likely, but this seems weird (fix/penalize DFP partner networks first, don't penalize your users for using your own product). Also from a competitor sense: I am all for protection of users (use an adblocker!), but it does not feel right that a company with the resources of Google, finally manages to rid their own network of these malicious ads (let's say for sake of argument they have), then immediately puts the ban-hammer on their less resourceful competitor networks. Perhaps that is a side-effect of owning both analytics, the ad networks, and the browser people use to view those ads.
It's still happening now and then, so Google is fixing the problem in the wrong place.
>These lookups are Windows-only, because we rely on signature information in order to suppress remote lookups and signature APIs are only available on Windows. If the binary is unsigned or its signature does not match a known good publisher and the filename ends in a known executable extension, Firefox sends a remote lookup to the application reputation service.
This is more precise than your post including the quote.
All this was well before the internet, when there weren't step-by-step guides and/or blog posts, and things like this were never taught; you either figured them out on your own or someone you knew was nice enough to tell you. (In the old days it wasn't typical to share info and secrets like it is today.)
Google may also share information from SafeBrowsing with other companies, so they can opt to fix their stuff.
Also, what I may view as terrible ads, Google sees as companies gradually finding the razor-sharp edge of their program policies.
For obvious reasons, we do not hear (or see) anything about the successful efforts to keep scam and spam away from their networks.
Tinder (as of my last login last year) displays a user's liked pages along with their interests and then only their first name so that there is some "privacy".
I used to put all that data through Facebook Graph search and it would get me their full name and contact information, which in turn would lead me to their email address, which would lead me to their addresses or phone number.
Fun, fun times. It's a good thing that I am not the kind of person who would abuse such things.
> We are one FB bug away from some serious embarrassment.
FB has been squirreling away phone and credit card numbers for a while, along with DoBs, family members, birth cities, and pet names (i.e. "answers to common security challenge questions"). I wouldn't be surprised if a lot of this information has already been stolen, and is being used for things worth more than a bit of embarrassment.
http://i.imgur.com/AauOwVB.png
(This is from a site which detects adblockers, and begs you to turn it off, because it's killing their business model)
But now https://i.imgur.com/AauOwVB.png it works. Strange.
Ads like the paint.net ad run afoul of
> Mimicking site content, news articles, or text ads
> Google doesn't allow ads that mimic publisher content or layout, or news articles and features. Ads may also not contain screenshots of Google AdWords text ads or otherwise simulate an AdWords text ad in any way.
https://support.google.com/adwordspolicy/answer/176108?hl=en
Clicking on the ad I was greeted with a landing page, with tiny gray jpeg letters telling me that this free game service costs only 5 Euro a week (automatic renewal). The company behind it, Mobster Ltd. leads me to a dead end on Cyprus and a whole lot of internet complaints.
So please do not click that link or Google may be forced to block imgur. Sorry.
Some of the "AI" startups that mix automated intelligence with human fallback have probably got it much more right: Sometimes, you need people.
Why is the action to flag and penalize the site? Why would the action not be "google stops showing that ad"?
I don't find this kind of result surprising at all, particularly given how big Google is. If the site safety team is different from the don't-show-evil-ads team, it's almost an inevitable result, at least, in some point in the evolution of the system(s) and processes involved. It does point out some improvements that are needed.
That same scraper that's flagging the site can see the AdSense block, see that the image URL for the offending image is "googlesyndication.com/some/image", etc. As far as I can tell, that's enough info to map directly back to the entity paying for the ad to show.