Until further notice, think twice before using Google to download software

I've never heard the term "malvertising" until today. I think I figured out what it is from the article's context, but with the amount of jargon and new attack vectors it's hard to keep up with all of the different types of scams these days.

Malvertising: When you buy ads for your malware site in a way where you're trying to trick people into thinking they are downloading a different popular product.
 
Upvote
124 (128 / -4)

Ben G

Ars Tribunus Militum
2,778
Subscriptor
Is it just me, or has Google search gotten much worse over the last year or two? No matter my opinion on Google in general, it used to at least give constantly good search results. Now I feel like I’m wading through pages and pages of SEO bait, while also avoiding the prominently placed ad results.

Enshittification indeed.
 
Upvote
426 (428 / -2)

ThatEffer

Ars Scholae Palatinae
1,272
Subscriptor++
Is it just me, or has Google search gotten much worse over the last year or two? No matter my opinion on Google in general, it used to at least give constantly good search results. Now I feel like I’m wading through pages and pages of SEO bait, while also avoiding the prominently placed ad results.

Enshittification indeed.
And the amount of obvious spam getting through their filter in the last week or two is nuts.
 
Upvote
96 (97 / -1)
Is it just me, or has Google search gotten much worse over the last year or two? No matter my opinion on Google in general, it used to at least give constantly good search results. Now I feel like I’m wading through pages and pages of SEO bait, while also avoiding the prominently placed ad results.

Enshittification indeed.
It’s not just you.

I switched to DuckDuckGo a couple of years ago for the privacy and was pleasantly surprised to discover that the search results were actually better, too.

Edit: At the start, I did have to switch back to Google occasionally at need, but haven’t had to do that for some time. I couldn’t say how much of the difference comes from any degradation of Google though, vs improvements at Bing.
 
Upvote
148 (153 / -5)

lithven

Ars Tribunus Militum
2,039
Is it just me, or has Google search gotten much worse over the last year or two? No matter my opinion on Google in general, it used to at least give constantly good search results. Now I feel like I’m wading through pages and pages of SEO bait, while also avoiding the prominently placed ad results.

Enshittification indeed.
I'm pretty sure it's been terrible for much longer than the last year or two.
 
Upvote
47 (50 / -3)

netblaz

Ars Tribunus Militum
2,405
I get the strong sense Google could do a far better job at keeping these from getting through their net, but... why turn away paying customers?

Example: make a list of "Tor, Thunderbird, Gimp..." heck, you don't already have a top hit list of "software people search for" being auto-generated every five minutes? Because you're Google? It's not exactly like trying to crack the universal pattern behind Beck's lyrics.

Then, hey, um... downloadstudio... generic words... has bought an ad for... [software people search for (visual studio)] and because you're Google you can see this site is [brand new, recently a different scam site, etc]

There is more... but, even small fragments of the above seem enough to... oh, c'mon, they could do better here but they'd rather bury their head in the sand and get paid for airing the ads. I could forgive them for fumbling in Hungarian, but in English? No, no... they'd just rather get paid
 
Upvote
116 (116 / 0)

floyd42

Ars Scholae Palatinae
1,060
Subscriptor++
Downloading software has always been a game of Russian roulette. I shudder thinking about how I used to download software from alt.binaries newsgroups but that was back in the dial-up days.

Considering that you can still get malware from the curated and heavily scanned App Stores I would say we're all doomed.
 
Upvote
61 (62 / -1)

RickyP784

Ars Tribunus Militum
2,194
Subscriptor
Yet another way that an adblocker would help protect end users. In this case, it probably helps the bad guys to target the less savvy surfers and ups their "conversion rate"
The web is borderline impossible to use these days without at least one ad blocker installed. I never let relatives surf the web without at least uBlock Origin or AdBlock.
 
Upvote
100 (100 / 0)

Bongle

Ars Praefectus
4,292
Subscriptor++
If the user is stupid enough to click on a search result clearly labeled as an ad (top left of the search result) they deserve whatever they get be it malware or unwanted advertising.
Cool. And then the botnet that that user's computer helps form impacts me by attacking businesses, servers, or governments that I support or need to have functional. So it's still worth caring. There's a lot of stupid users or users that think "ad" means Google has vetted it and thus is more trustworthy than the regular results.


Related: We were spot-checking our AdWords ads yesterday at work, and holy crap: on a 1080p monitor, every single search we did had about 1.5 screen-heights of HUGE text ads before you got to the actual content. They're growing.
 
Upvote
92 (93 / -1)

MightyPez

Ars Scholae Palatinae
1,476
Can we get some comparison to other less used search engines like DuckDuckGo and Bing (not endorsing either!). I'd just be curious if the other search engines are faring any better or worse.

In a completely unscientific test I ran a couple of searches in DuckDuckGo in a private Firefox tab with uBlock Origin turned off.

In each case the top listing was marked as an ad and either had some completely nebulous link like shopping.net or a direct ad for the company I was searching the product for like Slack.

It should also be said there wasn't an ad every time, and only 1 when an ad did appear.
 
Upvote
37 (37 / 0)

corscan

Ars Scholae Palatinae
728
Am I just being hopelessly naive to think that it would only take minimal human involvement to review requested new ads clearly targeted at people looking for software downloads?

I know there will be some genuine use cases of someone targeting 'Audacity' for an ad - selling other audio software or associated services. But are there really such a huge number of genuine ads targeting audacity and other similar software that human review is impossible, and it is only possible to rely on an algorithm?

In my idealistic head, I'd have imagined that for, say, the top 1000 software downloads, Google would have direct contact with the real provider. I started by thinking of a whitelist of the actual, real download links but realised I have no understanding of how downloads work behind the scenes and the extent to which scammers can spoof real(ish) download sources.

So why not take it back to basics - if a human reviews the ad, and it looks like it is just offering a download link for a popular bit of software, was it the known provider of that software that asked to place that ad? If not, chances are pretty high it's not legit. Yeah, I know this would take actual work to set up and maintain links with those providers responsible for the top X% of downloads, some of which may never have advertised with Google and have no intention of ever doing so. But compared to the cost of online fraud?

Legislators need to step up their game to force companies to take effective action where they are facilitating/directly enabling fraud and where minimal and entirely proportionate effort could prevent it.
 
Upvote
31 (36 / -5)

dube.patrick

Smack-Fu Master, in training
3
I tried the same search this morning which seems to be fixed... The first 2 links direct to Microsoft, which is the intended result. All other results on page 1 are either walkthroughs or links to links... I can't say that it's always the case with search for software but Google is doing a better job this morning??

Download Adobe worked fine too.

Heck, Download Corel or Quark, which is an aberration to do, also works! Maybe I'm alone? Can others confirm this?
 
Upvote
-6 (7 / -13)

numerobis

Ars Praefectus
45,078
Subscriptor
People clicking on ads to download software... I always assumed that's an attack vector. What sane person doesn't scroll past the ads section in their search results?
I’m not usually there to actually install, just to survey, so I click on the ads from time to time.

Even among “organic” results there’s a lot of crap though. There was the whole FileZilla debacle for instance; highly rated, everyone says use it, and oh one day the installer you can most easily find is suddenly full of crap bordering on malware.
 
Upvote
10 (10 / 0)
Is it just me, or has Google search gotten much worse over the last year or two? No matter my opinion on Google in general, it used to at least give constantly good search results. Now I feel like I’m wading through pages and pages of SEO bait, while also avoiding the prominently placed ad results.

Enshittification indeed.
Simplest test: search for printer drivers for "n" manufacturer printer. Chances are higher that the top hits are some scammy "printerdrivers4u website" that payload.
Best practice is to type the correct URL of the manufacturer, as searching is still a whack-a-mole of SEO scammers.
 
Upvote
39 (39 / 0)
Can we get some comparison to other less used search engines like DuckDuckGo and Bing (not endorsing either!). I'd just be curious if the other search engines are faring any better or worse.
PCWorld ran an article about malicious AMD driver sites and found that Bing had the same ad issue as Google. Not sure about frequency of one versus the other, but definitely don't trust ads for software downloads.
https://www.pcworld.com/article/147...n-drivers-reveal-a-deeper-google-problem.html
 
Upvote
27 (27 / 0)