Hacker News
Google Ad Disguising Itself as www.gimp.org (reddit.com)
601 points by tosh on Oct 29, 2022 | 218 comments



In this particular case, I suspect a trademark complaint against Google would make sense.

Google misrepresented the ad as the product of the Gimp project, and were paid as a result. They usually use an "obeying the law would not scale" type argument in court, but that would clearly be bullshit in this case. They have a business relationship with the ad buyer, and should have verified their affiliation with gimp.org. Also, a simple string match on the URL would expose the attempted fraud on Google's end.

I'm not sure how to check if Gimp is a registered trademark in the US. This page kind of implies it might be (or that the author of the page does not understand trademarks):

https://www.gimp.org/about/selling.html


Having the actual url be completely different from the displayed url simply shouldn't be possible. Allowing that invites scams like these. At the very least, they need to be the same domain.


Redditor RawPacket writes[1] that it's probably an IDN homograph attack[2]:

  the g, i, m, or p are replaced with characters from a different character set. Looks right, but the domain is registered with a different character.
  
  Example: * gіmp.com is fake. * gimp.com is real.
  
  They look the same, don't they? But if you click on the fake gіmp.com, your browser will take you to the domain xn--gmp-jhd.com as it is using the і from the Cyrillic character set.
[1] https://old.reddit.com/r/GIMP/comments/ygbr4o/dangerous_goog...

[2] https://en.wikipedia.org/wiki/IDN_homograph_attack
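The homograph explanation above can be checked mechanically. The following is an added example, not code from the thread or from the GIMP project: it converts a hostname to the ASCII-compatible (`xn--`) form a resolver actually uses and flags labels that mix scripts, which is the usual signature of a lookalike domain. The sample hostnames are constructed here; `FAKE_HOST` uses U+0456 (Cyrillic small letter Byelorussian-Ukrainian i) in place of the Latin "i", and the script detection uses the first word of the Unicode character name as an approximation because `unicodedata` exposes no script property.

```python
import unicodedata

# Constructed sample hostnames for this example (not taken from the screenshots).
REAL_HOST = "gimp.com"
FAKE_HOST = "g\u0456mp.com"   # U+0456 CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I


def to_ace(hostname: str) -> str:
    """Return the ASCII-compatible encoding (xn-- form) of a hostname.

    This is the string a browser or resolver actually looks up; Python's
    built-in 'idna' codec applies nameprep and punycode per label.
    """
    return hostname.encode("idna").decode("ascii")


def label_scripts(label: str) -> set[str]:
    """Collect the scripts of the alphabetic characters in one DNS label.

    Approximation: the first word of the Unicode name ("LATIN", "CYRILLIC",
    "GREEK", ...). Digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(label: str) -> bool:
    """True if a single label mixes scripts, the classic homograph tell."""
    return len(label_scripts(label)) > 1


def homograph_report(hostname: str) -> dict:
    """Summarise what a reviewer would want to know about a displayed hostname."""
    labels = hostname.split(".")
    return {
        "display": hostname,
        "ace": to_ace(hostname),
        "is_idn": not hostname.isascii(),
        "mixed_script_labels": [lb for lb in labels if is_mixed_script(lb)],
    }


if __name__ == "__main__":
    for host in (REAL_HOST, FAKE_HOST):
        print(homograph_report(host))
```

Browsers apply a stricter version of the same idea (they fall back to showing the `xn--` form when a label mixes scripts), which is why the lookalike trick is less effective in the address bar than it used to be.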


For a moment I was thinking "But then the second screenshot would read 'xn--gmp-jhd.com', not 'gilimp.org'" -- but that would be easily hidden by making the former immediately redirect to the latter.

(Mostly I mention this because someone else might be thinking that as well.)


That's a good theory, but I don't think it's what happened here. The ads are gone for me now so I can't verify, but when I did get the ad I checked the network monitor and I'm pretty sure there were no redirects via lookalike domains. Also, I'm pretty sure I copy and pasted the display URL and it was plain ASCII.


Are different character sets allowed in urls? Because that too sounds like a massive mistake inviting these sort of scams. Sorry, but stick to ascii.


Modern browsers won't show those characters in the address bar, exactly to avoid this issue. Which is maybe why the ad points to gilimp.org instead of the gimp.org lookalike.


Yes! This is crazy to me. How can this not be a thing that has already been discovered and instantly fixed?


Many ad buyers are not-so-sophisticated...

They might work for BigCo, but rather than have the ad point to bigco.com/product they instead have the ad point to tinyurl/bitly so they can track how many people click the ad and repoint it to another URL easily.

There is a whole industry of these redirection services that gather stats, direct users different directions based on mobile/desktop or country. It isn't rare to bounce a user via a whole chain of them.

To support all those users, ad networks have to allow the apparent URL and actual link target to differ.


No, ad networks don't have to allow any of that. And they shouldn't. Ad buyers should either not track, or do it properly. Demanding massive security holes because you can't be bothered to learn the right way to do it is unreasonable.


If google gave a shit (obviously they don't) they could whitelist a few tinyurl/bitly/etc sites then follow those redirects themselves to verify they eventually landed on the displayed domain.
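The check proposed above (allow a few known redirectors, follow the chain, and confirm it ends on the displayed domain) is small enough to write out. This is an added example, not code from the thread or from any ad network: the redirect table, the hostnames (`gilimp.example`) and the allow-list of redirectors are all constructed for illustration, and `fetch` stands in for an HTTP request with automatic redirects disabled. Every hop is re-checked, so an open redirect on the displayed domain itself (the possibility raised elsewhere in this thread) that bounces to another site still fails the check.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for live HTTP responses:
# url -> (status code, Location header or None). Hostnames are illustrative.
FAKE_WEB = {
    "https://bit.ly/good-ad": (301, "https://www.gimp.org/downloads/"),
    "https://bit.ly/bad-ad": (301, "https://t.co/hop"),
    "https://t.co/hop": (302, "https://gilimp.example/"),
    "https://bit.ly/loop": (302, "https://bit.ly/loop"),
    # a hypothetical open redirect on the displayed domain itself
    "https://www.gimp.org/go?u=x": (302, "https://gilimp.example/"),
    "https://www.gimp.org/downloads/": (200, None),
    "https://gilimp.example/": (200, None),
}

# Redirect services an ad network might choose to tolerate (assumption).
ALLOWED_REDIRECTORS = {"bit.ly", "t.co", "tinyurl.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch(url: str):
    """Stand-in for an HTTP HEAD/GET with redirect-following disabled."""
    return FAKE_WEB.get(url, (404, None))


def registrable_domain(hostname: str) -> str:
    """Crude eTLD+1 (last two labels). Production code should consult the
    Public Suffix List; this is enough for the constructed sample above."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def verify_ad_destination(display_url: str, final_url: str, fetch=fetch, max_hops: int = 5):
    """Follow the ad's real link and check that it lands on the displayed domain.

    Returns (ok, reason). A hop is tolerated only when it originates from an
    allow-listed redirector or from the displayed domain itself, and the final
    200 response must come from the displayed domain.
    """
    expected = registrable_domain(urlsplit(display_url).hostname or "")
    url = final_url
    for hop in range(max_hops + 1):
        host = urlsplit(url).hostname or ""
        status, location = fetch(url)
        if status in REDIRECT_STATUSES and location:
            source = registrable_domain(host)
            if source not in ALLOWED_REDIRECTORS and source != expected:
                return False, f"redirect from non-allow-listed host {host}"
            url = location
            continue
        if status != 200:
            return False, f"landing page returned HTTP {status}"
        landed = registrable_domain(host)
        if landed != expected:
            return False, f"landed on {landed}, display URL says {expected}"
        return True, f"landed on {landed} after {hop} hop(s)"
    return False, "too many redirects"


if __name__ == "__main__":
    for link in ("https://bit.ly/good-ad", "https://bit.ly/bad-ad",
                 "https://bit.ly/loop", "https://www.gimp.org/go?u=x"):
        print(link, "->", verify_ad_destination("https://www.gimp.org/", link))
```

The bounded hop count doubles as loop protection; a real implementation would also need to re-run the check periodically, since a redirector's target can be changed after the ad is approved.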


It's a "feature". So you can link to blafoo.advertisinganalytics.com/weird-looking?tracking=link but what the user sees looks like a normal and "safe" brand.com


You should still somehow be able to prove ownership of the domain you want to display, that’s the problem.


> obeying the law would not scale

I don't know why, but that sentence terrifies me. It's like the silicon valley version of a dystopia.


> I don't know why, but that sentence terrifies me. It's like the silicon valley version of a dystopia.

because it is true.

We have seen the same pattern in copyright infringement handling, spam or fake news control, user support...


It may be true, but why a judge or jury would accept it as justification is beyond me. "My business model requires me to break the law." is a condemnation of the business model, not a justification.


The problem is that the legal system is flawed in such a way that the wronged parties rarely have the time & resources needed to actually put the issue in front of a judge. If it actually does get in front of a judge (in reality it would get settled out of court if it actually gets anywhere close) I would indeed expect their argument to fall apart.

This is something that ideally the government (its consumer protection branches like the FTC) should be policing proactively, filing suits preemptively against systems that are trivially exploitable.


Definitely agreed. I think it also stems from laws that define explicit and measurable harm as the only types of harm. For false advertising and fraud, it usually requires proving that there was financial harm done as the result of the false statements. Because creating an environment in which fraud is cheap and easy doesn't count as "harm". Because false advertising doesn't count as "harm" in itself, even as it imposes the burden of scrutinizing all claims from previously trustworthy sources.


Agreed -- there's also little recourse for many forms of online fraud, as there's no capacity for law-enforcement to investigate at scale.


Because if you tried to actually police this then everything in life would grind to a halt. It would be like expecting the government to deal with every single crime.

It's particularly problematic when a business is providing a platform for other entities to post a message. We don't hold the post office liable for transferring copyrighted/trademarked content, do we?


This case is more akin to a TV network, since the ad is publicly broadcasted based on what people are watching/reading. It’s not private correspondence.


It is the reason for the existence of the dmca.

Now I take a rather dim view of the dmca. But the general concept is to move enforcement of the law out of the normal slow bureaucratic channels. Now enforcement is handled directly by the injured party. Much more efficient.

If you immediately see how ripe for abuse this system is, congratulations: you are now more far-sighted than the originators of this system.

Now to its credit, the DMCA limits the enforcement (I think, I have never read the law) to a formalized version of "if you stop doing it we won't press charges"; however this is still widely abused.


Some laws were put into place before the current internet scale was imagined and would probably not be made today


Internet scale companies like Google happily embrace intellectual property laws when it's their IP on the line, they just don't care about anyone else's. And it's not an issue of "can't scale": Google's ad revenue is bigger than the entire GDP of Kentucky--they could literally hire 1% of the US population to work in fraud management and still turn a profit.


How would you manage a fraud department of 3 million people?


So it’s a valid defense to say complying with the law is hard, that’s why I didn’t?

Shouldn’t the right course be to change the law before taking such actions?


It's absolute BS. If a citizen were to come into a court and were to express the quantity of state and federal laws, those which compete with each other, and beg the court forgiveness based on, "There's so many laws I can't possibly be made to keep track of them not to mention the laws that are no longer actively exercised in courts" they'd laugh at you.

A corporation like Google does it and the court agrees. Corporations are not people in the worst way possible.


Which is also weird, because it is a far better reason for an individual than for a corporation. An individual is limited to their own time and expertise, whereas a corporation is only limited by their willingness to hire additional workers and expertise.


it depends on your lawyer and on your face/outfit really


Indeed. Saying: “Obeying the law doesn’t scale.” is an admission of guilt with pre-meditated intent to break the law. I keep hoping the courts will drive that point home at some point.


If you lead with the big ask, you frame the entire conversation around it. One should always start one's argument with question-begging, and disqualify people who don't accept the question begging as not serious about having a discussion.

"The laws are impossible to follow at scale. How do we fix that."

Or as a thinktank feeds it to a speechwriter to a politician: "Our antiquated laws have failed to keep up with the speed of technological development, and are now becoming an active handicap on progress. We need a set of laws that are as forward-thinking as our best selves hope to be, and a set of legislators that are responsive to the energy and creativity of the young while respecting the intelligence and hard-earned wisdom of the old."


If you tried to buy ads claiming to be Google.com but pointing to shadyweb.xyzjsiebsk.net you'd find out real quick that Google's legal ability scales just fine


I think politicians might even be willing to try to do that, but I doubt that regular people would be on board with that. This would most likely involve permitting a lot of things in society that we consider immoral right now (or at least objectionable to some extent).


Waiting for the law to change doesn't scale. Gotta be an asynchronous call. Just epoll the legislators.


I don't think "move fast, break things" meant the law, did it?


It's not uncommon to evaluate the value of enforcing the law. DAs do it all the time.


Of course that's not a valid defense.


Your business doesn't have an inherent right to scale


That's still the exact same dystopian take: complying with the law is too hard for Google so the law should change to the detriment of smaller entities.


Then your business is not actually scalable.


There is a whole genre related to this kind of dystopia: cyberpunk. Its predictions from the 1980s and 1990s turn out to be increasingly true, sometimes in the grim parts, too.


We are already living in a dystopia.


Google does not allow trademark infringement in ads [1] and provides tools for trademark owners to prevent their trademarks from being used improperly.

The issue here seems to be that the Gimp team does not have a registered trademark for "Gimp" (at least not in the U.S). This can be verified at the USPTO website [2].

[1] https://support.google.com/adspolicy/answer/6118

[2] https://www.uspto.gov/trademarks/search


All ad companies need to respect trademarks and allow opt-out of reserved terms as a first class feature.

It's disgusting that a competitor can buy an ad for your brand on Google, Apple, etc. and place their result before yours. This is especially harmful for new, up-and-coming companies.

I've had competitors buy ads in our name before. It's a shameful tactic.

It's beyond unfair when these monopoly-like ad companies spent hundreds of billions to co-opt the web and personal mobile computing and shackle us to this fate. It's the nightmare Microsoft and AOL once envisioned, yet now it's actually come to pass.

We already pay for domains and trademarks. We shouldn't have to keep paying protection money to defend ourselves when we're already having to jump through the platforms' obtuse rules and pay their outrageous taxes.

Trademarks should be sacred, and no company should be able to profit off of yours.


> “obeying the law would not scale”

I’d love to see them trying that one out in an EU courtroom


> Also, a simple string match on the URL would expose the attempted fraud on Google's end.

I feel like your general argument is proving too much: Google clearly indicated this is an Ad, and you couldn’t reasonably hold Google or any other publisher of ads responsible for every claim made in every ad. However, I agree that the domain part is troubling, and even seems like a potentially misleading representation by Google — I’m surprised you’re able to set this arbitrarily. However, as discussed in a thread below, maybe you can’t and this is exploiting an open redirect in gimp.org? I think some details would be needed before you can jump to assigning blame so quickly.


> and you couldn’t reasonably hold Google or any other publisher of ads responsible for every claim made in every ad.

Why not?


This simply ends advertising, and publishing generally. I’m not saying that gross negligence is okay, but I don’t think verifying every claim is a reasonable standard (it would be impossible).


> "obeying the law would not scale"

Then don't scale...


> "obeying the law would not scale"

How can anyone argue against blocking ads when this argument is used literally in court as explanation for why they are unable to police the ads they're putting on their own platform?


GIMP is not a registered trademark anywhere in the world. Unfortunately. Which made it possible for a number of scammers to be really bold (and be punished in the end, on one of the occasions).


How much money should they bring to successfully fight this case?


This is also a huge issue with Blender and pops up on /r/blender from time to time.

(Here's a few random recent examples: https://redd.it/xxkx5s https://redd.it/vvrxko https://redd.it/xwkky8 https://redd.it/vuqu1r)

Ad networks and content providers get up in arms over widespread ad blocking but then allow stuff like this through.


Turns out uBlock Origin is the best anti-malware software there is. For some reason friends and family just don't seem to get malware anymore after I installed it on their browsers.


As soon as you realize how much of Google's bottom line is scam and malware distribution, it becomes really hard to view the company as anything but crooks.

Google's other big line of business is shaking down businesses for cash by selling the top result for someone's own brand name unless they're paid for protection.


Even if ads were 100% legit verified links, they would still be scams. Advertising is inherently untrustworthy. Why do people trust anything a corporation says about their own products? In the best case scenario, they're highlighting the pros and omitting the cons. Usually they're just straight up lying.

I want real opinions written by real people with no conflict of interest. People who aren't getting paid by the corporation.


Advertising is not meant to be educational; it's meant to make you aware the product exists. Of course you don't have to trust what the company is saying, but now you know their product exists and what it does. If it was something you were looking for, you can now research it and ask for opinions.


Advertising is manipulative by its very nature. Being made aware that it exists is manipulative in a somewhat forgivable way, but often the words and message are intended to motivate people with various forms of emotional manipulation.

Advertising is pretty gross.

And maybe that wasn't always the case, and maybe it's also using advertising in place of another word, but that's where it's ended up in my understanding of the world.


To add,

It's become lifestyle sales: if you buy this, you'll be this. They use that technique just about everywhere now. Used to be just cars and fashion. Like someone else said, emotional manipulation, narcissistic [my add].

Most people don't think with logic, but with emotions, so they're easy targets. Which makes me sad, because frankly no one deserves to get scammed and lied to.

I'm the type of person to appreciate direct and frank discussion. Many don't like this, especially people having power ambitions.


Advertising is not meant to be educational, it's meant to make you aware the product exists.

That's maybe 10% of what advertising does. Everyone on the planet is well aware that Coke is a carbonated beverage.


> Advertising is not meant to be educational

And yet it tries to "educate" the public about why they should buy whatever product or service they're offering. Lies and half-truths are common.


In a post-Google world the purpose of advertising is to influence the internal associations someone has with a product or brand


I agree, but the fact that even if you hold the view that ads are beneficial to society, Google is still a bad actor and a net negative to all of us, is particularly noteworthy. We all pay for Google via folks paying ransoms and other scams, having to indirectly pay for high ad budgets every company has to pay off Google to avoid their own search result being squatted by a competitor, etc. There is no company on the planet that the world would benefit more from being shut down.


> shut down Google (paraphrased)

But the incentives for advertising remain the same, so another similar competitor with similar evilness would emerge to replace them.

I don’t believe the problem is “Google is evil”.

I think the problem is that the incentives create evil, and there is little effective effort (that I have seen) to fix Google’s incentives through legislation or other means.

I worry that many other major companies we interact with are heading down the same path.

TVs are one canary warning us.

Another example: Apple seems to be getting keener on advertising revenue, and I’m not sure that opposing incentives (within Apple or by their customers) are strong enough to overcome the financial temptation. That temptation leads to eventual sin (to use a religious metaphor!) Apple already commits egregious harm through many kinds of “free” apps.


10000% agreed


Why is this getting downvoted?


A large chunk of this websites user-base is working for ad companies like Google or Facebook. Another large chunk earns money from putting those ads on their apps.


Because it’s nonsense


Why?


[flagged]


> Linking to company websites so people looking to buy stuff that company makes can find it is a scam, because company websites are biased in favour of that company

This isn't a faithful interpretation of the argument. Most people don't use Google to look for things to buy. They use it to find accurate information.


Most people clicking on a link to a company website - ads or otherwise - do so because they want to hear what that company has to say about themselves and their products, not because their childlike grasp of the world makes them expect every result to provide utterly impartial information.


I wasn't even talking about paid links specifically. It's advertising in general that's the problem. Call me a child all you want, I don't care. The simple fact remains that they have an inherent conflict of interest. It's not an absurd argument at all. People who want to sell you something have every incentive to distort the truth and only fools believe them.


Arguing that advertising in general is bad is even more of a nonsense statement.


Yes. Please, people, stop believing their lies. Use your minds too. Don't just react.


I've had legit comments here downvoted too, probably some far right "activists" or corpo stooges doing stuff like that


Out of all legit things getting downvoted on this site you choose this one, a comment that is obviously just a low effort bait.


It's actually just my opinion. I'll even say it again: advertising is inherently untrustworthy, a nuisance and of negative value to society. I think it should be illegal.

If you think I'm trolling, report me. If dang tells me to stop, I will respect his decision. Don't accuse me of "baiting" otherwise. This isn't 4chan.


I would bet real money that a negligible amount of Google's bottom line is scam and malware distribution.


I am confident even Google fails to understand how much of their own business is scams and malware.


This is not merely rhetorical. Nvidia, for example, was caught hard during the first cryptocurrency bust... and the second.


Were they caught hard or did they have a relatively small oversupply after milking the demand for as long as possible?


What's nvidia and crypto mining hardware got to do with Advertising scams? Mining isn't a scam in itself.


Oh it gets worse: Google has the gall to position themselves as the authority on malware on the web [0], which they of course do with the same dedication to quality and support that they are known for in their other offerings. So they distribute malware themselves while defaming others with accusations of distributing malware.

[0] https://safebrowsing.google.com/


I haven't used Google Search in over four years but it sounds like they have followed the SourceForge path based on your description.


Pretty much, and worse


I put PiHole on a Raspberry Pi as the home's DNS and every time it blocks these links. I still click on them thinking they're taking me to the correct site, but then I realized PiHole "saved me". I configured my wife's computers to use the Pi too and she loves it.


uBlock makes it so that the links are not even displayed. You may be interested in https://github.com/Barre/privaxy


Yeah, blocking ads quickly became security improvement...


Always was. Does anyone remember the de facto original ad-blockers that pop-up blockers were? Firefox was marketed with this feature.

It is basically a condom for the Internet. It makes maintenance for family computers much easier.


> Does anyone remember the de facto original ad-blockers that pop-up blockers were?

I was using the Internet Junkbuster (and later: Privoxy) in the mid-90s, many years before that. https://web.archive.org/web/19961222061917/http://www.junkbu...

Of course, back then you could just disable JavaScript in your web browser to protect yourself from malicious sites and annoyances, and practically all sites would work perfectly fine.


But if you block pop-ups, that web page with Rick Astley's cool video popping up won't play.

/s



Isn’t this a violation of the first amendment in the same way that a politician blocking someone on Twitter is?


That's cute. You think the NSA and the CIA care about the constitution.


I think people are missing the actual issue here. Google used to have a clear distinction between what's an ad and what is organic.

In these screenshots you have to pay good attention to see the top result is an ad.

To keep their conversion numbers up they had to constantly reduce the difference between the ads and everything else. The fact that they can do this and we are so used to it that we don't first identify that as the culprit is quite interesting.

I have run a few Google ads in recent years and the people who come through them, some of them, clearly have no idea that they have clicked on an ad. This might be good for business but I think it does more harm overall.


I see people do that all the time - inadvertently click an ad because it's one of the first few results that pop up. Not only that, the number of ads shown before the real result has increased too! Just the other day, my boss did a Google search for a common product and was shown at least FIVE ads before the first real result and had to scroll to see that result. I remember the days when you would see one or two ads and the real result as the first thing you saw after a search, not seeing only ads until you scroll down.


It's not enough. I used to always skip the ad of the canonical site I was looking for to avoid incurring them a cost when I knew what I was searching for.

But it's often no longer possible. The actual search result you want is the ad and the link is no longer duplicated in the organic search results.

So you have to click the ad.


Do you have an example of this? I haven't seen it.

Disclosure: I work at Google but not on Search.


you also have the option to not use Google and use DuckDuckGo or Bing instead


> You also have the option to not use [ad-funded search engine #1] and use [ad-funded search engine #2] or [ad-funded search engine #3] instead.


they used to have a yellow background, then a blue button with a white "advertisement" text in it, and it just got more and more subtle over the years. Now it's two characters of text


On mobile, the text saying Ad is the same size and position as favicons for regular search results, too.


The actual issue for me is Google allowing an ad to say gimp.com that is not gimp.com. Even if you see it's an ad and are interested, you are now at risk on Google.


While this isn't the root issue it is definitely a major concern that should be addressed. It's deceptive by nature.


EDIT: There is definitely a mismatch between the display URL and the landing page URL. It's not clear to me how that can happen; for example https://www.youtube.com/watch?v=jx-gl6K2zQw shows that only the display path can be edited (not the domain), consistent with the wording on https://support.google.com/google-ads/answer/2616010 and https://support.google.com/google-ads/answer/2375287. On the other hand, https://support.google.com/adspolicy/answer/6368661 talks about destination mismatch as if it is technically possible and just forbidden by policy.

The ad's ID is DChcSEwiPvfuL-YX7AhVmkmYCHUXQC1wYABAAGgJzbQ (displayed when reporting it), the display URL is https://www.gimp.org/ and the final location after clicking the ad is https[:]//gilimp[.]org/ (with no intermediate redirects via gimp.org).

Update: The DNS records for gilimp.org have been deleted. Archived snapshot: https://web.archive.org/web/20221029152445/https://gilimp.or....

-------------

Original comment:

The Reddit user says the ad's display URL was different from landing page URL. If that's the case it is particularly concerning. I believe Google Ads only allows the advertiser to set the path component of the display URL, and takes the domain from the landing page (real) URL; so it's unclear how the mismatch could happen.

Maybe the Reddit user took the screenshot on a separate occasion from when they clicked the malicious link, and the ad changed in that time (currently I can see an ad for GIMP, and it links to the official domain, and the Twitter thread linked by @pmoriarty says the attacker is actively changing things). The only other explanation I can think of is that the official GIMP website has an open redirect vulnerability.


Yeah Google Ads lies about the destination URL, it always has. Which is why the correct choice is to consider Google Ad links malicious by default. There's actually no way to be sure where clicking them will send you, and tons of fraudsters have put scam ads with the official legit domain listed.

I've seen both Amazon and Best Buy URLs on scam ads.


The entire hijacking of URLs needs to stop. It is destroying the web. From Safari hiding the full path in the browser in the name of "minimalism" to AMP and all the other bullshit.

URLs are sacred. Please don't fuck with them. Please.


> From Safari hiding the full path in the browser in the name of "minimalism"

That was never the intent of hiding the path, it was and is to help users identify what a site’s domain actually is. To distinguish malicious sites with recognizable domain-like strings in/overlapping their paths as well as malicious sites with recognizable domains as subdomains. It’s not a panacea, but it’s effective. Chrome (and IIRC Firefox) also experimented with similar approaches before ultimately splitting the difference with higher contrast text for the domain.


This is possible with all advertiser platforms, they dont validate for your domain and will happily link to any domain.


Just to avoid no confusion, the issue here is that the URL displayed in the ad (and also when hovering over it) has a different domain from the page the user lands on when they actually click the ad. It's not about whether the advertiser owns the domain.


Assuming you meant "just to avoid any confusion" :)


I can't get the ad to show up for me, but maybe GIMP has an open redirect on their website and the malvertiser is taking advantage of that?


That's what I thought too, but I managed to get the malicious ad and confirmed that it's a destination mismatch in Google Ads rather than an open redirect (no requests to gimp.org in the network monitor).


I had to search for "gimp.org" to get the ad to be the first result; just searching "gimp" doesn't return the ad.

The scam ad says "gimp.org" but if you follow it, the landing page is hosted at gimp.monster. It's a clone of the proper gimp.org with the download instead pointing to who-knows-what .exe on Dropbox.

WHOIS gimp.monster has WHOIS-guard, but the Icelandic "privacy" address turns up a bunch of Reddit links about scam sites. Namecheap is the common thread, but that's hardly a lead.


You can just set any URL you want


Do you know how that can be done? Based on the video https://www.youtube.com/watch?v=jx-gl6K2zQw it looks like only the display path can be edited (not the domain).


You can’t set the domain. Just the path.


Have you run Google Ads before?


I run Google Ads for a living.


Update: It used to be possible to set the Display URL field to an arbitrary value, see for example https://www.youtube.com/watch?v=AQFR8eJlYxQ&t=100 (2015). Maybe it's still possible somehow.


Just tested, you can still see this Ad if you search for gimp!


I don't see any ad when I search for "gimp". Maybe it's only targeting Windows users?

edit: nevermind. I was being saved by ublock origin. Searching with it disabled shows the malicious ad.


IMO checksums more or less offer a false sense of security for users if they're stored/shared on the same page/domain as the download, since it'd be trivial for a bad actor to change them if the files are compromised.

With Linux Mint, for example, the attacker updated the checksums for the ISOs on the page when it was compromised https://www.infoworld.com/article/3036178/lesson-from-linux-...

I don't really have a solid solution to this, besides searching the checksum on google to see if it's listed anywhere else as a soft 3rd party check


OpenPGP signing keys have similar problems. Web of Trust is useless if you don't know any developers to begin with, dates on public keys can be forged, and false signatures can be forged by creating a large number of other false keys. False keys can be made more misleading using 32-bit short Key ID collisions (and don't blame OpenPGP for this; OpenPGP is notorious for its complexity but at least it tried, meanwhile alternative tools like OpenBSD's signify do not attempt to address this problem - these tools are of course simpler).

Surprisingly, I think no attacker has ever forged an OpenPGP signature in a real-world security incident, likely because there's a lack of overlap between crypto nerds and crackers.

Though, public keys do not change often and leave somewhat of an "audit trail". I usually search the key fingerprint on the web to see if it has been mentioned elsewhere as a quick check. Some projects store signing keys in an official upstream git repository. It's somewhat of a higher guarantee, but one can still create a false upstream page for phishing... But I guess it's too much of an effort so nobody has tried to do this, yet.

Thankfully, for distro users, it's only something for packagers to worry about; end users always receive verified packages via the distro package manager.


The big advantage of an OpenPGP signature over a checksum/hash is that you only have to verify the identity once. The identity can be used to verify the signatures of an unlimited number of files. That is as opposed to requiring each file to have a separate checksum/hash. Much more opportunity for deception on the smaller scale.

A perhaps less appreciated advantage is that in practice the identities are stored offline with each entity that will be verifying the signatures. So an attacker has to justify the use of the new identity to what would normally be a large number of entities. That might explain why that sort of attack is so rare.


Efficiency on scale instead of detail.

A hash method would quickly run out of disk space before it could be used to verify every single file. Hence hashed b-tree for xfs (or is it jfs? I forget), and stuff like that.

A verify once used many times method is more efficient on a large scale.

I'm no maths expert, heck, I don't even know calculus.


> Surprisingly, I think no attacker has ever forged an OpenPGP signature in a real-world security incident, likely because there's a lack of overlap between crypto nerds and crackers.

I suspect in the real world almost nobody validates PGP keys of software downloads manually. They might do it automatically (for example via a Linux package manager), which a fake key wouldn't fool. Thus, faking the key isn't necessary because 99% of users that could be fooled won't bother checking.


The 1% that do verify it would report the issue and alert others.


Checksums are meant to verify data integrity. Who ever said otherwise?


It doesn't matter, people still use checksums as a signal to verify if a download has been tampered with


> it'd be trivial for a bad actor to change them if the files are compromised.

But it's trivial for responsible members of an organization to set up a continuous, automated verification of the checksums listed on a web page. It wouldn't be practical to do that with the ISOs, directly.

Of course if the organization is lazy or incompetent, and chooses not to do so, then they have only themselves to blame. But if you fail to compare your downloaded files to the listed checksums, that's all on you.


> I don't really have a solid solution to this

My solution to this when designing Homebrew’s binary packages was to store the checksums for the binaries in Git but the binaries themselves elsewhere (inspired by Homebrew already storing source checksums in Git).

On Homebrew, therefore, you’d have to compromise both the binaries and the Git repository.

These are both nowadays on GitHub but the binaries in GitHub Packages are addressed by their checksum and the Git repository has a good audit log.


Put the checksums in a separate system such as the DNS. Use DNSSEC on your domains. Manage your DNS system as an isolated system (don't mix your HTTP/Email/Other stuff with your DNS provider). Now, users may verify the downloads you provide at your website by getting checksums from the DNS.

DANE may be of interest here as well:

https://www.infoblox.com/dns-security-resource-center/dns-se...
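The same-page checksum weakness raised at the top of this subthread, the suggestion to continuously re-verify the listed checksums, Homebrew's split of checksums (in git) from binaries (elsewhere) and the DNS/DNSSEC idea just above all come down to one check: the trusted digest has to come from a channel the attacker does not control together with the file. The following Python is an added example written for this thread, not code from any commenter, from Homebrew or from Linux Mint; the file contents, file name and SHA256SUMS-style listing are constructed, and the BASELINE dict stands in for whatever independent store (a git repo, a DNSSEC-signed TXT record, a packager's own copy) holds the release-time digests.

```python
import hashlib
import hmac
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a release artefact; not real ISO images.
GOOD_ISO = b"example ISO image contents, release 1.0\n"
EVIL_ISO = GOOD_ISO + b"<backdoor>"  # what the attacker swaps in

# Digests recorded at release time and kept in a system independent of the
# web server (git, DNS TXT, offline notes). Only the release process writes here.
BASELINE = {"project-1.0.iso": sha256_hex(GOOD_ISO)}


def format_sums(sums: dict) -> str:
    """Render a sha256sum-style listing: '<hex>  <name>' per line."""
    return "".join(f"{digest}  {name}\n" for name, digest in sums.items())


# The download page as the attacker rewrote it after swapping the file:
# internally consistent, which is why checking file-against-page passes.
TAMPERED_PAGE = format_sums({"project-1.0.iso": sha256_hex(EVIL_ISO)})

SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_sums(text: str) -> dict:
    """Parse a SHA256SUMS-style listing, tolerating the ' *' binary marker."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_download(name: str, data: bytes, trusted_sums: dict) -> bool:
    """True only if the file's digest matches the digest we trust for that name."""
    expected = trusted_sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def audit_listing(page_text: str, baseline: dict) -> list:
    """Names whose digest on the page differs from, or is missing from, the baseline.

    Run this on a schedule against the live page: it is the cheap monitor the
    thread asks for, and it catches a page rewritten to match swapped files.
    """
    listed = parse_sums(page_text)
    drift = [name for name, digest in listed.items() if baseline.get(name) != digest]
    drift += [name for name in baseline if name not in listed]
    return sorted(drift)
```

The case worth noting is the tampered one: verify_download(EVIL_ISO) against the digests parsed from TAMPERED_PAGE returns True, which is the false sense of security the first comment describes, while the same file against BASELINE fails and audit_listing flags the page. Which independent channel holds the baseline matters less than the fact that the web server cannot write to it.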


Is there any tooling around this?

In particular, it's crazy that I can't just stick a public key for my email address in the DNS record for my domain, and have email auto E2E encrypt to it.

(No, that wouldn't scale for gmail, but they could do a two level thing, where the gmail key signs the public key for each mailbox -- assuming people bothered to set up their own keys, or that gmail just silently opted them in to server side encryption.)


How does DNSSEC help here at all? We're talking about the security of checksums of data on pages. DNSSEC only addresses the name lookup.


That just makes DNS the single point of failure. If you own DNS, you can change the checksum and the download all at once.


Apparently the malicious ads are hidden when using uBlock [1]

[1] - https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...


That's precisely the reason why I use uBlock


Remind me why Google even allows ads in rank 1 on brand terms? I remember when "don't be evil" Google would talk about how ads are in a different color on the right sidebar.


Not only do they allow it, they actively encourage it. They tell businesses that it's really important to buy ad space on searches for your own brand name so that a competitor doesn't.

The way they say it really comes off like a protection racket. "Nice number one spot for searches for your brand name you have there, would be a shame if anything were to happen to it."

They make people feel better about it by giving a steep discount over normal ads, but that doesn't make it less of a racket.


Experienced this as someone doing ads for SMBs. The Google advisers call and after messing up the configs for your campaign (to your disadvantage, that is) they advise you to include your brand name as a keyword. No matter that 3 out of 3 top results are already for your company.


I noticed this on the App Store the other day. I searched for YouTube and the first result was TikTok.


> They tell businesses that it's really important to buy ad space on searches for your own brand name so that a competitor doesn't.

The term for this is "racketeering."


But if you have trademark for brand name you should be able to prevent others from using it, right? https://support.google.com/adspolicy/answer/2562124?hl=en


I don't think that someone could actually use your brand name and get away with it long-term (though, short-term, as the original post evidences, isn't guaranteed) but a competitor can absolutely buy ad space trying to steal your customers.

Like, if you search for "Nike" and Nike hasn't bought the branded ad space, you might get an ad for Adidas as the top result, with Nike's homepage the fourth item in the list.


Trademark law likely requires you to do so.


This is a particularly egregious case, I've never seen a fake domain slip through like that before.

However, I have reported dozens of phishing sites for the company I worked for. The phisher would simply buy ads for $BRANDNAME and create a convincingly similar site and phish users. I would report the website to "safebrowsing" and report the ad. Typically it would take 1 to 3 days for the website and/or ad to be removed, which would give them enough time to do countless damage. Then they would simply register a new domain, and repeat.

At some point the only thing you can do is outbid phishing sites for your own brandname?!

It's a shame google can not self-regulate such evil behavior, but it's clear that it should be illegal for google to allow people to buy ads on brandname searches.


Why is this allowed? I know Google will do anything for money, but why is Google allowed to signpost a link to gimp.org which actually takes you to g--imp.org (sanitised)?

I mean, if nothing else, how do they not share the liability for damages done by the spyware they're literally promoting? For the businesses squatting on the names of more notable ones? AdWords goes too far.


It's not allowed. It's a violation of Google advertiser policies.


The point is that Google should not be allowed to let those malicious ads through and be held accountable for the damages, both to the GIMP project in this case as well as to whoever may have clicked on the malicious link and installed the malware.


They turn a blind eye when it suits them such as the "misleading thumbnail" policy on YouTube that's never enforced.


It empirically is allowed, though. Google is welcome to claim that it's against their rules, but they still let it through.


Do you know how many they ban on a day to day basis? You don't see those, you only see the few that get through.


Ban? They shouldn't need to look for bad actors or ban anyone†, they just shouldn't let people spoof the domain on an advert. At all.

What's happening is Google would rather accept the cash up front and keep it if and when someone reports an ad. No forethought is given to people tricked by this.

† Obvious exception for unicode squatters but even they should be filtered out entirely automatically. Invisible or misleading characters in your domain should be automatically blocked.


I don't care how many they rejected, I care that they published more than zero.


I feel that what they meant was, why is this even possible to do


To see the OP without enabling javascript:

https://nitter.net/gimp_official/status/1586330082221510656


  > dig +short gimp.monster
  
  194.110.203.75
  
  > whois 194.110.203.75
  
  ...
  role:           IT Resheniya LLC
  nic-hdl:        ITR30-RIPE
  address:        ul. Novoselov, d. 8A, of. 692
  address:        193079 Saint Petersburg
  address:        Russia
  abuse-mailbox:  abuse@rentaserv.su
  ...


Rentaserv.su is a hosting company, there's probably dozens of websites on that IP.


Yes, Russian websites.


Does anyone have a copy of the exe?

Would love to poke it for research.

Edit: Here be dragons. Found a source: https://old.reddit.com/r/GIMP/comments/ygbr4o/dangerous_goog...


If anyone is mildly curious but doesn't want the actual EXE, here's the VirusTotal analysis:

https://www.virustotal.com/gui/file/acea176b67cb7c77dfd0780f...


That is a lot of red but don't be fooled - it doesn't actually say anything. Those are mostly generic machine-learning results which are prone to false positives which neither the AV vendors nor the operator of VirusTotal (surprise: it's Google again) care to do anything about.

Of course whoever went to the trouble to create the scam sites and ads probably also did modify the executables in some malicious way.


Happens for me. Ad says "gimp.org" but links to "gimp.monster". Reported.


Well, it just took me to "giipm.org", a remarkable 10 hours after this was originally posted. It shows "gimp.org" in the status bar when I highlight it with the mouse, but of course "copy link address" just gets a link going through www.googleadservices.com/pagead/ with some long hashes at the end.


It looks like the Dropbox file at least 404s now. IDK if that is the attacker bailing out or Dropbox actually doing something faster even though it arguably didn't do anything wrong. But Google, the enabler is still sitting on its hands.


I just tried it and now it is 'gilimp.org'

The site looks legit


What do you mean it looks legit?

You think "gilimp.org" is legit website for gimp??


I read that comment as "the site [does a convincing job of looking] legit". Hopefully it was just worded poorly!


Scammers also create ads with fake support contact phone numbers for businesses. People call the scammers and they act like the company and run their scam.

Google also allows many deceptive AdSense ads, I constantly have to block ads that run on my website that are nothing but a big "Download Now" button which lead to some malware.


Another variation is for scammers to update the number on google maps to their premium number. Calling it still forwards to the real call center. You can often spot people complaining about a free call to X org costing them hundreds of dollars in google reviews of the company.


Reported to Google, for whatever that's worth. Currently (12:42 Eastern, 29 October) the ad is #1 hit and links to www...giimp...org which further links to some very sketchy looking downloads off the discord CDN.

I've been using Bing for a year now. Not perfect, but 1) never seen something like this on it and 2) if Google feels less like an invincible monopolist, perhaps they'll have some incentive to provide an acceptable service.


How is it even possible to spoof the shown URL?


It's just a setting in Google AdWords. The display URL and target URL are not related. You can also play tricks like a "tracking URL template" that is a URL that can be on another domain and receives the "target URL" as a parameter. It is expected to redirect to the correct URL, of course nothing enforces this other than a manual review.

I can't believe that Google allows this but tracking is clearly more important to them than user security.


I don't have as much a problem with them hiding the display url, but what shocks me is how it also masks the URL in the status bar. If I can right-click and copy the correct URL, then why isn't Chrome* showing me that URL down below?

*Yeah, I know, I kind of answered my own question. So I guess it's rhetorical, and less shocking in retrospect.


They should not allow this. At the very least, the actual and the displayed url need to be on the same domain, and preferably the displayed url needs to be a substring of the actual url. That way they can still pass parameters for all sorts of statistics.
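The two checks proposed in this subthread, rejecting invisible or misleading characters in a domain automatically and requiring the displayed and actual URLs to share a domain, are both mechanical, and the homograph case from the Reddit thread (a Cyrillic і in "gіmp") is exactly what IDNA encoding surfaces. The following Python is an added example written for this thread, not code from any commenter or from Google Ads; check_ad assumes the landing URL passed in is the final URL after the click tracker's redirects have been resolved, and registrable_domain takes the last two labels because no public-suffix list is available offline, so it is right for .org/.com/.monster and wrong for suffixes like co.uk.

```python
import unicodedata
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Hostname of a URL. Ad display URLs are often bare hosts, so add a scheme if missing."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def to_ascii(host: str) -> str:
    """IDNA-encode so a lookalike glyph shows up as an xn-- label instead of hiding behind its shape."""
    return host.encode("idna").decode("ascii")


def registrable_domain(host: str) -> str:
    # Assumption: last two labels, since no public-suffix list is available offline.
    return ".".join(host.lower().split(".")[-2:])


def label_scripts(label: str) -> set:
    """Unicode scripts used by the letters of one label (digits and hyphens ignored)."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        scripts.add("LATIN" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def homograph_findings(host: str) -> list:
    """Flag labels that mix scripts or are non-ASCII, looking inside xn-- labels too."""
    findings = []
    for label in host.split("."):
        decoded = label.encode("ascii").decode("idna") if label.startswith("xn--") else label
        scripts = label_scripts(decoded)
        if len(scripts) > 1:
            findings.append(f"label {decoded!r} mixes scripts {sorted(scripts)}")
        if not label.isascii():
            findings.append(f"label {label!r} is not ASCII; it would be sent as {to_ascii(label)}")
    return findings


def check_ad(display_url: str, landing_url: str) -> list:
    """Reasons to reject the ad; an empty list means display and landing agree."""
    disp, land = hostname_of(display_url), hostname_of(landing_url)
    if not disp or not land:
        return ["missing hostname"]
    reasons = homograph_findings(disp) + homograph_findings(land)
    d, l = registrable_domain(to_ascii(disp)), registrable_domain(to_ascii(land))
    if d != l:
        reasons.append(f"display domain {d} does not match landing domain {l}")
    return reasons
```

With the ad from this thread, check_ad("www.gimp.org", "https://gimp.monster/") and check_ad("www.gimp.org", "https://gilimp.org/") are both rejected on the domain comparison alone, and a display URL of "gіmp.org" with the Cyrillic і is rejected before any comparison because the label mixes Latin and Cyrillic. A tracking template that redirects elsewhere is caught only if the landing URL given here is the real final destination, which is why the redirect chain has to be followed first.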


Of course it is, they live off ads.


Kind of wild they don't require domain ownership proof in this case though, if I'm displaying one domain but actually linking to another, I should need to prove I own the original domain


Yes, but people don't come to Google for ads, so they need to balance the benefits and harm to the users to avoid losing the traffic.


Pay Google money, and they'll let you do all sorts of things you're not supposed to do.


Please use old.reddit.com when linking from HN :(

Maybe dang could even make it an automatic redirect?


For anyone who actually wants the issue resolved and help innocent people -- Report the ad. Click the 3 little dots.


It would be quicker to make ad platforms and ad presenters liable for damages, and pay for fees and fines.

Old school ads only threatened to stink up the room with the scratch and sniffs....


This has been happening to a smaller project I am affiliated with for years. You can report it to Google - typically they ignore the reports. Occasionally they'll remove the offending ad, but they are just replaced with more ads the following day. I don't think it's preventable.


It is with a trademark lawsuit. You don't need to fight, you just need to file the lawsuit.


> a smaller project

Filing a lawsuit is not something within reach of most smaller projects.


If it says gimp.org it should go there and nowhere else.

Or at least validate ownership of the target domain.


This is outrageous. We need to find a way to stop Google. Google invades our privacy. Google holds us hostages for more money. Now this? When is enough is enough?


As outrageous as a site having a leak or being hacked. As for what someone can do. It's simple. Don't use Google.


Easier said than done. It seems like 40 percent of sites or better use some sort of Google service. Even if you aren't 'using' Google, you are being used by Google.


Yeah, that's true. But you cannot do much about what a site decides to use. Maybe block every connection to Google servers which may break them. Can also stop using those sites as a protest.


One of the big problems here is when you cut out the big tech abusers you find out how hollow the internet has become.


Not using google doesn’t mean they aren’t using you. Kind of like the mafia.




I was able to find this by searching for 'gimp download', and the gimp.org displayed ad redirected to 'gimp dot monster' and looked pretty good otherwise.

This is amazingly frustrating because I've wasted weeks of my life trying to deal with how google usually makes this impossible.


Similar situation with Brave browser from a year ago: https://therecord.media/google-shuts-down-malicious-ad-posin...


Ad-blocking just shows how "the digital naive divide" evolved without them.

I can't say enough nice things about gl.inet devices and switched to a cellular model when ad-blocking on a 4G iPad was too much trouble.

I originally set up a Spitz gl-x750v2 and removed the ec25-af LTE module and put it in an external enclosure, and moved it between better spec'd gl.inet routers to run AdGuard Home.

"Halt" is a good browser on iOS to block all YT ads, but a portable router works well with a dedicated SIM or tethering a phone.

Ads are soooooo 1980's TV :p


Not to defend Google but this has been against Ad Words terms for as long as I can remember. It’s surprising they found a way to evade auto detection for this.


> against Ad Words terms

Oh great, they'll get their account closed and need to make another one to continue scamming people.

How about Google fixes this by displaying the URL that the ad actually goes to?

Of course they don't want to do this because the URL with all of the tracking parameters looks ugly and it would hurt conversion rates. $$$ > user safety.


It's kind of crazy when they could just extract the domain name, or provide options for how much of the url you want (domain? subdomain? path? ...)


But then it's not AMP!


Terms is just a document Google uses to absolve itself of all responsibility. Look! On this document nobody really reads it says we don't allow this. See? Not our fault that our advertising platform linked you to malware or to scam websites.

The proper response is of course to ignore their excuses and block all advertising unconditionally.


> Most marketing URLs have those long ugly URLs to tell the advertiser what campaign/source etc. you clicked on. So Google lets the advertiser display a fake URL for ads.

I expected Google Search ads to be above this. But in retrospect I shouldn't be surprised that ads would lie to you.


Going to www.gimp.org and attempting to render that webpage immediately crashes my entire X.org desktop.


People still haven't figured out to never click anything in that top ad section in search results?


Obviously not, and nobody should have to learn that. Let's fight against fraud and deception and don't normalize them.


Those that have also figured that ad block is essential nowadays.


Some queries return like 75% ads


Many years ago I found something similar with Firefox. I notified them (they had a legal category for bug reports, if I recall correctly), and they dealt with it quickly.

It's really important to report things like this to the developers and owners of the software.


Twitter similarly is full of ads/phishing attacks disguising as some other brands, banks etc.

I've reported dozens, yet they never finish coming at me.


Yeah, part of Google worship has created common misconceptions like that things that appear in its automatic index are the true answer to whatever question you have in mind (computers can't read minds). "This is the official link for some product" being only one possible question. Then there's also the fact that a search engine cannot know the answer to "this is the right link for this software". I miss when search engines were just grep for the web and didn't pretend to be something more.

This is a good example of how chicken shit design leads to security vulnerabilities. Google probably lets the user post one link and make it lead somewhere else when you click it, as a "UX" feature. In reality it makes phishing much easier. This could have been avoided by not being a chicken shit and making links behave as one would expect, at the cost of 1% of use cases no longer working. The whole idea of treating URLs as a UX object is a misconception anyway, URLs should be opaque bit strings.


> a search engine cannot know the answer to "this is the right link for this software"

You would think keeping a curated list of well-known software projects (and others) would be low-hanging fruit. Instead, it is apparently better to throw money into complicated systems... that can't even catch the most basic form of linkjacking.

> this is a good example of how chicken shit design leads to security vulnerabilities. google probably lets the user post one link and make it lead somewhere else when you click it, as a "UX" feature.

I have always found a bit of subtle arrogance in this kind of thought process. It's like they've never bothered learning the basic functions of the web and how it is meant to work and think they know better than the original creators.


> and think they know better than the original creators.

This. Gmail freely warps the email standards when they feel like it. If AMP is a "standard" (I haven't checked) it's a standard that only Goo uses.


There needs to be better enforcement on preventing scam websites.


Nothing new, the same thing happens with crypto searches.

The solution is to install an adblocker on every device.


It never ceases to amaze me that people will read something like this article and just assume it's correct.

Put on your thinking caps and play the game. What else could be going on here?


It never ceases to amaze me that people will read something like this article or comment and just assume Google is correct.



