Two recent news stories have cast a shadow on Google's primary source of revenue: keyword advertisements. In one story, a researcher bought an advertisement that read "Is your PC virus-free? Get it infected here!" The Finnish computer expert bought the ad, it was placed without question by Google, and over 400 people clicked on the link over a six month period. The man responsible for the experiment told Reuters that there was never any virus involved, but that his research shows that advertisements can be used for malicious intent. Read the CNN.com article here.
The second story told of Google AdWords that had been "hijacked" by hackers attempting to spread viruses. The hijacked links would send a user to a malicious site, infect their computer, then redirect them back to the site they thought they were going to in the first place. Graham Cluley, a consultant at the security firm Sophos, explained the attack, saying:
"For many people Google is the internet, and just as in the past Microsoft's Internet Explorer and Outlook have been targeted, so too is Google becoming increasingly attractive for virus writers to try to exploit."
Read The Times Online article here.
The very real problem with all of this is whether Google should bear some responsibility for, in the first case accepting an ad without verifying that it wasn't malicious even though it claimed to be, and in the second case accepting ads that directed users to a site other than the one advertised. Google has already experienced the pain of potential legal action over AdWords when they asked the US District court to rule on what words and phrases could be sold as targeted advertisements.
Searching for Trouble? (ksat.com)
Google AdWords Needs Policing (Yahoo News)
Entrepreneurial hackers buy sponsored links on Google (Computerworld.com)
There is definitely a case to be made that Google should beef up their efforts at self-policing the ads that they sell. One way that they could do this is by being more aware of the people and organizations that they sell ads to. Google could also create a policy that requires them to test out all of the ad links to assure that they go to the appropriate Web site without first redirecting the user. Personally, I plan to warn all of my users of this new attack vector in an attempt to keep keystroke loggers and Trojan horses off of my network. What will you do in response to this new threat? Do you think Google should be policed or allowed to self-police? Join the discussion.