The ads are incorporated in Google AdSense, the program that allows website owners to display ads from Google’s list of advertisers. The Trojan Horse downloads itself onto an unsuspecting computer through a webpage and then replaces the original ads with its own set of malicious ads.
The program is nearly impossible to detect by the general public. However, Raoul Bangera, an Indian web publisher, discovered the bogus program and contacted the Google AdSense team. Bangera emailed the team a number of cases, including various screenshots and log and system files of an infected computer, which Google validated.
“We can confirm from the screenshots that these are fake Google ads, formatted to look like legitimate ads,” the team wrote to Bangera. “We agree that this phenomenon is likely the result of malicious software installed on your computer.”
Specifically, after a user has clicked an ad, the malicious software forwards the user to three different sites consecutively, landing the user on a page with a bevy of ads and links to additional ads. Consequently, true advertisers and publishers with Google are deprived of potential revenue. Bangera said most of the ads he was redirected to referred to gambling and adult content, leading to his initial suspicion as Google AdSense bans such content.
“There is a bug in the Trojan Horse which converts Google and Firefox referral graphic buttons into text links,” Bangera said. “Contrary to the normal Google ads, which have some correlation to the content on the web page, these malicious ads had no content that was remotely similar to the pages to which they had been attached.”
Bangera also said he noticed that the Google AdLink Ads and its premium publishers have remained unaffected by the malicious software, which seemingly attacks smaller publishers in AdSense.
Previously, in January, malicious code was installed on computers visiting Google AdSense after Google removed various ads.
Google is reportedly currently working to fix the vulnerability.