
Google will warn users when sites contain social engineering ads - PirateDave
http://techcrunch.com/2016/04/12/google-will-now-warn-users-when-websites-host-deceptive-social-engineering-ads/
======
tyingq
From the article: "Others pretend to be “Download” or “Play” buttons, as if
clicking them would provide access to the video content or stream the user had
wanted. "

These are actively being served through Google Adsense, right now.

Here are a few example live sites where I see "Download" buttons in an ad, in
a context that would be confusing.

[http://www.getpaint.net/index.html](http://www.getpaint.net/index.html)

[http://downloads.tomsguide.com/PaintNET,0301-4883.html](http://downloads.tomsguide.com/PaintNET,0301-4883.html)

[http://filehippo.com/download_paint.net/](http://filehippo.com/download_paint.net/)

~~~
ori_b
> These are actively being served through Google Adsense, right now.

There should be a button to report them. _Please_ report them.

~~~
tyingq
Sure. But it's just funny that Google's approach is to mark these sites with
big red warnings when Google itself is the source of the actual problem.

~~~
duaneb
The ads are the actual problem. It's entirely possible this is a stopgap
solution while they flag the client for manual auditing (or whatever)—manual
auditing doesn't scale, so I suspect this is going to be more successful at
preventing abuse in the short term.

~~~
ocdtrekkie
The problem is that Google has built most of its products and business around
the concept that they can automate away manual intervention. I think they are
quickly starting to discover how faulty that concept is.

Some of the "AI" startups that mix automated intelligence with human fallback
have probably got it much more right: Sometimes, you need people.

~~~
duaneb
Regardless, I think the warning is better than no warning. Again, we don't
know the process behind the scenes.

~~~
ocdtrekkie
If Google believes any of their ads on the page are questionable, Google
should simply not display those ads.

------
FilterSweep
From Wikipedia[0]:

> _Social engineering, in the context of information security, refers to
> psychological manipulation of people into performing actions or divulging
> confidential information. A type of confidence trick for the purpose of
> information gathering, fraud, or system access, it differs from a
> traditional "con" in that it is often one of many steps in a more complex
> fraud scheme._

Honest question: When you take a look at the "manipulation of people into
divulging confidential information" part, wouldn't this, by definition,
incriminate the vast majority of the modern ("Internet 2.0") web, WRT
unremovable-cookies, tracking, "analytics", and so forth?

I fully admit there is a difference between downloading a random
AdobeFlashPlayerUpdate.exe or MacKeeperApp.dmg from a malicious site and
having all your personal data and information about you sent off to a 3rd
party company... but where do we (or Google, here) draw the line?

Just last week, Facebook started gleaning contacts from my phone and injecting
them into the "People you may know" page - these were people I did NOT want on
my Facebook - ranging from business contacts to Tinder matches. I knew this
was (sadly) standard behavior for users of the Facebook App, or users of
"Facebook for Mobile", but I have never given my phone number to Facebook, not
once, and I only access it via a mobile browser.

Is it social engineering to see my recent searches in the Amazon app on mobile
reposted on Facebook on my desktop Web browser?

[0]:
[https://en.wikipedia.org/wiki/Social_engineering_(security)](https://en.wikipedia.org/wiki/Social_engineering_\(security\))

~~~
huehehue
IIRC, you have to auth to Tinder with a FB account. Not saying that nothing
shady is happening, because I believe it is, but note that there are hundreds
of ways for a company like FB to connect the dots. Post locations, event
invitations, friends of friends, searches, ads/trackers, even your
behavior/patterns on the site. The only real options, IMO, are to delete FB or
accept the uphill battle.

~~~
e40
_IIRC, you have to auth to Tinder with a FB account._

Wow. Just wow. That seems like such a horrifically bad idea. The worlds
represented by FB and Tinder are almost diametrically opposed and I imagine
that people who use both would never want any mixing. We are one FB bug away
from some serious embarrassment.

~~~
Raphmedia
Fun fact:

Tinder (as of my last login last year) displays a user's liked pages along with
their interests and then only their first name so that there is some
"privacy".

I used to put all that data through Facebook Graph search and it would get me
their full name and contact information, which in turn would lead me to their
email address, which would lead me to their addresses or phone number.

Fun, fun times. It's a good thing that I am not the kind of person who would
abuse such things.

------
brador
It's worth remembering that this is the pain point AdSense and AdWords
originally solved for by only allowing a title, 2 lines of text, and a URL.
And they did it so well they disrupted/killed a multi-billion dollar industry
of online Flash ads practically overnight.

And then they became that problem by taking on Flash ads a few years ago.

~~~
55555
I think their USP was contextuality, no?

~~~
brador
The contextuality came later once they had built out the backend systems and
proven the core idea worked.

------
6stringmerc
What about on their own sites? Like YouTube?

Yesterday I just saw a banner ad on a YouTube music video - from Google
AdWords - that was alerting me I may need some "Drivers" for my machine and I
should get them from some suspicious company called TechSoft or RealSoft or
something like that. It was the "dying car alarm drops a sick beat" extended
remix if that's of any interest.

I did take a screenshot but don't have it handy right now.

~~~
EvanAnderson
I regularly see ads during Youtube videos for what I would assume to be
malware -- "driver updates" and the ilk. It would be nice if Google would get
their own house in order.

~~~
ocdtrekkie
Why should Google get its house in order? The best part about being a
monopoly is everyone has to deal with you whether they like it or not. ;)

And they can punish other people's websites for having malicious ads,
including Google-sourced malicious ads, because that totally solves the
problem!

This comment was thick with sarcasm.

~~~
shiftpgdn
Because people start using Adblock and sucking the life out of their business.
I just deployed adblock across the entire organization I work for as a basic
security measure.

------
putaside
The only time I have been bothered with these kind of ads, is when DoubleClick
serves me those on my Android.

DoubleClick certainly is not the worst offender of this, but they are the
biggest player. Is Google going to block/penalize the sites of their own
customers? That would feel weird. Is Google going to block/penalize the sites
of their competitors? That would also feel weird.

~~~
dudus
Usually the burden to approve an Ad is on the network that hosts/serve the Ad.
Google does require approval for all Ads you want to serve to Google Search or
Google Display Network, as well as Ads you want to sell through Doubleclick Ad
Exchange.

Doubleclick is actually a suite of different applications.

I suppose you mean DFP (Doubleclick for Publishers). This is a google product
but it doesn't necessarily display ads from Google Network. With DFP you can
show ads from Google but also other networks or even your own negotiated ads.
So in other words even though it's a Google Product it's designed to give
publishers freedom on which ads will be displayed. If you use DFP to only show
ads from Google Network such as AdSense you can rest assured these are
reviewed by Google for such social engineering tactics.

I suppose they might block sites that use DFP to serve ads from other networks
they can't vet and don't go through good review and were detected to contain
bad Ads.

~~~
putaside
Google partners with these other networks (like Advertising.com and AppNexus).
In the end it is their DFP .js code that invokes malicious ads/redirects. I
blame the last in the chain, and I do not think that is unfair.

Not all ads on AdSense are reviewed. Or, if they are, the reviewers are doing
a poor job. Locally, and on mobile devices, I get AdSense ads like: "Your
device has a virus. Click here to download our anti-virus software for $4.99."
Then the page shows the "404 broken robot" graphic (it is an ad on the AdSense
network, which spoofs Google, and scares you into downloading a paid, probably
worthless, virus-scanner).

I've reported numerous ads to Google over the years: Some competitors who were
not playing by the rules, but also redirects to porn websites and the
(locally) infamous: Your Whatsapp has expired! Enter your phone number, so we
can mine that, and charge you weekly for a fake app.

> I suppose they might block sites that use DFP to serve ads from other
> networks they can't vet and don't go through good review and were detected
> to contain bad Ads.

Likely, but this seems weird (fix/penalize DFP partner networks first, don't
penalize your users for using your own product). Also from a competitor sense:
I am all for protection of users (use an adblocker!), but it does not feel
right that a company with the resources of Google, finally manages to rid
their own network of these malicious ads (let's say for sake of argument they
have), then immediately puts the ban-hammer on their less resourceful
competitor networks. Perhaps that is a side-effect of owning both analytics,
the ad networks, and the browser people use to view those ads.

~~~
putasidemobile
I may have been too harsh on Google. If Google implements: "Hey, this
javascript ad code is trying to redirect to another domain, let's throw up a
warning." then that would be great (no matter if it hits their own ads).

Google may also share information from SafeBrowsing with other companies, so
they can opt to fix their stuff.

Also, what I may view as terrible ads, Google sees as companies gradually
finding the razor-sharp edge of their program policies.

For obvious reasons, we do not hear (or see) anything about the successful
efforts to keep scam and spam away from their networks.

------
josephjrobison
And Google's own AdWords ads looking more and more like organic search results
and pushing the organic results further down the page isn't social engineering
at all, right?

~~~
gist
What's interesting is that this is moving more and more in the direction of
the tried and trusted legacy yellow pages phonebook model.

In that model you got a free listing in a category or two but had to pay to
get either additional listings (in other categories) or for an advertisement
(of various sizes) in order to get phone calls. The rationale (in addition to
making money obviously) was that there had to be a way to distinguish the
serious people trying to hawk a particular good or service from the casual
players. The thinking was that if a person took out a listing or an ad saying
they "sold recumbent bicycles" they must be doing that because they were
willing to pay to say so. So the theory is if you pay to say something you
must be fairly serious about what you are saying (in terms of things you are
selling).

~~~
tyingq
Ah, but without the loophole of naming your company "AAAAAAAAA Services" to
land at the top of "organics" :)

~~~
gist
My gaming of the system was putting a display ad with multiple phone numbers
representing different areas of the city. Worked very well. Learned that by
observing what other businesses did (in entirely different areas I might add)
and figuring that must be the reason (since I knew they didn't have all of
those locations). Yellow pages, at least for what I did (was a "well developed
category") was instant business and paid off very well. I increased the ad
size every year. In some cases ran a small and large ad after being told
(correctly) that some people liked to deal with a small company and some a
large company. I landed a big contract once with the larger ad when only 3
companies were asked to bid.

All this was well before the internet, when there weren't step-by-step guides
and/or blog posts, and things like this were never taught; you either figured
them out on your own or someone you knew was nice enough to tell you. (In the
old days it wasn't typical to share info and secrets like it is today.)

------
michael_h
Why stop there? When a site contains the offending ads, push them down to page
four of the results. The ads will disappear in a matter of days.

~~~
partiallypro
So, punish companies for using AdSense, one of Google's core services? As many
have pointed out here, AdSense is a big contributor to these ads. It seems it
would be pretty easy to weed out on the AdSense platform, since they have to
be bidding on "download" as a keyword to be assigned to that page.

------
ilyanep
Can't wait until Google has to block websites using AdSense because they
themselves served such an ad through a reseller.

...or until they don't and have an Anti-Trust suit on their hands.

------
elcapitan
I didn't even know that there are ads that _don't_ involve social
engineering.

------
ikeboy
>[Update: Google published this news today on its corporate blog, but this was
previously announced earlier this year. We’ve asked Google to clarify why it
was republished, if that was in error, or if it represents any changes since
the first announcement.]

This was previously discussed at
[https://news.ycombinator.com/item?id=11032270](https://news.ycombinator.com/item?id=11032270).

~~~
dgacmu
The actual news is this:
[https://security.googleblog.com/2016/04/improvements-to-safe-browsing-alerts.html](https://security.googleblog.com/2016/04/improvements-to-safe-browsing-alerts.html)

Google's expanded it from just protecting users to also notifying the network
admin via [https://security.googleblog.com/2010/09/safe-browsing-alerts-for-network.html](https://security.googleblog.com/2010/09/safe-browsing-alerts-for-network.html)

(The "notify the AS owner" service existed before, but now it also notifies
about social engineering content.)

[/end doing job of reporter who should have done it themselves.]

------
diegorbaquero
I'm not saying an ad-blocker IS the solution, but it works on blocking not
only ads but making websites faster and safer.

~~~
LeoNatan25
Ad blocking IS the solution. To many many problems.

------
blaze33
Well I block ads on my desktop so I'm not really seeing fake "download"
buttons that often. On the other end what really bothers me on mobile (using
the latest chrome) is ads automatically redirecting me to another site,
happens quite regularly when I browse Google news. I don't really know if
those ads use an exploit of some sort or if they consider I've clicked the ad
when I only tried scrolling the page with my finger but that should clearly be
checked. And it happens on well known newspapers websites, not that I was
browsing some obscure shady part of the web...

------
spriggan3
Will they do that on their own sites too ? like youtube or blogger ? because
yes, I got plenty of "Your computer is infected by a virus, Please call
Microsoft hotline" popups from those.

~~~
rcheu
I don't have Adblock on for Youtube and I've never gotten a popup like that.
All of their ads are video ads. Are you sure you don't actually have a virus
(that's causing the popups, not due to the message itself)?

~~~
kuschku
The in-video popups (at the bottom, about 20% of the height of the video) very
often advertise malware for me too.

------
cha5m
What hypocrites [http://imgur.com/3Emyw5y](http://imgur.com/3Emyw5y)

------
MichaelGG
That's rich, coming from them. When I used mobile apps with ads, the majority
seemed to be fake "update battery driver"/"uninstall virus" type nonsense. In
flashing red and yellow.

------
fireworks10
I see this warning in effect on [http://kat.cr](http://kat.cr) in Chrome:

    
    
      Deceptive site ahead
      
      Attackers on kat.cr may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards).

------
JamilD
Since sites like this are so ubiquitous, I wonder if users will see warnings
like this so often that they'll start to ignore them and just click "proceed"
without thinking.

It's definitely a step forward in the right direction, provided Google
Adsense, well, adheres to their own company's guidelines…

------
dfar1
This is a good start to solve an old problem. However they need to start
filtering out their own ads. I don't know which is easier, catch them before
it goes live, or after, but either way... that's something in the right
direction.

------
chinathrow
Why warn? Why not simply drop/block them and notify the ad network/ad buyer?

~~~
kuschku
Because then they’d hurt their own bottom line.

------
jevinskie
Hmm... I just saw this mess on Youtube today. An "Ads by Google" ad for some
malware.

[http://i.imgur.com/vQkjZWU.jpg](http://i.imgur.com/vQkjZWU.jpg)

------
Strilanc
They count fake download buttons as social engineering. Excellent.

~~~
_greim_
What definition of "social engineering" are you using?

------
guelo
I'd rather my adblocker deal with these instead of my browser.

------
nxzero
Most people don't realize that Google's "Safe Browser" sends, via Chrome &
Firefox, every single URL you visit to Google; as far as I'm able to
tell.

~~~
gruez
No, it doesn't.
[https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/](https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/)

~~~
nxzero
I've seen requests passed to Google, which is how I noticed it in the first
place.

This source appears to show at least for downloads the browser is sending data
to the API: "From Firefox 32 on, downloads are checked against the local list
and a remote list if the local list does not return a hit."

SOURCE: [http://www.ghacks.net/2014/07/23/prevent-firefox-sending-download-information-google/](http://www.ghacks.net/2014/07/23/prevent-firefox-sending-download-information-google/)

~~~
cremno
That article ends with a link to
[https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc#Remote_lookup_.28present_in_FF_32.2C_Windows-only.29](https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc#Remote_lookup_.28present_in_FF_32.2C_Windows-only.29)
which contains:

>These lookups are Windows-only, because we rely on signature information in
order to suppress remote lookups and signature APIs are only available on
Windows. If the binary is unsigned or its signature does not match a known
good publisher and the filename ends in a known executable extension, Firefox
sends a remote lookup to the application reputation service.

This is more precise than your post including the quote.
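The disagreement in this subthread is about what a Safe Browsing client actually sends. The published client design (which the linked feeding.cloud post describes) is a hash-prefix lookup: the browser downloads a bulk list of short SHA-256 prefixes, hashes candidate forms of each URL it visits, and only when a prefix matches does it contact the server, sending that prefix rather than the URL; the server returns the full hashes behind the prefix and the client decides locally. The model below is an added example written for this page, not code from the thread, from Google or from Mozilla. The blocklist, the local prefix list, the simulated server and the "collider" site are all constructed, and URL canonicalization is simplified relative to the real specification.

```python
"""Model of the Safe Browsing hash-prefix lookup (added example; constructed data)."""
import hashlib
import ipaddress
from urllib.parse import quote, unquote, urlsplit

PREFIX_LEN = 4  # bytes of SHA-256 kept in the local list (real lists use 4..32)


def canonicalize(url):
    """Return (host, path, query): fragment dropped, host lowercased and
    trimmed of stray dots, dot-segments resolved, percent-encoding normalised.
    Simplified relative to the real Safe Browsing canonicalization rules."""
    if "://" not in url:
        url = "http://" + url
    s = urlsplit(url)
    host = (s.hostname or "").strip(".")
    while ".." in host:
        host = host.replace("..", ".")
    segs = []
    for seg in unquote(s.path or "/").split("/"):
        if seg == "..":
            if segs:
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    path = "/".join(segs)
    if not path.startswith("/"):
        path = "/" + path
    return host, quote(path, safe="/"), s.query


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_suffixes(host):
    """Exact host, then up to four suffixes built from its last five labels
    (IP literals yield only themselves), so a listing of a parent domain
    catches every subdomain beneath it."""
    out = [host]
    if _is_ip(host):
        return out
    labels = host.split(".")
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand not in out:
            out.append(cand)
    return out


def path_prefixes(path, query):
    """Exact path with query, exact path, then "/" and up to three directory
    prefixes, so a listing of a directory catches every page under it."""
    out = [path + "?" + query] if query else []
    out.append(path)
    cur = "/"
    if cur not in out:
        out.append(cur)
    for comp in path.split("/")[1:-1][:3]:
        cur = cur + comp + "/"
        if cur not in out:
            out.append(cur)
    return out


def candidate_expressions(url):
    host, path, query = canonicalize(url)
    for h in host_suffixes(host):
        for p in path_prefixes(path, query):
            yield h + p


def full_hash(expression):
    return hashlib.sha256(expression.encode()).digest()


def make_server(blocked_expressions):
    """Simulated full-hash server: prefix -> set of full hashes (constructed)."""
    table = {}
    for e in blocked_expressions:
        h = full_hash(e)
        table.setdefault(h[:PREFIX_LEN], set()).add(h)
    return lambda prefix: table.get(prefix, set())


# Constructed blocklist and the local prefix list a client would have downloaded.
BLOCKED = ["malware.example/bad/", "fakeupdate.example/"]
LOCAL_PREFIXES = {full_hash(e)[:PREFIX_LEN] for e in BLOCKED}
# Constructed benign site whose prefix happens to be in the local list: the
# client sends four bytes, the server has no matching full hash, visit is clean.
COLLIDER = "collider.example/"
LOCAL_PREFIXES.add(full_hash(COLLIDER)[:PREFIX_LEN])
SERVER = make_server(BLOCKED)


def check_url(url, local_prefixes=LOCAL_PREFIXES, server_lookup=SERVER):
    """Return (unsafe, matched_expression, prefixes_sent_to_server).
    Nothing leaves the machine unless a local prefix matches, and then only
    the prefix; the URL itself is never transmitted."""
    sent = []
    for expr in candidate_expressions(url):
        h = full_hash(expr)
        prefix = h[:PREFIX_LEN]
        if prefix not in local_prefixes:
            continue
        sent.append(prefix)
        if h in server_lookup(prefix):
            return True, expr, sent
    return False, None, sent


if __name__ == "__main__":
    for u in ("http://malware.example/bad/page.html?x=1",
              "https://www.getpaint.net/index.html",
              "http://collider.example/some/path"):
        unsafe, expr, sent = check_url(u)
        print(u, "->", "UNSAFE" if unsafe else "ok", expr, f"{len(sent)} prefix(es) sent")
```

Real clients additionally cache returned full hashes with a server-supplied lifetime and batch several prefixes into one request, which further obscures which candidate triggered the lookup; the model above omits both. The download-reputation check quoted from the Mozilla design document is a separate, Windows-only code path and is not modelled here.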

