News flash folks, Google AdWords is not perfect and can be exploited. There are times when people can go into the AdWords system and trick Google into serving up ads for phishing sites and malware downloads. Yes, this happens and happens often enough.
I am not trying to defend Google but they probably automatically approve tens of thousands of ads daily. There is always a possibility of someone getting through the system. Let me share two examples.
WebSense reported Google was serving up an AdWords ad for a site that was having users download malicious software. The software was disguised as the WinRAR application and was showing up for a keyword search on winrar. WebSense goes through the details of how this specific application infected a computer.
The second case was sent to me by a reader this weekend. She showed me how a search for adwords, yes, Google’s own trademarked product, was returning an ad at the top promotion spot that was disguised as the AdWords login page. Yes, this page was a phishing page, used to capture the username and password of unsuspecting AdWords advertisers. You were taken from the ad to a site that looks exactly like the true AdWords login page; once you submitted your username and password, it would redirect you to the true AdWords login page. But the redirect would only happen after the phishing site had already stolen your login credentials.
Here is a picture of the ad:
And it led to ad-wordsgoogle.com, which is no longer live.
I notified Google and it was removed a few hours later. I didn’t blog about it then because, like I said above, “AdWords isn’t perfect” and they make mistakes.
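A check a defender could run over ad destination URLs to catch lookalike hosts such as ad-wordsgoogle.com, as an added example that is not part of the original post. The trusted-domain list, the brand tokens and the sample URLs other than that host are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: genuine sign-in pages live under these domains only.
TRUSTED_DOMAINS = {"google.com"}
# Assumption: brand words that are suspicious inside any other host name.
BRAND_TOKENS = ("adwords", "google")


def host_of(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted(host):
    """True when host is a trusted domain or a real subdomain of one."""
    # The leading dot matters: 'ad-wordsgoogle.com' ends with 'google.com'
    # but is not a subdomain of it.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_landing_url(url):
    """Return 'trusted', 'lookalike' or 'unrelated' for an ad destination."""
    host = host_of(url)
    if not host:
        return "unrelated"
    if is_trusted(host):
        return "trusted"
    # Drop separators so 'ad-words' still matches the token 'adwords'.
    squashed = host.replace("-", "").replace(".", "")
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample destinations; only the first host is from the post.
    for sample in (
        "http://ad-wordsgoogle.com/",
        "https://adwords.google.com/select/Login",
        "adwords.google.com.example.net/login",
        "http://www.example.org/winrar",
    ):
        print(f"{classify_landing_url(sample):10} {sample}")
```

The check compares host names only, so it does not cover homoglyph (IDN) hosts or a page that is itself hosted on a trusted domain.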