AdWords Accounts Hacked
A user-side breach of security occurred on AdWords accounts in April 2007. Somehow, a malicious file was installed on users' systems. This file was used to steal the users' AdWords passwords and gain access to their accounts. The program then set up ads that changed the users' AdWords campaigns. Most notably, the changes included setting up links that would install a post logger, a type of malware, on the computer of anyone who clicked the link. The malicious program also modified credit card information and prevented the users' computers from accessing AdWords to see all of the changes on their accounts.
Roger Thompson of Exploit Prevention Labs points out that the hackers took advantage of the lack of a URL preview on Google's sponsored results. Meaning, if users hover over a sponsored result link, a preview of the address is not shown in the user's browser. See Thompson's screen shot for an visual explanation. A lack of this feature means that users have no idea where the links will actually take them, leaving them vulnerable to visiting Web sites with malicious code.
Google responded to the attack by reporting that they had canceled the accounts that were compromised and assured users that they were taking the steps necessary to keep something like this from happening again. Google also encouraged users to keep their computer's security up to date as the vulnerability was only successful because victims had not incorporated recent patches into their Internet Explorer browsers.
