by arbuge
2604 days ago
> Have the page redirect until ad is approved, profit?

Wouldn't work - they do periodic checks after approval. Something more sophisticated appears to be going on here.

> Google needs to abolish this link policy, I don't see how it's enforceable

Link analytics and link trackers are perfectly legitimate. There are many situations in which it is necessary or desirable to go via intermediate urls before the final destination. Throwing out the baby with the bathwater definitely isn't the answer here.
What if you randomly redirect, say, 95% of clicks to eBay and take the remaining 5% to your phishing site? Each of Google's periodic checks would only have a 5% chance of catching you, but if you can get enough impressions over eBay's legitimate ads (which is an entirely separate facet to all of this), you'd still get a ton of bites, because so many people get to eBay the way Aunt Sue does.
Better yet, your redirect service could look at the client IP address and only redirect to the phishing site if it matches a known range for, say, Comcast or Charter. Or use it to drill down even farther and set up multiple spear phishing campaigns.
It seems like there's no shortage of ways to abuse this, and for Google to allow redirects without some sort of robust verification that the advertiser owns the destination domain (such as @gnud's certificate-based suggestion in a sibling comment) seems downright negligent, if that is indeed how they operate.