"The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google."
OF COURSE they were verified by Google. Google verifies identity by accepting money. Give them money, and you're verified.
"Google representatives didn’t immediately respond to an email" Are there real humans at Google who actually answer email? I haven't seen a response from Google in more than a decade. It makes me wonder if all the phishing and spam I'm reporting even does anything.
Honestly, it's time for the world to move on from Google. They haven't been safe to use as a search engine for more than two years.
After clients had been sent to phishing sites by Google's ads, I decided to block these domains on all the networks I administer:
To be even more frank, Google's search capabilities diminished around the late 2000s / early 2010s for me. I used to be able to write out anything verbatim and find it. Now I can't even get the double quotes trick to work properly. Google's strengths have been slowly crippled for years.
Windows has a similar problem: marketing / ads is ruining an otherwise decent product.
I don't know if it still works, but plus triple double quotes used to work as a verbatim match. IIRC I picked it up here when they broke double quote search a while back (which they fixed at some point).
A tip I saw here a couple of weeks ago that restored some quality to searches was to, after searching, open the drop-down menu from “Tools”, select “all results” and then “verbatim”.
I do all of my searches in incognito so sadly I don't know if the option is remembered or not.
Huh, I didn't know that. I now use a meta engine, so I don't really keep up with Google dorking, but that is good to know for the few times I fall back to a Google search.
Lately I've been finding that quoting doesn't have strong effects and, even more frustratingly, "-" appears to no longer do anything. So instead of filtering out the word it just ends up giving me that word more, and I have to search some complex baby robot speech to get nuanced results. Or maybe Google just hates me.
Are there real humans at Google who actually answer email?
Google's strategy has always been to focus on the things that scale. Having a human answer a phone or a mail doesn't scale, so no customer service for the users.
I think this is also the reason why these ads get through: to detect them they rely for a large part on crowd-sourcing: that "report a problem" link is IMHO one of their main mechanisms to deal with filtering out the bad ones. If more get through then it might indicate that the scale is tipping to the point that crowd-sourcing relies on too few people who go through the effort.
In that case, few things will actually scale for The Google except scaling itself. The only reason that The Google even has things like Gmail is they consider it a loss leader, and the only reason quirky things like Google Books still exist is because there are just enough engineers who care at that company that said projects get (barely) maintained. Otherwise, it's all about growth and scaling things, and because of the level of decoupling between the customer and the business model from a direct-transactional perspective, there is little to no need to treat the customer as if they exist at all. The Google certainly have a very interesting business model, indeed.
In 2007 I had posted something on a message board that personally identified me. I had the post removed from the forum but it was captured on Google's result summary. I literally emailed Google asking if they could remove it and they not only did, someone responded saying "done."
> It makes me wonder if all the phishing and spam I'm reporting even does anything.
I'm usually first in line to hate on Google, but I report a lot of phishing to them and, at least when it comes to phishing sites being hosted by Google, they tend to take them down pretty quickly. I never get a response, and I assume that it's all automated, but it's a lot better than many other hosts. If you report a malicious website to namecheap it can remain online for months and, bad as they are, they aren't even the worst out there in terms of poor abuse handling. Google could do better, but they're really pretty good.
That said, this is just another example of why we should all be blocking ads. It keeps us all safer.
Advertising intermediaries should be held partly liable for fraudulent adverts, or advertising should be aggressively de-anonymised, or maybe both. I'm not a fan of German-style "impressum" requirements for general publishing, but advertising is different in the way it aggressively inserts itself onto other sites in ways which (crucially) the user has no control over. Other than blocking all ads.
It ought to be possible to click on the corner of an ad and get the company number and business address of those responsible for it. "Overseas" adverts originating in different countries should be even more heavily checked, because if they're fraudulent then recourse is much harder even if they're not anonymous.
> A closer look at the link, however, shows that the site is not the genuine one. In fact, ķeepass[.]info —at least when it appears in the address bar—is just an encoded way of denoting xn--eepass-vbb[.]info, which it turns out, is pushing a malware family tracked as FakeBat. Combining the ad on Google with a website with an almost identical URL creates a near perfect storm of deception.
“Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes,
The relevant sections of the Chrome IDN rules [1] seem to be detection of "mixed script confusables" and "whole script confusables".
The character ķ (U+0137) is part of the Latin script [2], so I presume the string "ķeepass.info" won't trigger the mixed-script confusable test.
I don't see ķ listed in the "whole script confusable" glyphs [3]. Should ķ be included there? There's a comment in the Greek section of that file to the effect that "variants such as ά, έ, ή, ί" are ignored, so perhaps there is a general rule that accented characters are not considered to be confusables? If so, that makes some sense to me; French users would presumably be a bit disappointed if a domain name containing an é were rendered in the Punycode form, for instance.
The first "punycode attacks" were using letters that were completely indistinguishable from the "real" ones (e.g. by using Cyrillic letters). I guess the assumption is that the user would be able to identify any letters with diacritics (even if they're indistinguishable from specks of dust on your screen) and avoid them - after all, you wouldn't go to "göogle.com" either?
As a German I wouldn't go to göogle.com. If my native language didn't include ö? Then that might be a speck of dust to me as well.
A safer approach would be to only ever show a user the characters they expect to see (and are familiar with), e.g. based on their language setting. Assuming that every language has a finite list of characters used in its written form such a whitelist approach should be possible and much better than playing whack-a-mole with a blacklist for "potentially confusable" characters.
Take, for example, 糉 and 糭: both are valid characters in Chinese. One is a variant of the other. Which one is "canonical" depends on who (i.e. which authority, of which there are many) you ask. And FWIW the language and regional settings don't necessarily give an answer to the canonical representation.
Those characters mean the same thing with or without the specks of dust.
So, what's your solution here?
To be fair, Unicode domains are inherently a huge mess. The thing is that we don't need more armchair experts dreaming up Euro-centric solutions.
What you mention here does not contradict my assumption that there is a finite set of valid characters in every language, unless there is a rule in Chinese that lets you assemble an infinite set of meaningful characters/symbols (Unicode could still represent only a finite subset of those, though).
Either one or both of the characters you mention are probably part of the script of the user's Chinese language setting; if the character is, then it should be rendered as Unicode, and if not, as punycode. If the user's language has this kind of ambiguity then they are the only ones who can judge whether the domain name is correct or not, but at least they are familiar with the language and do not see characters they might never have encountered before and/or need to deal with an ambiguity that they shouldn't even have to expect to begin with.
The idea I proposed would still protect someone with a Chinese language setting from being tricked by e.g. a Cyrillic character in an otherwise ASCII domain name. I don't see how that is Euro-centric (apart from ASCII being inherently English-centric); it is an overall improvement over the status quo no matter where you live and what language you speak.
It still sounds like an improvement: while they might still fall for malicious URLs in their own language, they would not for other scripts.
But as someone said, tiny, valid differences are easy to miss anyway, and the original URL attacks were replacing similar-looking ASCII graphemes (e.g. l for 1), so this will all continue.
> while they might still fall for malicious URLs in their own language, they would not for other scripts.
That's totally backwards. If the assumption is that users of language X will legitimately visit sites of language Y with sufficient frequency, then all that language-specific filtering makes no sense.
Why wouldn't it make sense? If a Chinese user e.g. specifies that they speak Chinese and, say, French, all characters in those two languages would show up as Unicode and everything else as punycode. A malicious domain using e.g. Cyrillic characters to create a domain that looks just like another French (or just plain-ASCII) one would show up as punycode. Sounds like a net improvement over what we have now.
If a browser implements single language decode-punycode, they could also support user specifying multiple languages (like they do for Accept-Language).
And seeing punycode in URL bar does not mean a site does not work, it's only a suboptimal experience.
I don't think it's that easy. Most people A) use English as their system language, because troubleshooting menus / error messages in foreign languages is a nightmare, and B) my mom would not notice the difference between google and göogle.
Modern typography in Firefox and Edge (I can't speak to Chrome as I don't have it installed) has actually done a great job of skipping underlines across descenders of all sorts (as proper underlining is supposed to do).
While Google is waging war against adblockers on YouTube they are once again showing they absolutely cannot be trusted with the responsibility of showing safe ads.
That, and them showing war videos in ads to little kids.
I'm constantly reporting ads that are inappropriate, scams, or flat-out illegal; usually they are back within a week or two, if they even get removed at all.
My favorites are the dumb-brick phone charger that "magic defrags your phone", and the micro-ghost pistol.
I noticed some fake reviews for a business on Google Maps recently. They were giving high ratings praising the service they received yesterday etc. I knew these were fake because the business has been closed for renovations for months. I tried to report them but Google only allows specific options, like “offensive language.” I tried their “spam” or “unrelated to this business” option, but they went nowhere. Not surprising since there’s no ability to write in additional information in your report.
It seems Google doesn’t want to receive feedback if it affects their bottom line.
I see so many binary options scam ads on YouTube, often with a very poorly deepfaked Elon Musk as a spokesman. Google never takes them down.
Maybe I should start reporting them to the securities regulator in my province instead - binary options were banned in Canada a few years ago as they are a haven for scammers and con artists. That might get better results.
My seven year old kept being advertised shaving equipment, including razors. Obviously they know dad has a massive beard. Jokes aside though, I'd rather nobody be piquing his interest in blades, so I've adblocked the entire house.
There is. Goes with a plastic razor that won't cut anything. I've seen it before, it might or might not still be in the toy section of your local WalMart.
> Someone saving themselves [a trivial amount of] effort and causing a flurry of unnecessary replies.
I don't get the impression that their point is much changed by it being 3 keys instead of... 11 by my count (10 if you don't count shift for the capital O).
"the company has said it promptly removes fraudulent ads as soon as possible after they’re reported"
If they wanted to be part of the solution they'd vet the ads before they're made public. But that doesn't scale, and so people get scammed and society suffers and Google makes more money than it knows what to do with. Pretty fair trade...?
As others have said in one way or another, blocking internet advertising is part of healthy and safe internet usage.
I guess it's a fine line. If Google starts pre-screening ads and then bans somewhat legit ads - which may or may not look as legit - then we will see reports about them. Moderation is a tough problem to solve. We want convenience with the right stuff, and strong blocks with even slightly shady stuff. They are bound to miss a thing or two. The question here is whether this is an edge case or a prominent one (as in, do they have a lot of ads approved like these) with Google ads, which the article fails to answer.
I think you're giving them an unnecessary pass, the incentives are completely in their favor: don't screen ads, make money off ads that are frauds, scams, age-inappropriate, etc... wait for "someone" to report those ads as such; meanwhile, keep making money off them, and the scammers/frauds/etc keep making marks.
The human-friendly way would be to screen ads before airing them, which means hiring teams to do the screening; have appropriate legal language in the ad screening section saying that ads may be rejected for "Reasons" which will be explained in the rejection note, and the rejection can be appealed, upon which another person will deal with the rejection review process.
It's not a difficult problem, but it gets in the way of making money hand over fist.
I think I probably am giving them an unnecessary pass. There is another case in the below links about FB ads where Facebook banned an advertiser's account because of usage of words "panda" and "python".
While that case is unrelated, if someone pre-screens the ads without having the required context (let's be real here, it would be reviewed by someone in the Philippines or India, not the USA), they are likely to block stuff they do not understand but are told to err on the side of caution - which is what you presumably want, to avoid cases like the one in this title.
> the rejection can be appealed upon which another person will deal with the rejection review process
It still requires someone to have context about what you are running an advert on. Still hard to find, still not as reliable, and it would either end up blocking many legit ads or passing some objectionable ads. It does not just hurt their bottom line, but the bottom line of every good faith advertiser on the network.
I agree that just reporting post seeing the ad is a poor feedback mechanism. Maybe some sort of AI. They do verify advertisers though as they say. Maybe that should be more stringent.
I don't see a problem with banning legitimate ads.
Please keep in mind that ads are messages that visitors never subscribed to. The only party that loses here is the advertiser, and I couldn't care less. In fact, the problem with advertising is that the customers are the advertisers, with ad networks being biased to act in their favor and visitors being just the resources being sold.
Seeing as I have to jump through hoops with know-your-customer laws, it would be nice if companies had to do that also in all these instances that make life difficult.
* misleading ads
* spam phone callers
* counterfeit products on Amazon and the like
* email
Everything seems to be built to make me 100% reachable by any crook out there, yet I can't reach these companies enabling this through any means at all.
That's a neat trick. I can imagine getting caught by this if I saw the link in a non-ad context. The attackers made a smart choice here. Usual Unicode substitutions are something I've learned to spot, because the substituted letters look off, even if a tiny bit. But here? I didn't notice the dot under "k" even with an arrow pointing at it, because to me, it looked like a tiny speck of dust or dirt on the monitor. $deity knows I have many of those on my screen, and they're the kind of noise the visual system is good at ignoring.
I would have fallen like you. But because I use dark mode / a dark theme, this is displayed as a white dot on a black background and does not look like dust on my screen. I clearly see it. It is a white light-emitting pixel, not mistaken with a light-blocking speck of dust similar to a black pixel.
I had never imagined dark mode as a security enhancement :)
Punycode is of questionable use anyway. Granted, I'm mostly looking into this from a primarily Latin-alphabet perspective, but for the various non-Latin-alphabet sites I've browsed over the past decade, all of them just stuck to regular ASCII domains. (Heck, you see this even with usernames on websites that allowed Unicode to be used; most non-Latin-alphabet users will still stick to the Latin alphabet for usernames.)
The only place punycode really gets used are spam domains in practice. Even most Cyrillic and Asian domains don't use punycode.
I get the concept of punycode and it is impressive technically but for domains it's just been a massive phishing headache.
I fully support national languages, ASCII is not suitable for a huge part of mankind. But it's obvious that Unicode as it is is not suitable for security critical applications. Myself, speaking several European languages, I need less than 10 Unicode characters (each of them actually still 8 bit ISO 8859-15 codes). Well, need and need, most of the sites don't even register a punycode domain, but some uglified ASCII version of their name.
As a practical step browsers should ask the user whether they want to allow URLs in a certain language the first time a non-ASCII character is entered. With just one or a couple of languages allowed, the attack surface would be drastically reduced for most users.
Agreed on ASCII not being suitable for a huge chunk of mankind for messaging. That said, in lieu of a better defined set of characters, it is a reliable set of characters that largely don't overlap when it comes to homograph attacks on human readable identifiers.
The only single-character ones in ASCII with noticeable issues are 0/O and I/l/1 (this is also why on Latin-alphabet gift cards you'll often see these characters omitted entirely). The other homograph attacks on ASCII are mostly font-kerning dependent (and even the two I mentioned can still be made distinct from each other in fonts).
I'm not dunking on Unicode here to be clear, Unicode is awesome. That said, bolting Unicode into unique identifiers humans are meant to read is a bad idea because of the homographs. Again; just look at how non-latin alphabet countries generally (don't) work with Unicode in things like usernames.
> As a practical step browsers should ask the user whether they want to allow URLs in a certain language the first time a non-ASCII character is entered.
This would probably help on top of the usual algorithmic blocklists that Firefox and Chrome already use (which largely rely on trying to match what sets of Unicode are used in a domain name to pick between Unicode and punycode rendering).
> As a practical step browsers should ask the user whether...
No, humans are far too well-trained in "just say yes and forget it". The browser should loudly flag any non-ASCII name (maybe there's a buried-deep option somewhere, to less-loudly flag it), or else it should do a bit of OCR and pop up a "DANGER - Look-Alike Domain Name..." warning.
This case is a clear case of "letter k with a cedilla below": this is encoded in Unicode as a composed character that can be decomposed.
No OCR needed.
For all of these accented cases where no mixing of scripts occurs, browsers could simply decompose to Unicode Canonical Decomposition Normal Form (NFD), and flag any accented letters (e.g. render them in red in the URL bar).
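As an added example (not code from the thread or from any browser), a Python sketch of the two proposals made in this discussion: the NFD decomposition above, which flags letters that carry combining marks, and the per-locale allowlist suggested earlier, which falls back to the xn-- spelling when a label uses letters outside what the user's locale expects or mixes scripts. The locale lists are constructed, and the script detection via Unicode character names is a heuristic of mine, not the Chrome or Firefox IDN algorithm.

```python
"""Toy address-bar check for IDN look-alikes such as xn--eepass-vbb.info."""
import unicodedata

# Constructed allowlists: non-ASCII letters a user of that locale expects to see.
# Real browsers use different heuristics; this is an illustration only.
LOCALE_EXTRA_LETTERS = {
    "en": set(),
    "de": set("äöüß"),
    "fr": set("àâæçéèêëîïôœùûüÿ"),
}


def to_unicode(hostname):
    """Accept a hostname typed either as Unicode or in xn-- form and return the
    Unicode form, so both spellings of one name are analysed alike."""
    return hostname.encode("idna").decode("idna")


def to_ascii(hostname):
    """The punycode (xn--) spelling a browser shows when it distrusts a label."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch):
    """Heuristic script name: first word of the Unicode character name, e.g.
    'LATIN' for U+0137 'LATIN SMALL LETTER K WITH CEDILLA', 'CYRILLIC' for U+0430."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def accented_letters(label):
    """Letters that NFD splits into a base letter plus combining mark(s):
    ķ -> k + U+0327, ö -> o + U+0308. These are the 'specks of dust'."""
    flagged = []
    for ch in label:
        nfd = unicodedata.normalize("NFD", ch)
        if len(nfd) > 1 and any(unicodedata.combining(c) for c in nfd):
            flagged.append(ch)
    return flagged


def analyze_label(label, locale):
    letters = [ch for ch in label if ch.isalpha()]
    scripts = sorted({script_of(ch) for ch in letters})
    allowed = LOCALE_EXTRA_LETTERS.get(locale, set())
    unexpected = [ch for ch in label if ord(ch) > 127 and ch not in allowed]
    return {
        "label": label,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "accented": accented_letters(label),
        "unexpected": unexpected,
        # Render Unicode only when the label is single-script and every
        # non-ASCII letter is one this locale expects.
        "render_unicode": not unexpected and len(scripts) <= 1,
    }


def analyze(hostname, locale="en"):
    """Per-label findings plus the string an address bar would display."""
    unicode_host = to_unicode(hostname)
    ascii_host = to_ascii(unicode_host)
    reports = [analyze_label(lbl, locale) for lbl in unicode_host.split(".")]
    shown = [r["label"] if r["render_unicode"] else a
             for r, a in zip(reports, ascii_host.split("."))]
    return {"unicode": unicode_host, "punycode": ascii_host,
            "display": ".".join(shown), "labels": reports}


if __name__ == "__main__":
    for host, loc in [("xn--eepass-vbb.info", "en"), ("g\u00f6ogle.com", "de"),
                      ("p\u0430ypal.com", "en"), ("keepass.info", "en")]:
        r = analyze(host, loc)
        print(f"{host!r:28} locale={loc} display={r['display']!r} "
              f"accented={r['labels'][0]['accented']} "
              f"mixed={r['labels'][0]['mixed_script']}")
```

For the German locale the umlaut in göogle.com is rendered but still reported under "accented", which is the red-highlight case; the Cyrillic а in pаypal.com is caught as mixed script regardless of locale.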
One of the issues with ASCII domains is the phonetic mapping for CJK languages.
For instance, right now asahi.com is taken by 朝日 (Asahi Shimbun, the newspaper), thus the Asahi town (旭) cannot use it. Mind you, the town could take asahi-town.co.jp or something like that, but there are other Asahi towns and places with different writings (including 旭日, 朝陽, 浅緋 etc.)
Wanting all of them to have some random ASCII diversification is madness, and we're only talking about Japanese places, when the Chinese character space overlaps. (The question of whether these domains are actually registered is, I think, a chicken-and-egg problem, and I have a hard time imagining the above conflict space will get a nice resolution inside the ASCII alphabet.)
Western ASCII domains being ripe for scams is an issue, but throwing the baby out with the bathwater would still be problematic.
That seems to be mostly accidental and unrelated to ASCII: there are multiple towns named "London" and by the way that DNS works, only one of them can be "london.com" or "london.info" or...
While I can see an argument for expecting to find whatever brand you think most relevant at BRAND.com(mercial), first-come-first-served is as fair as we can realistically get to (with some protections against misrepresentations and squatting).
Note that I am not against IDNs: I just think your argument is flawed in their support.
Again, Unicode is what allows all languages to be written out, and the fact that the similar-looking-URL issue is more present (it's present with ASCII too) is not a slight against Unicode and IDNs: we just need to solve for it.
There isn't as much ambiguity in the CJK writing though.
It would be similar to mail.com, mel.com, meil.com, mehl.com, melle.com and all other variations that sound roughly the same getting all mapped to meɪl.com
We could live in a world where all words are written phonetically, but we don't. Extending that courtesy to non-alphabetic languages would be a pragmatic and sane approach.
I live in a non-English-speaking country; technically we do have non-ASCII domains, but they're very rare, and the absolute majority of websites use Latin letters.
Though I think there's nothing wrong with punycode with dedicated first-level domains. like кремль.рф (does not exist, but I'm too lazy to find one).
Lots of people might want to register their name, or the name of their city, etc. These all sound like valid use cases. You could say that anything beyond ascii is of questionable use, but non-English natives will always digress.
I know these use cases. In practice, people will still just romanize their name or the name of their city to the Latin alphabet anyway.
The reality is that Unicode is great for communication in, say, text messages but terrible for identifiers. People in non-Latin countries know this; there's a reason that there are only six countries (from what I can tell) that went with punycode TLDs while there are many more countries with unique alphabets, and most of those punycode TLDs see very limited use to begin with. (The most popular being the one used by the Russian Federation, which is also the only entity to forbid using non-Cyrillic characters in its domain names).
Humans survived with [0-9] as the main identifier for their phone line for 100 years. ASCII is actually a great improvement in that regard. Unicode just introduces too much ambiguity to be used in a security-critical context such as a hostname.
One solution to mitigate malvertising is ad transparency. Each ad should contain the legal contact details (company name, country) of the advertiser. It does not solve the issue fully, but consumers will surely avoid suspicious East European companies advertising. It will also make it easier for security researchers to track down bad actors and will bring some liability to the ad platform (Google).
Facebook already does this for political ads, so it is doable.
This is why punitive damages were invented: companies who didn't want to do the right thing because of money would be made to pay even more than if they had done the right thing in the first place.
If you tried to run a fake, malware-laden website in a Western country you would eventually be shut down and prosecuted.
These scams mostly fester in nations with weaker institutions, not just Eastern Europe but also China and India. Their authorities are simply not interested in preventing this kind of unlawful activity.
Can you somehow quantify it or is it your gut feeling? Any articles out there?
I don't know if they catch small fish as in this example; it just isn't in the news. The bigger fish happen to be in the news, like shutting down international scam call centers - 2 in LV, 1 in LT. Video from a police cam if anyone wants to see windows being smashed: https://www.vp.gov.lv/lv/jaunums/verieniga-starptautiska-ope...
We are also being educated in many places including schools, government institutions, posters, jobs etc about the risks, about how scammers work and stuff like that.
> In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim.
Some countries had notable levels of crime because they had the combination of smart techies with limited earning potential in their home country and governments which were either ineffectual or corrupt enough that they could make a substantial criminal income without going to jail. Similarly, the reason Nigeria was best known for phishing for years wasn't that the people were unusually criminally inclined but that many of their talented young people had the choice between being honest and poor or wildly rich, and unsurprisingly some fraction chased the easy money. Anywhere you don't have great economic prospects for a lot of people will have this problem.
Or you simply can have a database of all websites' SSL certificates[0] and compare it to the website you are accessing or in this case, compare it to the website that buys ad placement.
Interesting, Chrome indeed shows it in the URL bar as ķeepass[.]info, but with FF I get xn--eepass-vbb[.]info. Is this something I changed or a different default?
edit: As someone mentioned further down, it’s an about:config setting for network.IDN_show_punycode
The TLD registries are supposed to each have defined rules for IDN which can prohibit abuses and to police the use of your service. If you operate the registry for say, Switzerland, it makes sense to allow what Swiss and maybe German people would want, then forbid everything else.
But if you operate .COM or .INFO or .FREE-MONEY or whatever, your goal isn't to help anybody it's to obtain the most money possible without anybody senior going to jail. Crooks want to pay you money to help them target victims? Yes please.
So in practice the browser vendors have to cook up heuristics to try to guess whether the IDN is a trick and in this case I'd guess Chrome's heuristic didn't consider this a problem whereas Mozilla's did. I believe Mozilla were so exasperated by the IDN abuses at these registries they may have just switched off IDN rendering for the entire registries affected which is thorough.
Disappointingly .info is whitelisted, if it wasn't (like .com) then Firefox would use Punycode here instead. Perhaps Mozilla should re-consider the decision for info, or, perhaps they have and they decided that .info is doing enough (though clearly not in this case) to say that on balance it's acceptable.
Those questionable websites often redirect to a legit site like Google unless a certain condition is met. For example, it could detect and only lead the user to the fake site if the user is coming from the ad. It's a common technique for them to avoid getting caught.
Browsers should display punycode by default in the address bar. 99.9% of these websites are scams. If you live in a place that commonly uses non-ASCII characters in the URL then you should be able to manually toggle it on.
That, or whitelist specific characters based on the user's locale. E.g. on a system set to German I could expect umlauts and ß to be rendered properly, but anything else should just show the punycode. Basically any legitimate use case should be covered by that.
Another reason to use uBlock Origin / Brave Shields. Thanks for another article to send the adblocker complainers. THIS shit is what is killing the net, not adblock users.
Yeah. I was briefly an adblock complainer, but I have swung so far to the other side I can't even see my old high horse, and not just because of ad served malware.
Ads have broken an unwritten contract with the general public. They by this unwritten contract must be for legitimate products not scams. They must be things that I do not find offensive. This is an unwritten contract because there are other evil things that I have not thought of that they must not do.
The root cause is alphabets/fonts with lookalike characters being permitted in security-critical contexts. Tracing further, it's the mindset that this is a valuable feature, and not a reckless risk, that is to blame. Browser designers should have been feverishly working to further disambiguate Il1O0, not add more risk by allowing a multitude of whole new alphabets!
> When you're at a point where you're relying on a display name to make security-critical decisions, you've already lost.
This obscures how dramatically worse the situation is if you can't even trust display names. Does the ubuntu.com link on wikipedia lead to an ubuntu.com, or something entirely unrelated? Does a script you're reviewing actually pull images from debian.org, or somewhere else?
At some point you have no choice but to trust what the pixels on your screen are telling you.
But we need these alphabets to allow people of various cultures to be able to have URLs in their native language, and I'm not sure how browsers could help disambiguate all the possible Unicode symbols; AFAIK, while there are some fonts that make each symbol as distinct as possible (I think they are used on licence plates), none of them support all of Unicode.
Also, while I can agree that URLs are "security-critical", the same applies to email or even just names, and we definitely need Unicode for those.
> But we need these alphabets to allow people of various cultures to be able to have URLs in their native language
Those of them who want to accept the security risk that comes with that should have the option to turn it on, but it shouldn't be on by default for the rest of us.
Sure, it can be done, but it is not a solution to the problem, as it will still leave a lot of people vulnerable. We probably need to rethink how we handle identity on the web, but it is a hard problem to solve.
They can install a browser plugin to convert punycode to their alphabet if they care so much about using it in URLs. There is no need to inflict this on people with safe alphabets. Alternately, highlight non-safe-ASCII-subset characters in a different color, as VS Code does.
Crazily enough, the domain shown under the ad on google ads isn't automatically pulled. You can set it manually.
Attackers exploit this by first using a genuine domain to get the ad approved, and then altering the info after the campaign starts. I saw a similar attack like this on twitter a month or so ago.
See: https://keepass.info/integrity.html (you may want to manually type it into the address bar...) and download their PGP keys. That way you can verify KeePass downloads using their signatures, which you can save and sign with your own key to really verify the paranoid way. If you ever land on a bad download site, you'll know something's up after you verify and it doesn't match.
Also, on Windows, both the installer and the main executable are digitally signed with a valid code signing cert: 'Open Source Developer, Dominik Reichl'
I fell victim to a ridiculously stupid and expensive punycode ad scam on Facebook a number of years ago, advertising new antminers. Absolutely idiotic, and infuriating, but the biggest mistake was assuming the likes of Facebook or Google actually reviewed and approved ads and protected its users from this sort of garbage, in addition to simply not noticing the tiniest dot in the address bar.
While there's no foolproof way to detect scams like these, there are some proactive steps we can take:
1. Always type in URLs manually when downloading critical software to bypass the potential risks from ads.
2. Make use of browser plugins that identify malicious websites or unverified SSL/TLS certificates.
3. Before making any downloads, inspect the TLS certificate of the website by clicking on the padlock icon next to the URL bar. Look for inconsistencies like a different company name or issue date.
Yet another day I'm glad I've protected my family with network-wide ad blocking through pihole. Slowly they've learned that clicking on the top links ("sponsored") don't work so now they're trained to look for the first organic search result whenever using Google.
In Firefox's about:config, switching network.IDN_show_punycode to true could HELP in spotting these kinds of scams. But I believe that, in the end, once it's showing in Google results, it's game over.
Ads in search results look close enough to regular search results for people to just trust them and click.
It must be serendipitous that the article just above this in my feed is about an AI banning someone for life from advertising on Meta because the AI thought they were trafficking animals for advertising Python courses.
And my guess is, absolutely nothing will be done, accountability wise, in either case.
Google once hosted an ISIS website; it was in English, French and Arabic. Reporting it was cumbersome and I could not take screenshots of it before I helped remove it. I used builtwith to detect the host and found it was a Google SMB solution at the time.
That would make Google responsible for the work of police - you're saying that Google should be actively trying to identify "criminals" (by whatever definition of whatever state in the US or even their legal department - quotes deliberate) and prevent them from being able to do business in the modern web world.
Effectively you want Google to be the law enforcement corporation and not your government thus massively expanding their power and reach.
Why would you want that? (And that also goes for people who want Apple to replace their government at law enforcement).
If someone were to stand outside holding a big banner advertising something malicious/illegal they'll be in legal trouble pretty quickly, which I think is fair.
Why shouldn't Google be held to the same standard?
"If someone were to stand outside holding a big banner advertising something malicious/illegal they'll be in legal trouble pretty quickly, which I think is fair."
For the most part, you would not.
While it is not protected by the first amendment in the US to advertise illegal products, it is also not particularly restricted in most of the US.
To wit: If you hold up a big banner saying "fentanyl sale - 30 cents per gram", you would not have committed a crime or an actionable legal tort in most places.
The thing that is actionable everywhere is deceptive/fraudulent/misleading advertising.
The problem is you have to prove intent to build a legal case. If the person holding a banner doesn't know whatever they're advertising is illegal then they wouldn't be liable. A case could be made if they're informed it's illegal and they continue anyways, but that isn't likely to happen.
If a billboard starts advertising meth, you obviously go after the meth dealer. But the billboard owner—who painted the ad onto it—should also have liability (albeit civil).
The malicious website is published on google dot com. It's not unreasonable to require that a website doesn't publish obvious scams. Of course, "obvious" is hard to define precisely.
> That would make Google responsible for the work of police - you're saying that Google should be actively trying to identify "criminals" (by whatever definition of whatever state in the US or even their legal department - quotes deliberate) and prevent them from being able to do business in the modern web world.
Google is a company that nets $60 billion a year in profits. They can afford to hire a few thousand people to manually vet ads before they go out, and they should.
What do you think the number of different ads being displayed is, given how much each ad costs?
Estimates suggest it's about 30 billion ad impressions per day to earn that.
If each distinct ad gets 1000 impressions, that's 10 billion ads to review per year.
Let's be super generous, and assume it's 10k impressions, leaving us with 1 billion ads to review.
Let's further assume it's 1 minute per ad to review them, because people are super good at it. This will take 694,440 person-days to review.
So to even give a 24 hour turnaround time, they'd have to hire 694,000 people.
If they pay them 65k each (yearly minimum wage in california), that's 45 billion a year.
This again, assumes we have ads with lots of impressions, it's only a minute per ad, and that we are okay with 24 hour turnaround time. Otherwise, it costs more.
It's really easy for people to play the "company makes x, they can afford y" game, but without real data it's sort of magical thinking.
I doubt humans could easily keep up with the review load here, at scale, at any reasonable cost/living wage.
Sure.
I'm pointing out this simple sort of "they can easily afford to do x" is usually nonsense.
I haven't commented at all on what the result should be (not allowed to do it or whatever), simply that the math that it would be simple to fix is wrong.
If we are going to argue about things in a useful way, we should avoid random assertions without data that don't really advance the argument, especially when they are trivially wrong?
Ah, I see we've moved onto ad hominem attacks and dismissal rather than engaging for real.
That certainly may feel good, but it changes nothing about the argument?
This sort of dismissal based on who you work for is both childish and unproductive to a real discussion. Similar to the "most fanboyish thing ever" comment, which, honestly, if telling someone their totally unsourced math and claim is wrong, by providing data and real math, is the most fanboyish thing you've ever seen, then I think you are very lucky in what you see ;)
Beyond that, I'll repeat what I said - I simply pointed out the assertion and math is wrong. That is all. You are the one claiming I am defending anything beyond that at all. I was very careful about not defending anything, and in fact said I'm open to all sorts of views about what to do about it.
Maybe you should re-read what I wrote, and point out any point where I did anything but show that the claim made was wrong, and the math was wrong?
Your math is wrong because you say that Google spends 0 dollars at the moment to fight scam ads.
If it is true, then Google execs should be in jail right now.
And proves point again that Google does not care about filtering content and it is profitable to accept money from criminals.
Of course, if your paycheck depends on criminals' money then it is very dumb to share that profit to hire more people to fight malware content.
In my country there are many Google scam ads which feature local celebrities/doctors, but it is impossible to remove those ads, because Google never removes them. Zero response from Google. Even the police cannot help because nobody from Google responds.
So I guess it is intentional to spread those spam ads.
Even if users report those ads, Google 99% of time never takes an action to remove spam ads.
With a few thousand people you can remove those reported ads...
So what? If Google is only profitable because the vast externalized costs to it are borne by society at large (e.g. malvertising, scams, unsafe "medical" products and supplements, competitors placing ads in an unfair way [1]), then maybe prices for advertising have to rise to match the prevention cost, or Google has to figure out other ways of staying profitable. I don't care all that much.
And if it leads to less, but higher quality ads in the end, even better.
The so what is that the comment is completely and totally wrong in its estimation of how simple or not it would be.
That is all.
We should decide what to do about it based on correct data and sane assumptions, not random assertions that are off by orders of magnitude and backed by no data.
Google is effectively a giant mall, and mall owners sure as heck police their stores by actively trying to identify criminal storefronts.
Google doesn't have to do this because they are anticompetitive.
The root problem here is that Google shouldn't be in this position where we are talking about them acting as law enforcement, and a business getting banned by Google is akin to getting ejected from society.
This has been a problem with Google's ad network for over a decade now; apparently they don't think it's profitable enough to make sure this never happens again.
What can I as a user even do to protect myself from this? Like what is the best practice for finding the official website of some organization in a high stakes situation?
> 2) In advertisements, Google shouldn't allow the advertiser to modify the domain that is displayed. Really, why do they even do this?
Because advertisers usually want to send links to a tracker site of their own first so that they can verify if their numbers match up with what Google reports.
No one trusts anyone in the advertising space, and for good reasons. Advertising has always been a space filled to the brim with crooks and fraudsters.
>Advertising has always been a space filled to the brim with crooks and fraudsters.
If I ever work at a cubicle, I will hang this sentence on a large frame over my desk, then stay silent and stare every time someone comes and complains about my ad blockers.
For one thing, Google search ads should not show users a domain different from the domain Google redirects directly to. If a website wants to track clicks, the URL they ask Google to send users to should not live on a different domain than the domain the user sees before clicking. Anything else invites impersonation like this, and makes Google complicit in undetectable phishing.
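Added example (not from any commenter on this thread): the two checks the discussion keeps returning to, seeing the punycode form of a host as Firefox's network.IDN_show_punycode does and flagging Latin labels mixed with Cyrillic/Greek lookalikes, plus the display-versus-destination comparison from the comment above. It uses only the Python standard library's IDNA codec; the lookalike "keepass.info" sample is constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that render unambiguously in an ASCII-only hostname.
SAFE = set("abcdefghijklmnopqrstuvwxyz0123456789-.")
# Scripts with well-known Latin lookalikes (constructed list, not exhaustive).
LATIN_CONFUSABLE = {"CYRILLIC", "GREEK"}

def hostname_of(url: str) -> str:
    """Extract the host, tolerating a bare domain with no scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def analyze_host(url: str) -> dict:
    """Report the punycode (xn--) form of a host and any Latin/confusable mixing.

    This is what network.IDN_show_punycode=true makes visible in Firefox:
    a non-ASCII label is shown as xn--..., which stands out immediately.
    """
    host = hostname_of(url)
    ascii_form = host.encode("idna").decode("ascii")  # stdlib IDNA codec
    suspicious = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ch not in SAFE]
    risky_labels = []
    for label in host.split("."):
        # First word of the Unicode name is the script, e.g. "LATIN", "CYRILLIC".
        scripts = {unicodedata.name(ch, "").split(" ")[0] for ch in label if ch.isalpha()}
        if "LATIN" in scripts and scripts & LATIN_CONFUSABLE:
            risky_labels.append(label)
    return {
        "host": host,
        "ascii": ascii_form,
        "is_punycode": ascii_form != host,
        "suspicious": suspicious,
        "homograph_risk": bool(risky_labels),
    }

def display_matches_destination(display_url: str, destination_url: str) -> bool:
    """True only if the advertised host and the real landing host are identical
    after both are normalised to punycode, so a lookalike cannot slip through."""
    return analyze_host(display_url)["ascii"] == analyze_host(destination_url)["ascii"]

if __name__ == "__main__":
    # Constructed sample: Cyrillic 'е' (U+0435) replaces both Latin e's.
    for u in ["https://keepass.info/download.html", "https://k\u0435\u0435pass.info/"]:
        print(analyze_host(u))
```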
Yeah, it's really bad that Google doesn't actually show the proper characters in the URL. It's hard to spot - but at least if they displayed the actual URL then you'd have a chance.