[HN Gopher] Google Ad Disguising Itself as www.gimp.org
___________________________________________________________________
Google Ad Disguising Itself as www.gimp.org
Author : tosh
Score : 408 points
Date : 2022-10-29 14:20 UTC (8 hours ago)
(HTM) web link (www.reddit.com)
(TXT) w3m dump (www.reddit.com)
| hedora wrote:
| In this particular case, I suspect a trademark complaint against
| Google would make sense.
|
| Google misrepresented the ad as the product of the Gimp project,
| and were paid as a result. They usually use an "obeying the law
| would not scale" type argument in court, but that would clearly
| be bullshit in this case. They have a business relationship with
| the ad buyer, and should have verified their affiliation with
| gimp.org. Also, a simple string match on the URL would expose the
| attempted fraud on Google's end.
|
| I'm not sure how to check if Gimp is a registered trademark in
| the US. This page kind of implies it might be (or that the author
| of the page does not understand trademarks):
|
| https://www.gimp.org/about/selling.html
| echelon wrote:
| All ad companies need to respect trademarks and allow opt-out
| of reserved terms as a first class feature.
|
| It's disgusting that a competitor can buy an ad for your brand
| on Google, Apple, etc. and place their result before yours.
| This is especially harmful for new, up-and-coming companies.
|
| I've had competitors buy ads in our name before. It's a
| shameful tactic.
|
| It's beyond unfair when these monopoly-like ad companies spent
| hundreds of billions to co-opt the web and personal mobile
| computing and shackle us to this fate. It's the nightmare
| Microsoft and AOL once envisioned, yet now it's actually come
| to pass.
|
| We already pay for domains and trademarks. We shouldn't have to
| keep paying protection money to defend ourselves when we're
| already having to jump through the platforms' obtuse rules and
| pay their outrageous taxes.
|
| Trademarks should be sacred, and no company should be able to
| profit off of yours.
| BLKNSLVR wrote:
| > "obeying the law would not scale"
|
| How can anyone argue against blocking ads when this argument is
| used literally in court as explanation for why they are unable
| to police the ads they're putting on their own platform?
| mcv wrote:
| Having the actual url be completely different from the
| displayed url simply shouldn't be possible. Allowing that
| invites scams like these. At the very least, they need to be
| the same domain.
| RamRodification wrote:
| Yes! This is crazy to me. How can this not be a thing that
| has already been discovered and instantly fixed?
| amelius wrote:
| How much money should they bring to successfully fight this
| case?
| bogeholm wrote:
| > "obeying the law would not scale"
|
| I'd love to see them trying that one out in an EU courtroom
| amscanne wrote:
| > Also, a simple string match on the URL would expose the
| attempted fraud on Google's end.
|
| I feel like your general argument is proving too much: Google
| clearly indicated this is an Ad, and you couldn't reasonably
| hold Google or any other publisher of ads responsible for every
| claim made in every ad. However, I agree that the domain part
| is troubling, and even seems like a potentially misleading
| representation by Google -- I'm surprised you're able to set
| this arbitrarily. However, as discussed in a thread below,
| maybe you can't and this is exploiting an open redirect in
| gimp.org? I think some details would be needed before you can
| jump to assigning blame so quickly.
| dist1ll wrote:
| > obeying the law would not scale
|
| I don't know why, but that sentence terrifies me. It's like the
| silicon valley version of a dystopia.
| nine_k wrote:
| There is a whole genre related to this kind of dystopias,
| cyberpunk. Its predictions from 1980s and 1990s turn out to
| be increasingly true, sometimes in the grim parts, too.
| somat wrote:
| It is the reason for the existence of the dmca.
|
| Now I take a rather dim view of the dmca. But the general
| concept is to move enforcement of the law out of the normal
| slow bureaucratic channels. Now enforcement is handled
| directly by the injured party. Much more efficient.
|
| If you immediately see how ripe for abuse this system is,
| congratulations: you are now more far-sighted than the
| originators of this system.
|
| Now to its credit, the dmca limits the enforcement(I think,
| I have never read the law) to a formalized version of "if you
| stop doing it we won't press charges" however this is still
| widely abused.
| j16sdiz wrote:
| > I don't know why, but that sentence terrifies me. It's like
| the silicon valley version of a dystopia.
|
| because it is true.
|
| We have seen the same pattern in copyright infringement
| handling, spam or fake news control, user support...
| MereInterest wrote:
| It may be true, but why a judge or jury would accept it as
| justification is beyond me. "My business model requires me
| to break the law." is a condemnation of the business model,
| not a justification.
| Aerroon wrote:
| Because if you tried to actually police this then
| everything in life would grind to a halt. It would be
| like expecting the government to deal with every single
| crime.
|
| It's particularly problematic when a business is
| providing a platform for other entities to post a
| message. We don't hold the post office liable for
| transferring copyrighted/trademarked content, do we?
| Nextgrid wrote:
| The problem is that the legal system is flawed in such a
| way that the wronged parties rarely have the time &
| resources needed to actually put the issue in front of a
| judge. If it actually does get in front of a judge (in
| reality it would get settled out of court if it actually
| gets anywhere close) I would indeed expect their argument
| to fall apart.
|
| This is something that ideally the government (its
| consumer protection branches like the FTC) should be
| policing proactively, filing suits preemptively against
| systems that are trivially exploitable.
| MereInterest wrote:
| Definitely agreed. I think it also stems from laws that
| define explicit and measurable harm as the only types of
| harm. For false advertising and fraud, it usually
| requires proving that there was financial harm done as the
| result of the false statements. Because creating an
| environment in which fraud is cheap and easy doesn't
| count as "harm". Because false advertising doesn't count
| as "harm" in itself, even as it imposes the burden of
| scrutinizing all claims from previously trustworthy
| sources.
| ISL wrote:
| Agreed -- there's also little recourse for many forms of
| online fraud, as there's no capacity for law-enforcement
| to investigate at scale.
| henrydark wrote:
| Some laws were put into place before the current internet
| scale was imagined and would probably not be made today
| harvey9 wrote:
| That's still the exact same dystopian take: complying with
| the law is too hard for Google so the law should change to
| the detriment of smaller entities.
| sweetbitter wrote:
| Then your business is not actually scalable.
| plasticchris wrote:
| So it's a valid defense to say complying with the law is
| hard, that's why I didn't?
|
| Shouldn't the right course be to change the law before
| taking such actions?
| kodah wrote:
| It's absolute BS. If a citizen were to come into a court
| and were to express the quantity of state and federal
| laws, those which compete with each other, and beg the
| court forgiveness based on, "There's so many laws I can't
| possibly be made to keep track of them not to mention the
| laws that are no longer actively exercised in courts"
| they'd laugh at you.
|
| A corporation like Google does it and the court agrees.
| Corporations are not people in the worst way possible.
| MereInterest wrote:
| Which is also weird, because it is a far better reason
| for an individual than for a corporation. An individual
| is limited to their own time and expertise, whereas a
| corporation is only limited by their willingness to hire
| additional workers and expertise.
| nonasktell wrote:
| it depends on your lawyer and on your face/outfit really
| dbcurtis wrote:
| Indeed. Saying: "Obeying the law doesn't scale." is an
| admission of guilt with pre-meditated intent to break the
| law. I keep hoping the courts will drive that point home
| at some point.
| pessimizer wrote:
| If you lead with the big ask, you frame the entire
| conversation around it. One should always start one's
| argument with question-begging, and disqualify people who
| don't accept the question begging as not serious about
| having a discussion.
|
| "The laws are impossible to follow at scale. How do we
| fix that."
|
| Or as a thinktank feeds it to a speechwriter to a
| politician: "Our antiquated laws have failed to keep up
| with the speed of technological development, and are now
| becoming an active handicap on progress. We need a set of
| laws that are as forward-thinking as our best selves hope
| to be, and a set of legislators that are responsive to
| the energy and creativity of the young while respecting
| the intelligence and hard-earned wisdom of the old."
| Aerroon wrote:
| I think politicians might even be willing to try to do
| that, but I doubt that regular people would be on board
| with that. This would most likely involve permitting a
| lot of things in society that we consider immoral right
| now (or at least objectionable to some extent).
| 46483744 wrote:
| dist1ll wrote:
| Waiting for the law to change doesn't scale. Gotta be an
| asynchronous call. Just epoll the legislators.
| dylan604 wrote:
| I don't think "move fast, break things" meant the law,
| did it?
| juunpp wrote:
| Of course that's not a valid defense.
| duped wrote:
| Your business doesn't have an inherent right to scale
| femto113 wrote:
| Internet scale companies like Google happily embrace
| intellectual property laws when it's their IP on the line,
| they just don't care about anyone else's. And it's not an
| issue of "can't scale": Google's ad revenue is bigger than
| the entire GDP of Kentucky--they could literally hire 1% of
| the US population to work in fraud management and still
| turn a profit.
| captainmuon wrote:
| How is it even possible to spoof the shown URL?
| johnklos wrote:
| Pay Google money, and they'll let you do all sorts of things
| you're not supposed to do.
| kevincox wrote:
| It's just a setting in Google AdWords. The display URL and
| target URL are not related. You can also play tricks like a
| "tracking URL template" that is a URL that can be on another
| domain and receives the "target URL" as a parameter. It is
| expected to redirect to the correct URL, of course nothing
| enforces this other than a manual review.
|
| I can't believe that Google allows this but tracking is clearly
| more important to them than user security.
| [deleted]
| ilyt wrote:
| Of course it is, they live off ads.
| kevincox wrote:
| Yes, but people don't come to Google for ads, so they need
| to balance the benefits and harm to the users to avoid
| losing the traffic.
| meandmycode wrote:
| Kind of wild they don't require domain ownership proof in
| this case though, if I'm displaying one domain but actually
| linking to another, I should need to prove I own the
| original domain
| dwringer wrote:
| I don't have as much a problem with them hiding the display
| url, but what shocks me is how it also masks the URL in the
| status bar. If I can right-click and copy the correct URL,
| then why isn't Chrome* showing me that URL down below?
|
| *Yeah, I know, I kind of answered my own question. So I guess
| it's rhetorical, and less shocking in retrospect.
| mcv wrote:
| They should not allow this. At the very least, the actual and
| the displayed url need to be on the same domain, and
| preferably the displayed url needs to be a substring of the
| actual url. That way they can still pass parameters for all
| sorts of statistics.
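The display-URL and final-URL mechanics described in the replies above (kevincox's point that the two fields are unrelated, meandmycode's domain-ownership point and mcv's same-domain rule) can be turned into a static policy check. The Go program below is an added example written for this page, not Google Ads code: the Ad struct, the "{lpurl}" placeholder convention, the click.tracker.example host and the tiny public-suffix table are assumptions, and the three sample ads are constructed, the first mirroring the reported gimp.org / gilimp.org case.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Ad holds the three URL fields the thread says an advertiser controls:
// what the searcher sees, where the click lands, and an optional tracking
// template on another host that is supposed to bounce the click onward.
type Ad struct {
	DisplayURL       string
	FinalURL         string
	TrackingTemplate string // assumed placeholder syntax: "{lpurl}" stands for FinalURL
}

// twoLevelSuffixes is a deliberately tiny stand-in for the Public Suffix
// List; real code should use golang.org/x/net/publicsuffix instead.
var twoLevelSuffixes = map[string]bool{"co.uk": true, "com.au": true, "co.jp": true}

// registrableDomain reduces a host to eTLD+1, so www.gimp.org and gimp.org
// compare equal while gilimp.org and gimp.monster do not.
func registrableDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	n := len(labels)
	if n < 2 {
		return host
	}
	if n >= 3 && twoLevelSuffixes[strings.Join(labels[n-2:], ".")] {
		return strings.Join(labels[n-3:], ".")
	}
	return strings.Join(labels[n-2:], ".")
}

// hostOf extracts the hostname of an absolute URL.
func hostOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	return u.Hostname(), nil
}

// Check returns the policy findings for one ad; an empty result means the
// displayed and landing domains agree and no third-party host sits in the
// click path. The check is static: a tracker that really does forward to
// FinalURL is still flagged, because that promise cannot be verified here.
func Check(ad Ad) []string {
	var findings []string
	disp, err := hostOf(ad.DisplayURL)
	if err != nil {
		return []string{"bad display URL: " + err.Error()}
	}
	final, err := hostOf(ad.FinalURL)
	if err != nil {
		return []string{"bad final URL: " + err.Error()}
	}
	if registrableDomain(disp) != registrableDomain(final) {
		findings = append(findings,
			fmt.Sprintf("destination mismatch: shows %s, lands on %s", disp, final))
	}
	if ad.TrackingTemplate != "" {
		if !strings.Contains(ad.TrackingTemplate, "{lpurl}") {
			findings = append(findings, "tracking template never forwards to the final URL")
		}
		expanded := strings.ReplaceAll(ad.TrackingTemplate, "{lpurl}", url.QueryEscape(ad.FinalURL))
		tracker, err := hostOf(expanded)
		switch {
		case err != nil:
			findings = append(findings, "bad tracking template: "+err.Error())
		case registrableDomain(tracker) != registrableDomain(final):
			findings = append(findings,
				fmt.Sprintf("first hop is third-party tracker %s, not %s", tracker, final))
		}
	}
	return findings
}

func main() {
	// Constructed inputs: the first mirrors the ad reported in the thread.
	ads := []Ad{
		{DisplayURL: "https://www.gimp.org/", FinalURL: "https://gilimp.org/"},
		{DisplayURL: "https://www.gimp.org/downloads", FinalURL: "https://www.gimp.org/downloads/?utm_source=ads"},
		{DisplayURL: "https://www.gimp.org/", FinalURL: "https://www.gimp.org/",
			TrackingTemplate: "https://click.tracker.example/r?u={lpurl}"},
	}
	for _, ad := range ads {
		fmt.Printf("%-35s -> %-45s %v\n", ad.DisplayURL, ad.FinalURL, Check(ad))
	}
}
```

The second sample shows why comparing registrable domains rather than whole URLs is enough to keep the tracking parameters the advertisers want: the path and query can differ freely as long as the eTLD+1 is the same. The third shows the gap a tracking template opens even when both URLs match, which is the case a manual review would have to cover.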
| dehrmann wrote:
| Remind me why Google even allows ads in rank 1 on brand terms? I
| remember when "don't be evil" Google would talk about how ads are
| in a different color on the right sidebar.
| lolinder wrote:
| Not only do they allow it, they actively encourage it. They
| tell businesses that it's really important to buy ad space on
| searches for your own brand name so that a competitor doesn't.
|
| The way they say it really comes off like a protection racket.
| "Nice number one spot for searches for your brand name you have
| there, would be a shame if anything were to happen to it."
|
| They make people feel better about it by giving a steep
| discount over normal ads, but that doesn't make it less of a
| racket.
| dna_polymerase wrote:
| Experienced this as someone doing ads for SMBs. The Google
| advisers call and after messing up the configs for your
| campaign (to your disadvantage that is) they advise you to
| include your brand name as a keyword. No matter that 3 out of 3
| top results are already for your company.
| taubek wrote:
| But if you have trademark for brand name you should be able
| to prevent others from using it, right?
| https://support.google.com/adspolicy/answer/2562124?hl=en
| lolinder wrote:
| I don't think that someone could actually use your brand
| name and get away with it long-term (though, short-term, as
| the original post evidences, isn't guaranteed) but a
| competitor can absolutely buy ad space trying to steal your
| customers.
|
| Like, if you search for "Nike" and Nike hasn't bought the
| branded ad space, you might get an ad for Adidas as the top
| result, with Nike's homepage the fourth item in the list.
| mnd999 wrote:
| Trademark law likely requires you to do so.
| kweingar wrote:
| I noticed this on the App Store the other day. I searched for
| YouTube and the first result was TikTok.
| birken wrote:
| > dig +short gimp.monster
| 194.110.203.75
|
| > whois 194.110.203.75
| ...
| role: IT Resheniya LLC
| nic-hdl: ITR30-RIPE
| address: ul. Novoselov, d. 8A, of. 692
| address: 193079 Saint Petersburg
| address: Russia
| abuse-mailbox: abuse@rentaserv.su
| ...
| tpxl wrote:
| Rentaserv.su is a hosting company, there's probably dozens of
| websites on that IP.
| amelius wrote:
| Yes, Russian websites.
| Genghis_9000 wrote:
| yeah part of google worship has created common misconceptions
| like that things that appear in its _automatic_ index are the true
| answer to whatever question you have in mind (computers can't read
| minds). "this is the official link for some product" being only
| one possible question. then there's also the fact that a search
| engine cannot know the answer to "this is the right link for this
| software". i miss when search engines were just grep for the web
| and didn't pretend to be something more
|
| this is a good example of how chicken shit design leads to
| security vulnerabilities. google probably lets the user post one
| link and make it lead somewhere else when you click it, as a "UX"
| feature. in reality it makes phishing much easier. this could
| have been avoided by not being a chicken shit and making links
| behave as one would expect, at the cost of 1% of use cases no
| longer working. the whole idea of treating URLs as a UX object is
| a misconception anyway, URLs should be opaque bit strings.
| juunpp wrote:
| > a search engine cannot know the answer to "this is the right
| link for this software"
|
| You would think keeping a curated list of well-known software
| projects (and others) would be low-hanging fruit. Instead, it
| is apparently better to throw money into complicated systems...
| that can't even catch the most basic form of linkjacking.
|
| > this is a good example of how chicken shit design leads to
| security vulnerabilities. google probably lets the user post
| one link and make it lead somewhere else when you click it, as
| a "UX" feature.
|
| I have always found a bit of subtle arrogance in this kind of
| thought process. It's like they've never bothered learning the
| basic functions of the web and how it is meant to work and
| think they know better than the original creators.
| oliwarner wrote:
| Why is this allowed? I know Google will do anything for money,
| but why is Google _allowed_ to signpost a link to gimp.org which
| actually takes you to g--imp.org (sanitised)?
|
| I mean, if nothing else, how do they not share the liability for
| damages done by the spyware they're literally promoting? For the
| businesses squatting on the names of more notable ones? AdWords
| goes too far.
| missedthecue wrote:
| It's not allowed. It's a violation of Google advertiser
| policies.
| asddubs wrote:
| I feel that what they meant was, why is this even possible to
| do
| TechBro8615 wrote:
| Please use old.reddit.com when linking from HN :(
|
| Maybe dang could even make it an automatic redirect?
| belkarx wrote:
| Similar situation with Brave browser from a year ago:
| https://therecord.media/google-shuts-down-malicious-ad-posin...
| TheMiddleMan wrote:
| Scammers also create ads with fake support contact phone numbers
| for businesses. People call the scammers and they act like the
| company and run their scam.
|
| Google also allows many deceptive AdSense ads, I constantly have
| to block ads that run on my website that are nothing but a big
| "Download Now" button which lead to some malware.
| dvngnt_ wrote:
| nothing new same thing happens with crypto searches.
|
| solution is to install adblock on every device
| beckingz wrote:
| I was able to find this by searching for 'gimp download', and the
| gimp.org displayed ad redirected to 'gimp dot monster' and looked
| pretty good otherwise.
|
| This is amazingly frustrating because I've wasted weeks of my
| life trying to deal with how google usually makes this
| impossible.
| WirelessGigabit wrote:
| If it says gimp.org it should go there and nowhere else.
|
| Or at least validate ownership of the target domain.
| grapehut wrote:
| This is a particularly egregious case, I've never seen a fake
| domain slip through like that before.
|
| However, I have reported dozens of phishing sites for the company
| I worked for. The phisher would simply buy ads for $BRANDNAME and
| create a convincingly similar site and phish users. I would
| report the website to "safebrowsing" and report the ad. Typically
| it would take 1 to 3 days for the website and/or ad to be
| removed, which would give them enough time to do countless
| damage. Then they would simply register a new domain, and repeat.
|
| At some point the only thing you can do is outbid phishing sites
| for your own brandname?!
|
| It's a shame google can not self-regulate such evil behavior, but
| it's clear that it should be illegal for google to allow people
| to buy ads on brandname searches.
| superkuh wrote:
| Going to www.gimp.org and attempting to render that webpage
| immediately crashes my entire X.org desktop.
| mosfets wrote:
| For anyone who actually wants the issue resolved and help
| innocent people -- Report the ad. Click the 3 little dots.
| readthenotes1 wrote:
| It would be quicker to make ad platforms and ad presenters
| liable for damages, and pay for fees and fines.
|
| Old school ads only threatened to stink up the room with the
| scratch and sniffs....
| lob_it wrote:
| nyanpasu64 wrote:
| > Most marketing urls have those long ugly urls to tell the
| advertiser what campaign/source etc you clicked on. So Google
| lets the advertiser display a fake url for ads.
|
| I expected Google Search ads to be above this. But in retrospect
| I shouldn't be surprised that ads would lie to you.
| yubiox wrote:
| People still haven't figured out to never click anything in that
| top ad section in search results?
| 0x00000000 wrote:
| Some queries return like 75% ads
| forgotpwd16 wrote:
| Those that have also figured that ad block is essential
| nowadays.
| tangus wrote:
| Obviously not, and nobody should have to learn that. Let's
| fight against fraud and deception and don't normalize them.
| indymike wrote:
| Not to defend Google but this has been against Ad Words terms for
| as long as I can remember. It's surprising they found a way to
| evade auto detection for this.
| kevincox wrote:
| > against Ad Words terms
|
| Oh great, they'll get their account closed and need to make
| another one to continue scamming people.
|
| How about Google fixes this by displaying the URL that the ad
| actually goes to?
|
| Of course they don't want to do this because the URL with all
| of the tracking parameters looks ugly and it would hurt
| conversion rates. $$$ > user safety.
| jansommer wrote:
| It's kind of crazy when they could just extract the domain
| name, or provide options for how much of the url you want
| (domain? subdomain? path? ...)
| matheusmoreira wrote:
| Terms is just a document Google uses to absolve itself of all
| responsibility. Look! On this document nobody really reads it
| says we don't allow this. See? Not our fault that our
| advertising platform linked you to malware or to scam websites.
|
| The proper response is of course to ignore their excuses and
| block all advertising unconditionally.
| johndfsgdgdfg wrote:
| This is outrageous. We need to find a way to stop Google. Google
| invades our privacy. Google holds us hostages for more money. Now
| this? When is enough enough?
| forgotpwd16 wrote:
| As outrageous as a site having a leak or being hacked. As for
| what someone can do. It's simple. Don't use Google.
| pixl97 wrote:
| One of the big problems here is when you cut out the big tech
| abusers you find out how hollow the internet has become.
| qull wrote:
| Easier said than done. It seems like 40 percent of sites or
| better use some sort of Google service. Even if you aren't
| 'using' Google, you are being used by Google.
| forgotpwd16 wrote:
| Yeah, that's true. But you cannot do much about what a site
| decides to use. Maybe block every connection to Google
| servers which may break them. Can also stop using those
| sites as a protest.
| mixmastamyk wrote:
| Not using google doesn't mean they aren't using you. Kind of
| like the mafia.
| juunpp wrote:
| https://adnauseam.io/
| tantalor wrote:
| Happens for me. Ad says "gimp.org" but links to "gimp.monster".
| Reported.
| dwringer wrote:
| Well, it just took me to "giipm.org", a remarkable 10 hours
| after this was originally posted. It shows "gimp.org" in the
| status bar when I highlight it with the mouse, but of course
| "copy link address" just gets a link going through
| www.googleadservices.com/pagead/ with some long hashes at the
| end.
| kevincox wrote:
| It looks like the Dropbox file at least 404s now. IDK if that
| is the attacker bailing out or Dropbox actually doing
| something faster even though it arguably didn't do anything
| wrong. But Google, the enabler is still sitting on its hands.
| thethethethe wrote:
| I just tried it and now it is 'gilimp.org'
|
| The site looks legit
| tantalor wrote:
| What do you mean it looks legit?
|
| You think "gilimp.org" is legit website for gimp??
| albedoa wrote:
| I read that comment as "the site [does a convincing job of
| looking] legit". Hopefully it was just worded poorly!
| theden wrote:
| IMO checksums more or less offer a false sense of security for
| users if they're stored/shared on the same page/domain as the
| download, since it'd be trivial for a bad actor to change them if
| the files are compromised.
|
| With Linux Mint, for example, the attacker updated the checksums
| for the ISOs on the page when it was compromised:
| https://www.infoworld.com/article/3036178/lesson-from-linux-...
|
| I don't really have a solid solution to this, besides searching
| the checksum on google to see if it's listed anywhere else as a
| soft 3rd party check
| segfaultbuserr wrote:
| OpenPGP signing keys have similar problems. Web of Trust is
| useless if you don't know any developers to begin with, dates
| on public keys can be forged, and false signatures can be
| forged by creating a large number of other false keys. False
| keys can be made more misleading using 32-bit short Key ID
| collision (and don't blame OpenPGP for this, OpenPGP is
| notorious for its complexity but at least it tried, meanwhile
| alternative tools like OpenBSD's signify does not attempt to
| address this problem - these tools of course are simpler).
|
| Surprisingly, I think no attacker has ever forged an OpenPGP
| signature in a real-world security incident, likely because
| there's a lack of overlap between crypto nerds and crackers.
|
| Though, public keys do not change often and leave somewhat of
| an "audit trail". I usually search the key fingerprint on the
| web to see if it has been mentioned elsewhere as a quick check.
| Some projects store signing keys in an official upstream git
| repository. It's somewhat of a higher guarantee, but one can
| still create a false upstream page for phishing... But I guess
| it's too much of an effort so nobody has tried to do this, yet.
|
| Thankfully, for distro users, it's only something for packagers
| to worry about, end users always receive verified packages via
| the distro package manager.
| upofadown wrote:
| The big advantage of an OpenPGP signature over a
| checksum/hash is that you only have to verify the identity
| once. The identity can be used to verify the signatures of an
| unlimited number of files. That is as opposed to requiring
| each file to have a separate checksum/hash. Much more
| opportunity for deception on the smaller scale.
|
| A perhaps less appreciated advantage is that in practice the
| identities are stored offline with each entity that will be
| verifying the signatures. So an attacker has to justify the
| use of the new identity to what would normally be a large
| number of entities. That might explain why that sort of
| attack is so rare.
| cmeacham98 wrote:
| > Surprisingly, I think no attacker has ever forged a OpenPGP
| signature in a real-world security incident, likely because
| there's a lack of overlap between crypto nerds and crackers.
|
| I suspect in the real world almost nobody validates PGP keys
| of software downloads manually. They might do it
| automatically (for example via a Linux package manager),
| which a fake key wouldn't fool. Thus, faking the key isn't
| necessary because 99% of users that could be fooled won't
| bother checking.
| axiolite wrote:
| The 1% that do verify it would report the issue and alert
| others.
| _wldu wrote:
| Put the checksums in a separate system such as the DNS. Use
| DNSSEC on your domains. Manage your DNS system as an isolated
| system (don't mix your HTTP/Email/Other stuff with your DNS
| provider). Now, users may verify the downloads you provide at
| your website by getting checksums from the DNS.
|
| DANE may be of interest here as well:
|
| https://www.infoblox.com/dns-security-resource-center/dns-se...
| hedora wrote:
| Is there any tooling around this?
|
| In particular, it's crazy that I can't just stick a public
| key for my email address in the DNS record for my domain, and
| have email auto E2E encrypt to it.
|
| (No, that wouldn't scale for gmail, but they could do a two
| level thing, where the gmail key signs the public key for
| each mailbox -- assuming people bothered to set up their own
| keys, or that gmail just silently opted them in to server
| side encryption.)
| tptacek wrote:
| How does DNSSEC help here at all? We're talking about the
| security of checksums of data on pages. DNSSEC only addresses
| the name lookup.
| cortesoft wrote:
| That just makes DNS the single point of failure. If you own
| DNS, you can change the checksum and the download all at
| once.
| axiolite wrote:
| > it'd be trivial for a bad actor to change them if the files
| are compromised.
|
| But it's trivial for responsible members of an organization to
| set-up a continuous, automated verification of the checksums
| listed on a web page. It wouldn't be practical to do that with
| the ISOs, directly.
|
| Of course if the organization is lazy or incompetent, and
| chooses not to do so, then they have only themselves to blame.
| But if you fail to compare your downloaded files to the listed
| checksums, that's all on you.
| forgotpwd16 wrote:
| Checksums are meant to verify data integrity. Who ever said
| otherwise?
| theden wrote:
| It doesn't matter, people still use checksums as a signal to
| verify if a download has been tampered with
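The exchange above (theden on checksums published on the same page as the download, upofadown on verifying a signing identity once and reusing it for every later file, axiolite on comparing downloads against listed digests) can be played through in code. The Go program below is an added example for this page, not anything the GIMP or Linux Mint projects ship: it uses Ed25519 from the standard library in place of OpenPGP, the file names and contents are constructed, and the attacker model is the Mint one, where the compromised page lists a digest that matches the trojaned file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// sha256Hex returns the lowercase hex digest, as SHA256SUMS files list it.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest renders "digest  filename" lines in sha256sum format, sorted
// so the same inputs always produce the same bytes to sign.
func BuildManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", sha256Hex(files[n]), n)
	}
	return b.String()
}

// ManifestDigest finds the digest listed for name.
func ManifestDigest(manifest, name string) (string, bool) {
	for _, line := range strings.Split(manifest, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == name {
			return fields[0], true
		}
	}
	return "", false
}

// VerifyAgainstPage is what a checksum on the download page buys you: the
// bytes are compared with whatever digest the page shows right now.
func VerifyAgainstPage(pageManifest, name string, data []byte) bool {
	want, ok := ManifestDigest(pageManifest, name)
	return ok && want == sha256Hex(data)
}

// VerifySigned checks the manifest's detached signature against a key the
// user pinned once, out of band, and only then trusts the digests in it.
func VerifySigned(pinned ed25519.PublicKey, manifest string, sig []byte, name string, data []byte) bool {
	if !ed25519.Verify(pinned, []byte(manifest), sig) {
		return false
	}
	want, ok := ManifestDigest(manifest, name)
	return ok && want == sha256Hex(data)
}

// Outcome records what each scheme says about the Mint-style attack, where
// the attacker replaces a file and rewrites the published digest.
type Outcome struct {
	LegitimateVerifies     bool
	TamperedPassesChecksum bool
	TamperedFailsSignature bool
	AttackerKeyRejected    bool
}

// Scenario plays the attack through with constructed file contents.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const target = "gimp-setup.exe" // constructed name, not a real release artifact
	files := map[string][]byte{
		target:         []byte("constructed: genuine installer"),
		"gimp.tar.bz2": []byte("constructed: genuine source tarball"),
	}
	manifest := BuildManifest(files)
	sig := ed25519.Sign(priv, []byte(manifest))

	// The attacker swaps the installer, republishes a manifest whose digest
	// matches the trojaned file, and signs it with a key of their own.
	tampered := map[string][]byte{target: []byte("constructed: trojaned installer"), "gimp.tar.bz2": files["gimp.tar.bz2"]}
	attackerManifest := BuildManifest(tampered)
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	attackerSig := ed25519.Sign(attackerPriv, []byte(attackerManifest))

	return Outcome{
		LegitimateVerifies:     VerifySigned(pub, manifest, sig, target, files[target]),
		TamperedPassesChecksum: VerifyAgainstPage(attackerManifest, target, tampered[target]),
		TamperedFailsSignature: !VerifySigned(pub, attackerManifest, sig, target, tampered[target]),
		AttackerKeyRejected:    !VerifySigned(pub, attackerManifest, attackerSig, target, tampered[target]),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", o)
}
```

The whole difference sits in where the verifier got `pinned`. If it is fetched from the same compromised page as the manifest, VerifySigned collapses to VerifyAgainstPage, which is the key-bootstrapping problem raised about Web of Trust further up; if it was pinned from an earlier release or another channel, every later manifest signed by the project verifies without any per-file step.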
| TheDesolate0 wrote:
| hddqsb wrote:
| EDIT: There is definitely a mismatch between the display URL and
| the landing page URL. It's not clear to me how that can happen;
| for example https://www.youtube.com/watch?v=jx-gl6K2zQw shows
| that only the display path can be edited (not the domain),
| consistent with the wording on
| https://support.google.com/google-ads/answer/2616010 and
| https://support.google.com/google-ads/answer/2375287. On the
| other hand, https://support.google.com/adspolicy/answer/6368661
| talks about destination mismatch as if it is technically possible
| and just forbidden by policy.
|
| The ad's ID is DChcSEwiPvfuL-YX7AhVmkmYCHUXQC1wYABAAGgJzbQ
| (displayed when reporting it), the display URL is
| https://www.gimp.org/ and the final location after clicking the
| ad is https[:]//gilimp[.]org/ (with no intermediate redirects via
| gimp.org).
|
| Update: The DNS records for gilimp.org have been deleted.
| Archived snapshot:
| https://web.archive.org/web/20221029152445/https://gilimp.or....
|
| -------------
|
| Original comment:
|
| The Reddit user says the ad's display URL was different from
| landing page URL. If that's the case it is particularly
| concerning. I believe Google Ads only allows the advertiser to
| set the path component of the display URL, and takes the domain
| from the landing page (real) URL; so it's unclear how the
| mismatch could happen.
|
| Maybe the Reddit user took the screenshot on a separate occasion
| from when they clicked the malicious link, and the ad changed in
| that time (currently I can see an ad for GIMP, and it links to
| the official domain, and the Twitter thread linked by
| @pmoriarty says the attacker is actively changing things). The
| only other explanation I can think of is that the official GIMP
| website has an open redirect vulnerability.
| weird-eye-issue wrote:
| You can just set any URL you want
| anilshanbhag wrote:
| Just tested, you can still see this Ad if you search for gimp!
| bink wrote:
| I don't see any ad when I search for "gimp". Maybe it's only
| targeting Windows users?
|
| edit: nevermind. I was being saved by ublock origin.
| Searching with it disabled shows the malicious ad.
| cmeacham98 wrote:
| I can't get the ad to show up for me, but maybe GIMP has an
| open redirect on their website and the malvertiser is taking
| advantage of that?
| cuttysnark wrote:
| I had to search for "gimp.org" to get the ad to be the first
| result; just searching "gimp" doesn't return the ad.
|
| The scam ad says "gimp.org" but if you follow it, the landing
| page is hosted at gimp.monster. It's a clone of the proper
| gimp.org with the download instead pointing to who-knows-
| what .exe on Dropbox.
|
| WHOIS gimp.monster has WHOIS-guard, but the Icelandic
| "privacy" address turns up a bunch of Reddit links about scam
| sites. Namecheap is the common thread, but that's hardly a
| lead.
| hddqsb wrote:
| That's what I thought too, but I managed to get the malicious
| ad and confirmed that it's a destination mismatch in Google
| Ads rather than an open redirect (no requests to gimp.org in
| the network monitor).
| ocdtrekkie wrote:
| Yeah Google Ads lies about the destination URL, it always has.
| Which is why the correct choice is to consider Google Ad links
| malicious by default. There's actually no way to be sure where
| clicking them will send you, and tons of fraudsters have put
| scam ads with the official legit domain listed.
|
| I've seen both Amazon and Best Buy URLs on scam ads.
| systemvoltage wrote:
| The entire hackjacking of the URLs needs to stop. It is
| destroying the web. From Safari hiding the full path in the
| browser in the name of "minimalism" to AMP and all the other
| bullshit.
|
| URLs are sacred. Please don't fuck with them. Please.
| [deleted]
| dustymcp wrote:
| This is possible with all advertiser platforms, they don't
| validate for your domain and will happily link to any domain.
| hddqsb wrote:
| Just to avoid any confusion, the issue here is that the URL
| displayed in the ad (and also when hovering over it) has a
| different domain from the page the user lands on when they
| actually click the ad. It's not about whether the
| advertiser owns the domain.
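A defender-side check for the display-versus-landing mismatch hddqsb describes above (an added example, not code from the thread or from Google). It assumes the landing URL was captured after all redirects, e.g. from the browser's network monitor, and approximates the registrable domain as the last two DNS labels instead of using the Public Suffix List:

```python
# Added example (not code from the thread): flag an ad whose displayed
# URL and real landing page sit on different registrable domains.
# Assumption: registrable domain ~ last two DNS labels (no Public Suffix List).
from dataclasses import dataclass
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Lowercase 'example.tld' for a full URL or a bare host like gimp.org."""
    if "://" not in url:
        url = "https://" + url  # display URLs are often bare hosts
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = [part for part in host.split(".") if part]
    return ".".join(labels[-2:])  # approximation; use the PSL for co.uk etc.


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalikes such as giimp vs gimp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    mismatch: bool   # displayed and landing domains differ
    lookalike: bool  # and the landing label is a near-copy of the shown one
    display: str
    landing: str


def check_ad(display_url: str, landing_url: str) -> Verdict:
    """Compare what the ad shows with where the click actually lands.

    landing_url should be the final URL after redirects, as seen in the
    browser's network monitor; an open redirect on the shown domain would
    then still be caught because the last hop lands elsewhere.
    """
    shown = registrable_domain(display_url)
    real = registrable_domain(landing_url)
    mismatch = shown != real
    shown_label, real_label = shown.split(".")[0], real.split(".")[0]
    lookalike = mismatch and 0 < edit_distance(shown_label, real_label) <= 2
    return Verdict(mismatch, lookalike, shown, real)
```

The inputs below are constructed from the domains named in this thread; gimp.org versus gimp.monster is reported as a plain mismatch, while gimp.org versus giimp.org is additionally flagged as a lookalike.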
| TheWoodsy wrote:
| Does anyone have a copy of the exe?
|
| Would love to poke it for research.
|
| Edit: Here be dragons. Found a source:
| https://old.reddit.com/r/GIMP/comments/ygbr4o/dangerous_goog...
| pmoriarty wrote:
| To see the OP without enabling javascript:
|
| https://nitter.net/gimp_official/status/1586330082221510656
| LinuxBender wrote:
| Apparently the malicious ads are hidden when using uBlock [1]
|
| [1] - https://addons.mozilla.org/en-US/firefox/addon/ublock-
| origin...
| yibers wrote:
| That's precisely the reason why I use uBlock
| Lonestar1440 wrote:
| Reported to Google, for whatever that's worth. Currently (12:42
| Eastern, 29 October) the ad is #1 hit and links to
| www...giimp...org which further links to some very sketchy
| looking downloads off the discord CDN.
|
| I've been using Bing for a year now. Not perfect, but 1) never
| seen something like this on it and 2) if Google feels less like
| an invincible monopolist, perhaps they'll have some incentive to
| provide an acceptable service.
| Pathogen-David wrote:
| This is also a huge issue with Blender and pops up on /r/blender
| from time to time.
|
| (Here's a few random recent examples: https://redd.it/xxkx5s
| https://redd.it/vvrxko https://redd.it/xwkky8
| https://redd.it/vuqu1r)
|
| Ad networks and content providers get up in arms over widespread
| ad blocking but then allow stuff like this through.
| ilyt wrote:
| Yeah, blocking ads quickly became security improvement...
| hawski wrote:
| Always was. Does anyone remember the de facto original ad-
| blockers that blocking popups were? Firefox was marketed with
| this feature.
|
| It is basically a condom for the Internet. It makes
| maintenance for family computers much easier.
| axiolite wrote:
| > Does anyone remember the de facto original ad-blockers
| that blocking popups were?
|
| I was using the Internet Junkbuster (and later: Privoxy) in
| the mid-90s, many years before that. https://web.archive.or
| g/web/19961222061917/http://www.junkbu...
|
| Of course, back then you could just disable javascript in
| your web browser to protect yourself from malicious sites
| and annoyances, and practically all sites would work
| perfectly fine.
| geoduck14 wrote:
| But if you block pop-ups, that web page with Rick Astley's
| cool video popping up won't play.
|
| /s
| juunpp wrote:
| Government does:
|
| https://www.nsa.gov/portals/75/documents/what-we-
| do/cybersec...
|
| https://www.vice.com/en/article/93ypke/the-nsa-and-cia-
| use-a...
| matheusmoreira wrote:
| Turns out uBlock Origin is the best anti-malware software there
| is. For some reason friends and family just don't seem to get
| malware anymore after I installed it on their browsers.
| ocdtrekkie wrote:
| As soon as you realize how much of Google's bottom line is
| scam and malware distribution, it becomes really hard to view
| the company as anything but crooks.
|
| Google's other big line of business is shaking down
| businesses for cash by selling the top result for someone's
| own brand name unless they're paid for protection.
| missedthecue wrote:
| I would bet real money that a negligible amount of Google's
| bottom line is scam and malware distribution.
| ocdtrekkie wrote:
| I am confident even Google fails to understand how much
| of their own business is scams and malware.
| yazzku wrote:
| This is not merely rhetorical. Nvidia, for example, was
| caught hard during the first cryptocurrency bust... and
| the second.
| matheusmoreira wrote:
| Even if ads were 100% legit verified links, they would
| still be scams. Advertising is inherently untrustworthy.
| Why do people trust anything a corporation says about their
| own products? In the best case scenario, they're
| highlighting the pros and omitting the cons. Usually
| they're just straight up lying.
|
| I want real opinions written by real people with no
| conflict of interest. People who aren't getting paid by the
| corporation.
| agluszak wrote:
| Why is this getting downvoted?
| gkbrk wrote:
| A large chunk of this website's user-base is working for
| ad companies like Google or Facebook. Another large chunk
| earns money from putting those ads on their apps.
| iamacyborg wrote:
| Because it's nonsense
| matheusmoreira wrote:
| Why?
| notahacker wrote:
| _Linking to company websites so people looking to buy
| stuff that company makes can find it is a scam, because
| company websites are biased in favour of that company_ is
| not an argument actual adults should make, still less
| adults who have used the internet (and for that matter,
| shops!) before. Actual adults are well aware that a
| company's web page will say good things about the
| company and that third parties might have different
| opinions if they care to look elsewhere for them.
| Insisting that anything written by anyone paid to sell
| something is a scam [comparable to a trojan masquerading
| as popular OSS!] is pretty much the _reductio ad
| absurdum_ version of HN's general aversion to
| advertising.
|
| The argument for ad blockers is that ads are annoying and
| trackers are intrusive, not that people should avoid all
| interaction with any commercial entities ever, even when
| they're literally looking to buy something.
|
| (And no, the company paying Google for ads so their
| website appears in the results for a particular search
| term is not inherently more dishonest than them paying an
| SEO consultant to achieve the same thing
| 'organically'...)
| ptato wrote:
| Advertising is not meant to be educational, it's meant to
| make you aware the product exists. Of course you don't
| have to trust what the company is saying, but now you
| know their product exists and what it does. If it was
| something you were looking for, you can now research it
| and ask for opinions.
| orangecat wrote:
| _Advertising is not meant to be educational, it's meant
| to make you aware the product exists._
|
| That's maybe 10% of what advertising does. Everyone on
| the planet is well aware that Coke is a carbonated
| beverage.
| BLKNSLVR wrote:
| Advertising is manipulative by its very nature. Being
| made aware that it exists is manipulative in a somewhat
| forgivable way, but often the words and message are
| intended to motivate people with various forms of
| emotional manipulation.
|
| Advertising is pretty gross.
|
| And maybe that wasn't always the case, and maybe it's
| also using advertising in place of another word, but
| that's where it's ended up in my understanding of the
| world.
| ocdtrekkie wrote:
| I agree, but the fact that even if you hold the view that
| ads are beneficial to society, Google is _still_ a bad
| actor and a net negative to all of us, is particularly
| noteworthy. We all pay for Google via folks paying
| ransoms and other scams, having to indirectly pay for
| high ad budgets every company has to pay off Google to
| avoid their own search result being squatted by a
| competitor, etc. There is no company on the planet that
| the world would benefit more from being shut down.
| robocat wrote:
| > shut down Google (paraphrased)
|
| But the incentives for advertising remain the same, so
| another similar competitor with similar evilness would
| emerge to replace them.
|
| I don't believe the problem is "Google is evil".
|
| I think the problem is that the incentives create evil,
| and there is little effective effort (that I have seen)
| to fix Google's incentives through legislation or other
| means.
|
| I worry that many other major companies we interact with
| are heading down the same path.
|
| TVs are one canary warning us.
|
| Another example: Apple seems to be getting keener on
| advertising revenue, and I'm not sure that opposing
| incentives (within Apple or by their customers) are
| strong enough to overcome the financial temptation. That
| temptation leads to eventual sin (to use a religious
| metaphor!) Apple already commits egregious harm through
| many kinds of "free" apps.
| itronitron wrote:
| I haven't used Google Search in over four years but it
| sounds like they have followed the SourceForge path based
| on your description.
| a1371 wrote:
| I think people are missing the actual issue here. Google used to
| have a clear distinction between what's an ad and what is
| organic.
|
| In these screenshots you have to pay good attention to see the
| top result is an ad.
|
| To keep their conversion numbers up they had to constantly reduce
| the difference between the ads and everything else. The fact that
| they can do this and we are so used to it that we don't first
| identify that as the culprit is quite interesting.
|
| I have run a few Google ads in recent years and the people
| who come through them, some of them, clearly have no idea that
| they have clicked on an ad. This might be good for business but I
| think it does more harm overall.
| satellite2 wrote:
| It's not enough. I used to always skip the ad of the canonical
| site I was looking for to avoid incurring them a cost when I
| knew what I was searching for.
|
| But it's often no longer possible. The actual search result
| you want is the ad and the link is no longer duplicated in the
| organic search results.
|
| So you have to click the ad.
| itronitron wrote:
| you also have the option to not use Google and use DuckDuckGo
| or Bing instead
| asddubs wrote:
| they used to have a yellow background, then a blue button with
| a white "advertisement" text in it, and it just got more and
| more subtle over the years. Now it's two characters of text.
| Macha wrote:
| On mobile, the text saying Ad is the same size and position
| as favicons for regular search results, too.
| jmt_ wrote:
| I see people do that all the time - inadvertently click an ad
| because it's one of the first few results that pop up. Not only
| that, the number of ads shown before the real result has
| increased too! Just the other day, my boss did a Google search
| for a common product and was shown at least FIVE ads before the
| first real result and had to scroll to see that result. I
| remember the days when you would see one or two ads and the
| real result as the first thing you saw after a search, not
| seeing only ads until you scroll down.
| adam1210 wrote:
| This has been happening to a smaller project I am affiliated with
| for _years_. You can report it to Google - typically they ignore
| the reports. Occasionally they'll remove the offending ad, but
| they are just replaced with more ads the following day. I don't
| think it's preventable.
| ahurmazda wrote:
| Also timely
|
| https://news.ycombinator.com/item?id=33383494
___________________________________________________________________
(page generated 2022-10-29 23:00 UTC)