by 32032141 2604 days ago
This is an explicit tool in adwords, believe it or not.

The feature is intended so that you can have a link "to" http://trackersRus.com/ which forwards to http://ebay.com/, without the user seeing that bit of ugly.

It's been used in campaigns for years; I've reported probably hundreds of these distributing malware.


It appears here that the redirection to the ebay.com destination url is not happening and that the user ends up on a different domain.

That kind of situation is usually detected when ads are entered into the Google Ads* platform for review, with ads then rejected for "destination url mismatch". One thing checked is that the final destination url after all redirects matches what is specified in the ad's final url field.

I suspect the scammers here are somehow faking the destination url for Google's bot checker to pass the Google checks and then serving different destination urls to users who they believe are not Google bots.

* Google Ads is now the correct branded name. No longer called AdWords as in the title.
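The check described above, as an added example that is not code from the thread or from Google: the ad's click URL is followed through its redirects and the host it ends on is compared with the host of the declared final URL. HTTP is replaced by a `head(url)` function backed by a constructed redirect table so it runs offline; every hostname is hypothetical.

```javascript
// Added example (not the thread's or Google's code): a platform-side
// "destination URL mismatch" check. HTTP is stubbed by `fakeHead`, which
// reads a constructed redirect table; all hostnames are hypothetical.

const FAKE_RESPONSES = {
  // Legitimate tracker: one hop, lands on the declared site.
  "http://tracker.example/click?id=42": { status: 302, location: "https://www.ebay.com/" },
  "https://www.ebay.com/": { status: 200 },
  // Abusive tracker: a relative hop, then a hop to an unrelated domain.
  "http://tracker.example/click?id=43": { status: 302, location: "/hop2" },
  "http://tracker.example/hop2": { status: 301, location: "https://phish.example/login" },
  "https://phish.example/login": { status: 200 },
  // Redirect loop, which a cloaker can also use to stall a checker.
  "http://tracker.example/loop": { status: 302, location: "http://tracker.example/loop" },
};

function fakeHead(url) {
  return FAKE_RESPONSES[url] || { status: 404 };
}

// Follow redirects from `startUrl`. Returns the final URL, the chain of
// URLs visited and the final status; `maxHops` bounds redirect loops.
function resolveFinalUrl(startUrl, head = fakeHead, maxHops = 10) {
  const chain = [startUrl];
  let current = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const resp = head(current);
    const isRedirect = resp.status >= 300 && resp.status < 400 && resp.location;
    if (!isRedirect) return { finalUrl: current, chain, status: resp.status };
    // Location may be relative; resolve it against the current URL.
    current = new URL(resp.location, current).toString();
    chain.push(current);
  }
  return { finalUrl: current, chain, status: 0, error: "too many redirects" };
}

// Hostname normalised for comparison: lower-case, leading "www." dropped.
// A production checker would compare registrable domains using the public
// suffix list; this simplification is enough for the example.
function normalizeHost(url) {
  return new URL(url).hostname.toLowerCase().replace(/^www\./, "");
}

// Verdict for one ad: ok only if the chain ends with 200 on the declared host.
function checkDestination(clickUrl, declaredFinalUrl, head = fakeHead) {
  const r = resolveFinalUrl(clickUrl, head);
  if (r.error) return { ok: false, reason: r.error, ...r };
  if (r.status !== 200) return { ok: false, reason: "final status " + r.status, ...r };
  const match = normalizeHost(r.finalUrl) === normalizeHost(declaredFinalUrl);
  return { ok: match, reason: match ? "host matches" : "destination url mismatch", ...r };
}

// Stand-alone demo.
for (const id of [42, 43]) {
  console.log(checkDestination("http://tracker.example/click?id=" + id, "https://www.ebay.com/"));
}
console.log(checkDestination("http://tracker.example/loop", "https://www.ebay.com/"));
```

The whole check rests on `head(url)` getting the same answer the user's browser would get; the rest of the thread is about redirectors that answer the checker differently from everyone else.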

Google's approach here seems totally wrong. The destination URL should be, exactly, the link as shown. If someone wants to track clicks using a third-party tracker, Google should offer an API for that which does not give the third-party tracker any ability to control the destination -- they have plenty of market power to impose this and, heck, they could even charge a small premium.

Most browsers support a lovely feature where the a tag has a ping attribute, which is intended for more or less this use case.

Google already works like this in browsers that support it (most modern ones). The ad is linked to the destination URL with no redirects through any advertiser-controlled domain. A third-party tracking URL can be specified, and it will be pinged in the background using the browser's sendBeacon() function. Any redirects in response to the ping don't affect what webpage the browser displays, so they can't be used to hijack the click.

https://support.google.com/google-ads/answer/7544674?hl=en
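The distinction the comment above draws, as an added example that is not code from the thread or from Google's documentation: a redirect-style tracking link, where the tracker's HTTP answer decides which page the user lands on, beside a ping-style link, where the browser navigates straight to `href` and reports the click in a separate request whose response cannot change the navigation. The "browser" is a tiny model and the hostnames are hypothetical.

```javascript
// Added example (not the thread's or Google's code): redirect-style versus
// ping-style tracking links, with a minimal model of how a browser handles
// each click. Hostnames are hypothetical.

const DEST = "https://www.ebay.com/";
const PHISH = "https://phish.example/login";

// Escape text for a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Redirect style: href points at the tracker, which must redirect onward.
function redirectStyleLink(trackerBase, destination) {
  const href = trackerBase + "?u=" + encodeURIComponent(destination);
  return { kind: "redirect", href, ping: null,
           html: `<a href="${escapeAttr(href)}">${escapeAttr(destination)}</a>` };
}

// Ping style: href is the destination; the `ping` attribute makes the
// browser POST to the tracker (with Ping-From / Ping-To headers) on click.
function pingStyleLink(trackerUrl, destination) {
  return { kind: "ping", href: destination, ping: trackerUrl,
           html: `<a href="${escapeAttr(destination)}" ping="${escapeAttr(trackerUrl)}">${escapeAttr(destination)}</a>` };
}

// Same effect as `ping` from a click handler, for real browsers only:
// navigator.sendBeacon queues a small POST that outlives the navigation.
function beaconOnClick(anchor, trackerUrl) {
  anchor.addEventListener("click", () => {
    if (typeof navigator !== "undefined" && navigator.sendBeacon) {
      navigator.sendBeacon(trackerUrl, JSON.stringify({ to: anchor.href }));
    }
  });
}

// Model of a click. `tracker(request)` plays the tracking server and returns
// the Location it answers with, or null for a 204 No Content.
function simulateClick(link, tracker) {
  if (link.kind === "redirect") {
    // The browser is navigating to the tracker, so its answer is the page.
    const location = tracker({ url: link.href });
    return { navigatedTo: location || link.href, trackerSaw: link.href };
  }
  // Ping: two independent requests. Whatever the tracker answers to the
  // ping is discarded; the navigation target was fixed by href.
  const ignored = tracker({ url: link.ping, pingTo: link.href });
  return { navigatedTo: link.href, trackerSaw: link.ping, ignoredRedirect: ignored };
}

// Two trackers: an honest one that forwards to the `u` parameter, and one
// that sends everybody to a phishing page.
function honestTracker(req) {
  return new URL(req.url).searchParams.get("u") || null;
}
function hijackingTracker(req) {
  return PHISH;
}

// Stand-alone demo.
const viaRedirect = redirectStyleLink("https://tracker.example/click", DEST);
const viaPing = pingStyleLink("https://tracker.example/ping", DEST);
console.log(simulateClick(viaRedirect, honestTracker));
console.log(simulateClick(viaRedirect, hijackingTracker));
console.log(simulateClick(viaPing, hijackingTracker));
```

With the ping-style link the tracker still learns that the click happened and where it went, but the only party that can choose the page is whoever wrote `href` into the ad.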

That’s not the point of the tool - the point of the tool is to turn example.com/cms/category/subcategory/product into the easier to read example.com/product

> That’s not the point of the tool - the point of the tool is to turn example.com/cms/category/subcategory/product into the easier to read example.com/product

Then set up an explicit 301 or 302 on example.com to make this happen, don't hide it in the ad-serving layer.

Wow it seems trivial to trick Google's bots with these links. Have the page redirect until ad is approved, profit?

I'm sure it's easy to find their bot IPs too. Just make a bunch of terrible ads that nobody will click and see who visits the url.

Google needs to abolish this link policy, I don't see how it's enforceable

This is called "cloaking", and it's a cat and mouse game between ad networks and bad actors. You're describing the simplest thing that can be done to cloak a website from an automated checker, but there are far more advanced techniques as well.
> Have the page redirect until ad is approved, profit?

Wouldn't work - they do periodic checks after approval. Something more sophisticated appears to be going on here.

> Google needs to abolish this link policy, I don't see how it's enforceable

Link analytics and link trackers are perfectly legitimate. There are many situations in which it is necessary or desirable to go via intermediate urls before the final destination. Throwing out the baby with the bathwater definitely isn't the answer here.

> Wouldn't work - they do periodic checks after approval. Something more sophisticated appears to be going on here.

What if you randomly redirect, say, 95% of clicks to eBay and take the remaining 5% to your phishing site? Each of Google's periodic checks would only have a 5% chance of catching you, but if you can get enough impressions over eBay's legitimate ads (which is an entirely separate facet to all of this), you'd still get a ton of bites, because so many people get to eBay the way Aunt Sue does.

Better yet, your redirect service could look at the client IP address and only redirect to the phishing site if it matches a known range for, say, Comcast or Charter. Or use it to drill down even farther and set up multiple spear phishing campaigns.

It seems like there's no shortage of ways to abuse this, and for Google to allow redirects without some sort of robust verification that the advertiser owns the destination domain (such as @gnud's certificate-based suggestion in a sibling comment) seems downright negligent, if that is indeed how they operate.
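The redirector described in the comment above (a fixed fraction of clicks sent to the phishing page, or only clients from chosen ISP ranges), as an added example that is not code from the thread, together with the arithmetic a checker that does periodic spot checks has to reckon with. Hostnames, IP ranges and the crawler user-agent string are hypothetical; the "coin flip" is a hash of the click id so the example is deterministic.

```javascript
// Added example (not the thread's code): a cloaking redirector that shows
// most clicks the real site and some the phishing page, plus checker-side
// arithmetic. Hostnames, IP ranges and the bot user agent are hypothetical.

const REAL = "https://www.ebay.com/";
const PHISH = "https://phish.example/login";

// Parse dotted-quad IPv4 into an unsigned 32-bit integer.
function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(x => !Number.isInteger(x) || x < 0 || x > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return (((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3]) >>> 0;
}

// True if `ip` is inside `cidr` (e.g. "203.0.113.0/24").
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const n = Number(bits);
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// FNV-1a hash of a string mapped to [0, 1): a deterministic stand-in for the
// redirector's coin flip, so the same click id always gets the same answer.
function hashFraction(s) {
  let h = 0x811c9dc5;
  for (const ch of String(s)) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h / 0x100000000;
}

// The redirector's decision for one click. `policy` holds the phishing
// fraction and the targeted CIDR ranges.
function cloakedDestination({ clientIp, userAgent, clickId }, policy) {
  // Anything that looks like a crawler gets the clean destination.
  if (/bot|crawler|spider/i.test(userAgent)) return REAL;
  // Clients in targeted ranges always get the phishing page.
  if (policy.targetRanges.some(r => inCidr(clientIp, r))) return PHISH;
  // Everyone else: a fixed fraction of clicks.
  return hashFraction(clickId) < policy.phishFraction ? PHISH : REAL;
}

// Checker-side arithmetic: with fraction p of clicks cloaked and k
// independent checks that are otherwise indistinguishable from users,
// all k miss with probability (1-p)^k.
function probabilityAllChecksMiss(p, k) {
  return Math.pow(1 - p, k);
}
// Checks needed before at least one catches the cloak with the given confidence.
function checksNeeded(p, confidence) {
  return Math.ceil(Math.log(1 - confidence) / Math.log(1 - p));
}

// Run `n` clicks each from a crawler, a client in a targeted range, and an
// ordinary client, counting how many land on the phishing page.
function simulate(policy, n) {
  const counts = { crawler: 0, targeted: 0, ordinary: 0 };
  for (let i = 0; i < n; i++) {
    if (cloakedDestination({ clientIp: "192.0.2.10", userAgent: "ExampleAdsBot/1.0", clickId: i }, policy) === PHISH) counts.crawler++;
    if (cloakedDestination({ clientIp: "203.0.113.77", userAgent: "Mozilla/5.0", clickId: i }, policy) === PHISH) counts.targeted++;
    if (cloakedDestination({ clientIp: "198.51.100.7", userAgent: "Mozilla/5.0", clickId: i }, policy) === PHISH) counts.ordinary++;
  }
  return counts;
}

// Stand-alone demo.
const POLICY = { phishFraction: 0.05, targetRanges: ["203.0.113.0/24"] };
console.log(simulate(POLICY, 1000));
console.log("one check catches a 5% cloak with p =", 1 - probabilityAllChecksMiss(0.05, 1));
console.log("checks for 99% confidence:", checksNeeded(0.05, 0.99));
```

The numbers show why "periodic checks after approval" are not enough on their own against a 5% cloak: a single check has a 95% chance of seeing the clean page, and about 90 independent checks are needed for 99% confidence, while a checker that is identifiable by its user agent or address range never sees the phishing page at all.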

Perhaps letting the ad people have a free-for-all with tech is a bad idea. I feel like intermediate URLs should never be OK.
There are other ways to signal ad impressions that aren't a huge security risk. Maybe not quite as convenient, but I doubt banning redirects would have a measurable effect as long as Google gave a deprecation warning.

You can achieve the same thing without redirects using URL parameters or the referer field. Google should ban any destination that doesn't match the site's domain. It's an unfixable security risk that's being actively exploited.

I've had this problem on Facebook. I've reported some ads for various (relatively benign) scams for herbals and the like, that use a famous newspaper as 'their url', when they have nothing to do with it.

Facebook closed my report as 'not against ad policy'.

Anyway, this is actually easily fixed without losing tracking/campaign flexibility, by requiring ad orders to be signed by a certificate valid for the target domain, if the URL is different from the displayed one.

> Facebook closed my report as 'not against ad policy'.

Heh, makes you wonder, what's the ad policy? Sounds like: 'They pay us money, so must be legit?'

If Google enforced that hosts/domains matched, could you not redirect from your own host to the tracking provider (and them back to you)?

Yes, but most of the people buying ads are not technically competent enough to make this happen.

Google's solution ensures that the marketing people get what they want without the technical people standing in the way.

Wouldn’t a simple solution to this problem be to prove ownership of the domain you want displayed? Why is this not done yet, this is almost standard practice nowadays for many types of services.

A lot of companies send ads to amazon.com rather than their own web site.

Yep. This is why you never click on ads, period.

I wonder why Google doesn’t follow the redirect, and ensure the followed link matches the displayed link?

I get that there’s workarounds like changing the redirect after Google checks it, but there’s solutions to this too (like running checks every so often to ensure the link redirects to the same domain).

Possibly the checks are identifiable by User-agent, Referer, client address, timing etc.

For this purpose there's a lot of room for false positives. It doesn't matter if some actual users actually get redirected to ebay.