Lively: Google Creates Something Terrible
Link spoofing in ads
[quote name="Rafiki"]You know how when you hover over a link it will show you the target in the status bar? Google Ads have a feature where they allow advertisers to display a "friendly" link instead of the actual target (a redirect link so you can be tracked for analytics). Scammers managed to hijack some ads and used this "feature" as part of tricking people into continuing to their malware site. <a href="https://security.stackexchange.com/questions/161071/how-did-tech-supportcenter-phishers-trick-google">You can read the technical details here.</a> I'm glad I never clicked on actual ad links in the first place.

[quote name="question"]I've always thought you can "hover" over a link to see where it really goes, until today. A coworker (working from home) searched for "Target" in Google Search (using Edge). He clicked the top result, which happened to be an ad, and was redirected to a phishing page posing as Microsoft trying to get him to call a "tech support" number. I got the same results on a different computer, on a different network. When I hover over the link, both links show "www.target.com" at the bottom, but clicking the ad link takes you to a malware page and the second link (first search result after the ad) takes you to the real Target.com page.

If displaying the wrong URL in the tooltip requires JavaScript, how did tech-supportcenter get their JavaScript onto the Google search results page?[/quote]

[quote name="answer"]The scammers did not manage to inject JS into the search results. That would be a cross-site scripting attack with much different security implications than misleading advertisement. Rather, the displayed target URL of a Google ad is not reliable and may conceal the actual destination as well as a chain of cross-domain redirects. The scammers possibly compromised a third-party advertiser and hijacked their redirects to lead you to the scam site. Masking link targets is a deliberate feature of Google AdWords.

It is generally possible to specify a custom display URL for an ad link which can be different from the effective final URL. The idea is to enable redirects through trackers and proxy domains while keeping short and descriptive links. Hovering over an ad will only reveal the display URL in the status bar, not the real destination.[/quote][/quote]
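The quoted answer's practical point is that the status bar shows the display URL, while the click URL may pass through a chain of cross-domain redirects before landing somewhere else. The script below is an added example, not part of the original post or of the Stack Exchange answer: it follows a click URL hop by hop without letting the HTTP library auto-follow, records every Location header, counts hops that cross from one site to another, and compares the final landing site with the display URL. The ad-network, tracker and scam host names in it are hypothetical, and the responses in CONSTRUCTED_CHAIN are constructed so the script runs offline; only www.target.com comes from the thread. To trace a real link, pass http_fetch instead of mock_fetch.

```python
"""Reveal the redirect chain hidden behind a masked ad link.

Added example, not code from the original post. All hosts other than
www.target.com are hypothetical, and CONSTRUCTED_CHAIN is made-up data.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def http_fetch(url, timeout=10):
    """Fetch one URL WITHOUT following redirects; return (status, headers).

    http.client is used directly because urllib.request follows 3xx
    responses on its own, which would hide the intermediate hops.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers={"User-Agent": "redirect-tracer/1.0"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def follow_redirects(url, fetch, max_hops=10):
    """Return the ordered list of URLs visited, starting with `url`.

    Stops at the first non-redirect response. Raises RuntimeError on a
    redirect loop, a 3xx without Location, or more than `max_hops` hops.
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_STATUSES:
            return chain
        location = headers.get("location")
        if not location:
            raise RuntimeError(f"{status} without Location at {chain[-1]}")
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise RuntimeError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects from {url}")


def site(url):
    """Crude registrable-domain guess: the last two host labels.

    Simplification: no Public Suffix List, so multi-label suffixes such
    as .co.uk are misjudged. Sufficient to flag hops between unrelated sites.
    """
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def audit_ad_link(display_url, click_url, fetch):
    """Compare what the status bar shows with where the click really lands."""
    chain = follow_redirects(click_url, fetch)
    cross = sum(1 for a, b in zip(chain, chain[1:]) if site(a) != site(b))
    return {
        "display_site": site(display_url),
        "final_url": chain[-1],
        "final_site": site(chain[-1]),
        "hops": len(chain) - 1,
        "cross_domain_hops": cross,
        "mismatch": site(display_url) != site(chain[-1]),
    }


# Constructed responses standing in for an ad-click redirect chain.
# Hypothetical hosts; the second hop uses a relative Location on purpose.
CONSTRUCTED_CHAIN = {
    "https://clicks.adnetwork.example/aclk?id=42":
        (302, {"location": "https://t.tracker-proxy.example/r/42"}),
    "https://t.tracker-proxy.example/r/42":
        (302, {"location": "/hop2"}),
    "https://t.tracker-proxy.example/hop2":
        (301, {"location": "https://support-alert.example.org/warning.html"}),
    "https://support-alert.example.org/warning.html":
        (200, {"content-type": "text/html"}),
}


def mock_fetch(url):
    """Offline stand-in for http_fetch backed by CONSTRUCTED_CHAIN."""
    return CONSTRUCTED_CHAIN[url]


if __name__ == "__main__":
    report = audit_ad_link("https://www.target.com/",
                           "https://clicks.adnetwork.example/aclk?id=42",
                           mock_fetch)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed data, the display site is target.com while the click lands on example.org after three hops, two of which cross sites; that mismatch is exactly what hovering cannot show. With http_fetch the same audit works on a live link, subject to the caveat that a tracker may serve different redirects depending on User-Agent, referrer or geography, so a clean trace from one vantage point does not prove the ad is clean for everyone.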