Has my Adsense Code been Pirated?

29 Dec 06 5:15 am

Sean06 - to describe it another way:

Two PCs in one location - Same website displaying on both.

Google ads appear on one and in the same places on each web page, on the other PC, are different ads sponsored by iTotalFind.

Google responded to my mesage (under 12 hours for a reply - brilliant!)
Google suggested that it was a Malware infection and we went hunting.

We have discovered that there is a Malware out there that shows up with CWShredder.exe that finds Google Adsense and Yahoo ads and substitutes them with their own ads - your site hosts ads you don't get any payment for, while iTotalFind charge the advertisers on a CPC basis.

It shows up in your registry as an HKEY entry with the text "\Itrust\url changer\" and clones itself as fast as you can erase it (1036 new malware entries were formed in thge next boot up).

We have cleaned up the registry and it has halted the cloning on the infected PC but it has also disabled the Google ads from appearing on the site too.

Will post as more happens

29 Dec 06 3:17 pm

Wow, talk about a scam of all scams. Man, I get tired of all the BS out there sometimes. Davin

29 Dec 06 11:05 pm

YesI know -
I am the local PC Doctor in our area - just to give you some idea:

I started in PCs before Windows, before floppies, before type fonts, colour monitors (actually we had a choice - grey(TV) or green (Monitor). Programs were stored on audio cassette (30 or 60 mins - longer cassettes stretched and you lost your data). A hard disk was the size of a bar fridge and if you walked past the magnetic field slowed you watch down. I built my first PC at Uni then bought a Dick Smith Red Label in 1984, learned NewDos from a lever arch binder that cost $120 to photocopy. I have kept up with the play ever since and have contributed to some of the software you use without realising it today - like Firefox, Windows fonts, Registry editors, Spreadsheet linking, viral pattern files etc etc through the open source and Linux network.

The point is - I know enough to be scared of what I don't know.

With all that - this little malware bastard has me worried. It has also rang alarm bells at Google, who had heard rumours but were grateful of our screenshots as proof. Our logs have also been posted on 4 security sites (you found one of them). Now we wait.

This all began when I was designing a website for someone else who was looking at Google Adsense to monetize it and I said "Have a look at my site."

Yep - I've had better days! :(

30 Dec 06 12:42 am

Sucks to hear about that, but at least you were the first person to alert google. Thats gotta be worth something :P

Hope it sorts itself out.

30 Dec 06 4:47 am

Adrian -
As I previously stated - the ads are from iTotalFind - they say so.
and Google have replied to me, in an email, that they have not authorised iTotalFind to use their code.

I discussed with Google what we found, did and suspected (malware resided on the computer and redirected Google Adsense code for iTotalFind) here's their reply :

Note I have included their ticket number and all ID's as well, as proof this is genuine:

------------------------------------------------------------------------------------

Hello David,

Thank you for your response. I'm glad to hear that you've come to the same
conclusion, and please know that the additional information you've
provided us is very helpful.

Sincerely,

Diane
The Google AdSense Team

Original Message Follows:
------------------------
From: "David Hilton-Bright" <[email protected]>
Subject: Re: [#96461690] Possible Adsense code piracy Violation by
iTotalFind
Date: Fri, 29 Dec 2006 12:55:38 +1100
----------------------------------------------------------------------------------

So for the record -

We are not the only PC to find this - other security forum discussions exist with people asking how to remove this. (Try Google = iTotalFind)

Your Google Adsense (and Yahoo equivalent) ads do not appear on your website or pages when viewed on an infected computer.

You get infected through an email - most likely to do with making money on line - so carefull read the EULA's before you accept - for some reference to adding some code or cookie or code changer to you computer.

The ads are replaced by iTotalFind ads - here's part of the screendump:


You don't get paid for the use of your site space.
You don't get paid for any clicks
You don't get paid for 1000 impressions either.

While iTotalFind charge advertisers for placement and clicks and cost per 100 impressions.

All I can say is rest assured Goodle is onto it and is pi##ed off. While we see a small income upset, they are looking at millions of lost revenue and won't take this lying down.

30 Dec 06 6:47 pm

Administrative Contact: ItotalFind

152 W. Wisconsin Av, Suite 709
Milwaukee, Wisconsin 53203
United States
(414)271-9530



Adrian,

31 Dec 06 1:29 pm

My partner (with the iTotalFind infected computer) wants to add Adsense to her site.

Of course she can't do it on her (infected) computer because she won't see the ads. Could she add them to her site, using my computer and her adsense account details?

The IP address will be different - will that matter to Google, as long as the account details are hers?

On the iTotalFind front - we have searched the internet - no-one knows how to remove it. We have found records of infections dating back to Feb 2005. I suspect we'll have to reformat the drives and re-install everything.

The ironic thing is that we share and swap files between the computers all the time and mine isn't infected. Probably the fact I always surf the net using SuSE (Linux) with Firefox rather than Windows (because it's smoother and faster), saved me being infected too.

09 Jan 07 1:23 am

It doesn't matter which computer you use to add the Adsense to a website, so long as the account details are hers. The malware doesn't affect the script on the server level, it just hijacks it on the display computer, so there's no problem modifying the HTML (adding the Adsense script) on the infected machine. The problem is that she won't be able to see the ads -- as you've already figured.

What a drama! I'll be interested to see what Google does about this.

Regards,
Mark

10 Jan 07 9:50 pm

Right you are. It seems like this is more damaging because it's frustrating and draining your energy, rather than actually affecting your business. It's the same problem with a lot of things. You can try to do something about it to get it sorted quickly, but if you can't get it sorted quickly, try to put it aside and move on.

All the best,
Mark