
Disclaimer:
While I authored this paper a few years ago, you can still find fraudulent ads everywhere in Google’s Search, with many that are often shown first. As a self-described fanboy of Google, I had no intention of being negative against the company, but as I scanned through this paper to check for any updates that I needed to make, I realized that many of the problems I originally discussed had not been solved yet.
Abstract
From 2016 to 2017, Google saw the number of ads embedded with malware double (Shankland, 2018); while Google managed to block 79 million of these, there are always those who sneak by and go unnoticed. Some attackers even leveraged Google advertising products themselves, such as the Google AdSense Scam (smallbusiness.com, 2017). Critics accuse Google of being complicit, and of happily charging advertisers for ad views that Google’s own fraud security system has identified as being committed by bots.
Google counters that it is working hard to do better and live up to its former motto, “Don’t be evil.” Per Google’s Director of Sustainable Ads, the company removed over 3 billion policy-breaking ads in 2017 (Shankland, 2018). Google is also cracking down on certain fraud-prone industries; this includes advertisements for risky financial products and cryptocurrencies. Certain advertisers will have to be accredited by Google, which will require proof of licensure, compliance with Google Ad policies, and adherence to US/local law (Google, 2018).
Introduction
No paywall greets the user when they enter the World Wide Web; this is nothing short of a miracle and can only exist thanks to web-based advertising (Spencer, 2018). Google has one of the largest ad ecosystems on the Internet. Per Consumer Watchdog, 90% of Google’s revenue came from its AdWords service. Google recognizes the power/importance of its ad ecosystem and runs a robust quality assurance campaign to shut down malvertising. In 2017, they blocked 79 million ads, removed over 114 million ads, and cut ties with 320,000 of the ads’ publishers for bad practices including “cloaking violations”. A cloaking violation is where an advertisement is disguised with a click-bait celebrity headline (Spencer, 2018).
Google is constantly updating its policies to stay ahead of the newest schemes and scams (Spencer, 2018). However, its adherence to these standards is up for debate. In the recent past, Google has partnered with some arguably evil advertising campaigns like mortgage modification scams and has been rumored to accept profits from the misdeeds of bots. This post will discuss the ways that white-collar criminals use Google for nefarious ends and summarize Google’s efforts to block them.
Mortgage Modification Scams:
In 2011, the Office of the Inspector General of the Troubled Asset Relief Program (SIGTARP) uncovered 85 mortgage modification scams that were advertised via Google. After the mortgage crisis of 2008, the modification industry proliferated, and companies paid top dollar to Google for ad space. The pay structure entitles Google to a payment for every click on the ad. Circa 2011, that payment for appearing in the results of a “stop foreclosure” search was $8.29 per click, with an average of 74,000 searches and potential clicks per month. During that same period, “loan modification” received 301,000 searches monthly (Consumer Watchdog, 2011).
Scammers took advantage of this market in multiple ways: some created fake mortgage modification companies that posed as regulatory agencies; some claimed that President Obama or a major news network endorsed their mortgage repair services; and some falsely claimed to be nonprofits. It is worth noting that a 1952 Appeals court ruling found that falsely implying a government affiliation can legally qualify as “deception” and lead to legal action. The FTC invoked the precedent set in this case against MakingHomeAffordable.gov, which posed as a government entity but was selling inquirers’ data to mortgage modification companies (Consumer Watchdog, 2011).
During a 2010 Consumer Watchdog investigation into mortgage modification ads that appeared on Google, they found numerous scams that motivated them to write a white paper documenting Google’s failure to provide adequate oversight of its ads. Examples of scams included companies using fake VeriSign security logos. Two of the examined companies had already been shut down by the FTC yet were still buying and receiving advertisement space on Google.
See the table below for a further sampling of the fraudulent results Consumer Watchdog encountered in 2010 when Googling “stop foreclosure” or “mortgage modification”:
| Website | Fraud |
| ObamaHelpForeclosure.com | Not associated with the government; associated with a convicted telemarketing fraudster |
| http://www.fedmortgageloans.com | Not associated with the US government; obtained personal data which was then sold to a for-profit company in UT |
| http://www.stopforeclosurequick.org | Claimed to be associated with two fake nonprofits |
| http://www.freeloanmodinfo.net | Makes false guarantees; has retained payment for services never rendered |
| http://www.usmortgagebailout.com | Falsely claimed to be licensed; falsely presented as a nonprofit |
Per Consumer Watchdog’s white paper on the subject, the Federal Trade Commission (FTC) considers fraud endemic within the mortgage modification sector. The problem was so bad that the FTC launched Operation Stolen Hope to protect desperate consumers. As of 2011, they’d brought legal action against over 25% of the mortgage modification companies. Consumer Watchdog posited that Google was aware of the deceptive advertising the mortgage scams engaged in, but blithely accepted their advertising dollars anyway. The non-profit group called on Google to donate the revenue to homeowners in need (Marketing Weekly News, 2011).
The Lanham Act makes media companies responsible for the content of their ads and provides injunctive relief to consumers when and if the media companies fail to do so (Consumer Watchdog, 2011). In keeping with this federal regulation, Google has an ad policy that should prohibit them from accepting deceptive advertising campaigns. However, Consumer Watchdog alleges that Google “typically” refused advertisers of the mortgage modification sector only after they’d been sued by a federal regulatory agency (Consumer Watchdog, 2011).
Another issue is that of bots. The Times conducted a study that validated claims of Google charging advertisers for bot views of ads on YouTube videos despite being alerted by their fraud detection system (Dean, 2015). Google must do better if it hopes to maintain its credibility – and per Jeff Sauer of Data Driven, Google has been making an effort to better filter spam bot views in its Google Analytics via its black-box solution. Users can go to Google Analytics and check “Exclude all hits from known bots and spiders” under settings, though in Sauer’s experience, this is only effective 60% of the time (Sauer, 2020). Bot traffic can be identified by its session brevity and originating locations being “not set”. However, this solution only purifies the Google Analytics data stream and leaves the charges for bot views of ads intact.
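The two signals described above, a brief session and a location of “not set”, can be checked against an exported list of sessions and rolled up per traffic source. This is an added example, not code from Sauer or Google; the column names, the 3-second cutoff, the 50% share and the sample rows are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a per-session analytics export (not real data).
# Column names are assumptions for this example, not a Google Analytics schema.
SAMPLE_EXPORT = """source,city,duration_s
news.example,Chicago,184
news.example,Denver,95
news.example,(not set),2
search.example,Austin,61
search.example,(not set),240
cheap-traffic.example,(not set),0
cheap-traffic.example,(not set),1
cheap-traffic.example,(not set),0
cheap-traffic.example,Boston,73
"""

MAX_BOT_DURATION_S = 3   # assumed cutoff for a "brief" session
MIN_FLAGGED_SHARE = 0.5  # assumed share of flagged sessions that marks a source


def is_bot_like(row, max_duration=MAX_BOT_DURATION_S):
    """Both signals from the text must hold: unset location AND a brief session."""
    location_unset = row["city"].strip().strip("()").lower() == "not set"
    return location_unset and float(row["duration_s"]) <= max_duration


def suspicious_sources(export_text, min_share=MIN_FLAGGED_SHARE):
    """Return {source: (flagged, total)} for sources dominated by bot-like sessions."""
    counts = defaultdict(lambda: [0, 0])  # source -> [flagged, total]
    for row in csv.DictReader(io.StringIO(export_text)):
        tally = counts[row["source"]]
        tally[1] += 1
        if is_bot_like(row):
            tally[0] += 1
    return {
        src: (flagged, total)
        for src, (flagged, total) in counts.items()
        if flagged / total >= min_share
    }


if __name__ == "__main__":
    for src, (flagged, total) in suspicious_sources(SAMPLE_EXPORT).items():
        print(f"{src}: {flagged}/{total} sessions look automated")
```

Requiring both signals keeps a long session with an unset location (the `search.example` row) from being counted, since a missing location alone also occurs for real visitors.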
Google Mitigations
Google recognizes that its industry prominence makes it a highly valued target for hackers and scammers; as it identifies how criminals take advantage of its site, it creates various mitigation strategies. This includes publicizing scam reporting and tech support resources. Below is a table of scams and descriptions that Google previously created for specific reporting/tech support URLs (smallbusiness.com, 2020).
| Scam | Description |
| Google Lotto Scam | The subject receives a phishing email requesting PII to claim a payout or processing fee. |
| Gmail Tech Support Scam | Non-Google entities advertising fake Gmail tech support and requiring payment. |
| Gmail Wallet Vehicle Purchase Scam | False ad for an inexpensive vehicle with a false time expiration on the deal. The seller requests payment from a wire transfer service but formats the invoice to look like it’s a Google Wallet transaction. No goods are ever received. |
| Google Job Offer Scam | Offers fake job opportunities after payment of a training fee/PII filled out on faux employment forms. |
| Google Account Recovery Scam | Smishing scam via a text that claims the victim’s Google Account has been hacked. Contains a phishing link labeled Google Account Security Settings. |
| Google Top Placement/SEO Scam | Promises, for a fee, top billing in AdWords. |
| Google Maps/SEO fake invoices | Victims are told they must pay a fee to have their business appear in Google Maps. |
| Google/Zagat Job Scam | Offers fake job opportunities after payment of a training fee. |
| Gmail update phishing | Vishing calls or phishing emails claiming to represent Google’s AdSense, citing a refund that requires a “deposit” for release. |
| Google AdSense Scam | Vishing calls or phishing emails claiming to represent Google’s AdSense, citing a refund that requires a “deposit” for release. |
| Tax Payment Scam | Vishing calls or phishing emails impersonating the IRS and requesting payment in Google Play Cards. Threatens the victim with arrest, deportation, or license revocation. |
Google is open about the struggle it faces in getting ahead of the criminals exploiting its platform. As evidenced, the scams referenced in the previous table are already obsolete – though that doesn’t mean they won’t resurface in some other shape or form at a later date. Google’s Director of Sustainable Ads, Scott Spencer, provides perspective on the scope of the problem: “In 2017, we took down more than 3.2 billion ads that violated our advertising policies,” he says, going on to note that this number is nearly double the number of ads the company pulled in 2016 (Shankland, 2018). That breaks down to an impressive 100 bad ads removed per second.
Additionally, they’re continually updating their policies to allow them to remove bad actors legally. In 2018 they updated their Financial Services Policy to forbid ads entirely from fraud-prone sectors.
| Risky Financial Service: | Definition | Status |
| Contracts for Difference | “Financial contract that pays the differences…between the open and closing trades.” https://www.investopedia.com/terms/c/contractfordifferences.asp | Ads for aggregators/affiliates are no longer allowed on Google. Direct ads require advertisers to be certified by Google |
| Rolling spot forex | Speculates on price changes between predetermined pairs of currency https://www.dukascopy.com/media/pdf/KID/KID%20-%20CFD%20on%20Rolling%20Spot%20FX.pdf?c=8 | Ads for aggregators/affiliates are no longer allowed on Google. Direct ads require advertisers to be certified by Google |
| Financial spread betting | Betting on the rise and fall of stock prices https://www.investopedia.com/articles/active-trading/082113/what-spread-betting.asp | Ads for aggregators/affiliates are no longer allowed on Google. Direct ads require advertisers to be certified by Google |
| Binary options and synonymous products | The buyer either makes a profit or takes a loss after a certain amount of time – based on a stock price being above or below a predetermined threshold. https://www.investopedia.com/terms/b/binary-option.asp | Ads for aggregators/affiliates are no longer allowed on Google. |
| Cryptocurrencies and related content | Digital currency to include Ripple, Litecoin, Tether, Bitcoin Cash, Libra, Monero, EOS, Bitcoin SV, or Binance Coin. https://www.investopedia.com/tech/most-important-cryptocurrencies-other-than-bitcoin/ | Ads for aggregators/affiliates are no longer allowed on Google. Direct ads require advertisers to be certified by Google |
But Google still has its critics. The London-based Mirror identified AxaGB.com and CrownCompare.co.uk as two phishing sites that appeared in Google Ads. A 45-year-old London train driver lost his savings after being directed to what turned out to be their fraudulent sites. They promised him 11% returns on his investment. As a result of these types of issues, the British Advertising Standards Authority set up a Scam Ad Alert. The idea was to enlist the public’s help to notify Google and Facebook when scam ads appear on their sites.
The Mirror aptly asked why a British agency should do Google’s and Facebook’s jobs for them, and why these media giants do not reinvest some of their ad revenue to improve their own internal processes. The paper did not find Google’s existing reporting mechanisms up to the task, or accessible enough for the average user.
Conclusion:
The World Wide Web can be like the Wild West, and even monoliths like Google are not fully tamed/entirely safe places to roam without caution. While Google has taken steps to put policies and reporting mechanisms in place to stop bad actors, click on its advertisements with caution and be wary of unsolicited emails!
References
11 Google Scams and Links to Google Support for Each: 2017. (2017, May 09). Retrieved July 06, 2020, from https://smallbusiness.com/tech/google-advice-avoid-scams/
“Consumer Watchdog Calls on Google to Donate Tainted Revenue from Deceptive Online Ads It Published as Feds Shut Down 85 Mortgage Modification Scammers.” Marketing Weekly News 3 Dec. 2011: 115. Business Insights: Global. Web. 14 June 2020.
Consumer Watchdog’s Inside Google (2011). Retrieved from https://www.consumerwatchdog.org/resources/liarsandloansplus021011.pdf
Dean, J. (2015, September 24). “Google ‘charges’ for ads seen by bots.” Times [London, England] 24 Sept. 2015: 2. Business Insights: Global.
Financial Services: New restricted financial products policy (June 2018) – Advertising Policies Help. (n.d.). Retrieved July 06, 2020, from https://support.google.com/adspolicy/answer/7648803.
“Google should AXA fake website ads; Scammers pay internet giant to promote sites that target savers.” Mirror [London, England] 21 May 2020: 26. Business Insights: Global. Web. 14 June 2020.
Sauer, J. (2020, February 28). How to Identify and Remove Bot Traffic in Google Analytics. Retrieved August 03, 2020, from https://www.datadrivenu.com/bot-traffic-google-analytics/.
Shankland, S. (2018, March 14). Think before you click that ad because Google found 3.2 billion bad ones in 2017. Retrieved July 06, 2020, from https://www.cnet.com/news/google-removes-billions-of-bad-ads-in-2017-bans-publishers/.
Spencer, S. (2018, March 14). An advertising ecosystem that works for everyone. Retrieved July 06, 2020, from https://www.blog.google/topics/ads/advertising-ecosystem-works-everyone/.
Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2018). Digital crime and digital terrorism. Upper Saddle River: Pearson.