by seandougall
2604 days ago
> Wouldn't work - they do periodic checks after approval.

Something more sophisticated appears to be going on here. What if you randomly redirect, say, 95% of clicks to eBay and take the remaining 5% to your phishing site? Each of Google's periodic checks would only have a 5% chance of catching you, but if you can get enough impressions over eBay's legitimate ads (which is an entirely separate facet to all of this), you'd still get a ton of bites, because so many people get to eBay the way Aunt Sue does. Better yet, your redirect service could look at the client IP address and only redirect to the phishing site if it matches a known range for, say, Comcast or Charter. Or use it to drill down even farther and set up multiple spear phishing campaigns. It seems like there's no shortage of ways to abuse this, and for Google to allow redirects without some sort of robust verification that the advertiser owns the destination domain (such as @gnud's certificate-based suggestion in a sibling comment) seems downright negligent, if that is indeed how they operate.
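To make the arithmetic in the comment above concrete, here is an added model (not code from the comment, from the advertiser, or from Google's ad review system) of the two cloaking strategies it describes: diverting a random fraction of clicks, and diverting only clients whose IP falls in a targeted network. The destination URLs, the `198.51.100.0/24` "consumer ISP" range and the `203.0.113.0/24` "reviewer" range are constructed placeholders (documentation address space), not real campaign data. The `detection_probability` helper shows why a 5% split survives periodic spot checks, and `probe` shows what a checker that follows the redirect from several vantage points would (and would not) see.

```python
import ipaddress
import random

# Constructed placeholders: the declared destination and the diverted one.
DECLARED_DEST = "https://www.ebay.com/"
DIVERTED_DEST = "https://example.invalid/login"


class CloakingRedirector:
    """Model of the redirect service the comment describes (assumption:
    a single hop that picks a destination per request).

    With target_nets empty, a random phish_fraction of clicks is diverted.
    With target_nets set, only clients inside those networks are diverted;
    everyone else, including a reviewer's crawler, sees the declared site.
    """

    def __init__(self, phish_fraction=0.05, target_nets=(), seed=0):
        self.phish_fraction = phish_fraction
        self.target_nets = [ipaddress.ip_network(n) for n in target_nets]
        self.rng = random.Random(seed)  # seeded so the model is reproducible

    def resolve(self, client_ip):
        """Return the destination this client would be sent to."""
        ip = ipaddress.ip_address(client_ip)
        if self.target_nets:
            # IP-based cloaking: divert only the targeted ranges.
            if any(ip in net for net in self.target_nets):
                return DIVERTED_DEST
            return DECLARED_DEST
        # Probabilistic cloaking: divert a random fraction of all clicks.
        if self.rng.random() < self.phish_fraction:
            return DIVERTED_DEST
        return DECLARED_DEST


def detection_probability(p, n):
    """Chance that at least one of n independent spot checks lands on the
    diverted branch when each check has probability p of doing so:
    1 - (1 - p) ** n.  For p = 0.05 this is only ~0.40 after 10 checks.
    """
    return 1 - (1 - p) ** n


def diverted_fraction(redirector, client_ip, samples):
    """Empirical share of clicks from client_ip that get diverted."""
    hits = sum(redirector.resolve(client_ip) == DIVERTED_DEST
               for _ in range(samples))
    return hits / samples


def probe(redirector, vantage_ips):
    """A checker's view: follow the redirect from each vantage IP and report
    every destination other than the declared one. An empty set means the
    checker saw nothing wrong, not that nothing is wrong."""
    seen = {redirector.resolve(ip) for ip in vantage_ips}
    return seen - {DECLARED_DEST}


if __name__ == "__main__":
    # Strategy 1: random 5% split. Periodic checks rarely catch it.
    random_split = CloakingRedirector(phish_fraction=0.05, seed=1)
    print("share diverted:", diverted_fraction(random_split, "203.0.113.9", 10000))
    for n in (1, 10, 50):
        print(f"P(detect after {n} checks) = {detection_probability(0.05, n):.3f}")

    # Strategy 2: divert only a targeted ISP range (constructed: 198.51.100.0/24).
    targeted = CloakingRedirector(target_nets=["198.51.100.0/24"])
    reviewer_ips = ["203.0.113.5", "203.0.113.17"]       # constructed checker IPs
    print("checker sees:", probe(targeted, reviewer_ips))  # set()
    print("subscriber sees:", targeted.resolve("198.51.100.7"))
```

The point of the model is the asymmetry: the random split can in principle be caught by enough independent checks (and `detection_probability` tells you how many), but the IP-targeted variant is invisible to any checker whose source addresses are not in the targeted range, which is why the comment argues that only proof of control over the destination domain, rather than re-crawling, actually closes the gap.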