Malicious software targets Google AdSense ads

It was only a matter of time before a trojan or virus targeted AdSense or YPM for malicious activity, and the time has come. A new trojan horse discovered by an Indian publisher replaces Google AdSense ads with their own ads, advertising sites including dating, sex, viagra and weight loss. This trojan is very recent, because it not only converts regular AdSense ad units, but also the Google AdSense and Firefox referrer buttons into text links. reports that a new, deceptive Trojan Horse program has surfaced. The program is engineered to produce fake Google ads that are formatted to look like legitimate ones. The ads are incorporated in Google AdSense, the program that lets website owners display ads from Google’s list of advertisers. The Trojan Horse apparently downloads itself onto an unsuspecting computer through a web page and then replaces the original ads with its own set of malicious ads.

Techshout, which broke the story and also has quotes from Raoul Bangera who discovered the new trojan, does not reveal the website that the computer was originally infected from, nor the name of the trojan horse. A quick scan of several security sites does not have any details on this particular threat. However, there have been previous cases of spyware which would overwrite AdSense ads.

The Google AdSense team did not confirm it was specifically a trojan, but did state they believed it was malicious software that Bangera had discovered.

Since the Trojan Horse makes the deceptive ads look like normal Google ads, the program was nearly impossible to detect by the general public. However, Raoul Bangera, an Indian web publisher, discovered the bogus program and contacted the Google AdSense team. Bangera emailed the team a number of cases, including various screenshots, log files of an infected computer and system files as proof. The AdSense team validated the news saying, “We can confirm from the screenshots that these are fake Google ads, formatted to look like legitimate ads. We agree that this phenomenon is likely the result of malicious software installed on your computer.”

There was no mention if YPN or other contextual ads on websites were being overwritten with this as well.

The ad units themselves look extremely similar to regular AdSense ad units, complete with the “Ads by Google”, which has replaced the “Ads by Goooooogle” which appears on the majority of regular publisher sites. And looking at the screenshots available at techshout, it appears that it even utilizes the site’s own ad unit color theme when it overrides the ads with their own.

More details should emerge over the next few days, particularly how widespread this threat actually is, or if it is a more isolated threat infecting few users. And a note to surfers that if you see types of ads (such as adult ads) appearing in AdSense ad units – that are even branded as Ads by Google – that you could be a victim of this malicious software and that Google isn’t actually serving up these types of ads to you.

Share this with others!
  • Twitter
  • Digg
  • Sphinn
  • StumbleUpon
  • Reddit
  • Technorati
  • Mixx
  • Google Bookmarks
  • Facebook

14 comments to Malicious software targets Google AdSense ads

  • Google AdSense Trojan

    Here’s another Trojan that rakes in cash for those behind it – this one replaces Google AdSense ads that are displayed in the browser on affected machines with ads that generate revenue for those who released the Trojan.
    If you start seeing adu…

  • St

    It should be noted that it only affects the infected users. It does not modify the pages on the website. Uninfected people will see the ads properly. Using an updated anti-virus and Firefox are good measures to prevent these.

  • Trojan targeting Adsense ads

    Struggling to make a living from Adsense revenues? looks like things are going to get a bit harder with Jensense reporting the emergence of the first Trojan that hijacks your Adsense ads inline with ads for other services, and with the user probably be…

  • Adsense Revenue

    I promised myself that the first one hundred dollars (and the subsequent earnings too) that I get will go to one of the following organizations that I support:

  • TLB

    But, why? If these aren’t real adsense ads, then they aren’t making money from google. If they’re viagra ads, and they’re able to install software on the user’s computer, why not just take over their browser and send them to the viagra site in the first place?

  • Great… Trojan Horse Targets Adsense Ads

    …replacing them with ads of the hacker’s choosing. Just when I put the stupid things up….

  • Sending them to a viagra page by default would not have the same conversion as it would be if they were going there by choice.

    More, this kind of trojan is supposed to stay under the radar for a longer time, before the user actually realises that his computer is compomised.

  • Malicious software targets Google AdSense ads

    It was only a matter of time before a trojan or virus targeted AdSense or YPM for malicious activity, and the time has come. A new trojan horse discovered by an Indian publisher replaces Google AdSense ads with their own ads…

  • JK

    i think it is some competitors stunt

  • TLB

    Well, not to give anyone any ideas or anything, but if the first time someone went to a site they inserted a Salon-style full page ad – not from the site they were visiting but made to look like it – or otherwise made a big bright ad as opposed to just a little adsense-style ad I think that might have a higher conversion simply because the user was seeing a bigger, more detailed ad more often.

  • bryan taylor

    Is there a fix for this problem? I noticed this in my e-mail and on the guestt page of our church website that I do.

  • […] Check for blog spam Never got around to getting your Akismet API key? Do it now. Sure, if your blog is new, maybe you have been fortunate enough to only get a handful of spam comments and/or trackbacks on your blog, just enough that you can easily handle it in simple comment moderation. But trust me, there will be a tipping point when the slow trickle will become a flood. Has the flood already hit and you are knee deep in masses of comments awaiting moderation that you are certain legitimate ones are caught up in? Once the key is added, there will be a link to recheck the queue for spam and it will remove the bulk of spam. Think some blog spam might have slipped through unnoticed? Do a search within your WordPress comments tab, because it will search for keywords not only in the text but in the URLs as well. So do a search for the usual suspects of keywords such as poker, holdem, viagra, cialis, mortgage, loans, debt, payday, xanax, phentermine. That said, don’t go and delete all comments with those keywords without reading them first… they could be completely legitimate comments that are using one of those words for a legitimate reason. […]

  • […] Google will not allow advertisers with adult content period. Its against policy. You are seeing those ads because your computer is infected with spyware and or a virus. Malicious software targets Google AdSense ads | JenSense […]