Friday March 28, 2008

"NRI Savings Account" spam ads on Google Adsense

This is a message for fellow bloggers and publishers who are using Google Adsense. Recently, I have seen some ads on my blog (see above for a sample) selling some "NRI Savings Account" with a purported link that goes to "www.abnamro.com/Bollywood". According to Wikipedia, NRI stands for "Non-Resident Indian".

At first I thought it was a bit of ad mis-targeting, which I dismissed as a simple glitch in Google's much-vaunted search and contextual-matching algorithms. But then when I saw these ads running for the fifth or sixth time, I knew something was up, so I went to do some investigating. Here's what I've found :

1. My initial thought was to copy the URL for analysis (must be careful there, since according to Google's TOS, a publisher is not allowed to click on his own ads). I got the following string : http://www.sirez.com/lms/44_ABNBW/clickcounter.asp [followed by some url-encoded characters and then followed by] http://216.198.222.137/ABNAMRO/BollywoodCd/savings_bollywood.asp.

2. You don't really need to be a former military computer security researcher (which, well, I was) to immediately grasp that there is something really fishy going on here. The first destination URL goes to some sort of "click counter" page which probably gathers some traffic statistics and then redirects to the second destination URL.

3. Dotted IP addresses (such as 216.198.222.137) with no hostnames ring some major alarm bells. This is one of the tell-tale signs of suspicious websites set up for spam or phishing purposes. I pasted it into my browser and here's what I got :

4. Would the real ABN Amro bank host a website at a dotted IP address with no hostname? I didn't think so. Hence, the next thing to do was a simple reverse DNS lookup :

Name: www.aiminghigher.com
Address: 216.198.222.137

5. Well, "aiminghigher.com" eh? It doesn't add up. It could be another website on the same shared host. I don't have time to go really deep on this one, so I try one final and very simple test. I paste the purported link, "www.abnamro.com/Bollywood", into my browser, I get a 404 page ("The page cannot be found"), and after a second or so, I get re-directed back to the main page of the real ABN Amro Bank.

This is really some kind of fraudulent and spam-ish advertising going on here. I do not wish my visitors to click on this kind of ads and get directed to these sites either, no matter what kind of CPC (Cost-Per-Click) it nets for me. So I go to the Competitive Ad Filter and add sirez.com to the list. If you are an Adsense publisher and you are reading this, I would suggest that you do the same.

(2008-03-28 00:34:21 SGT) [Tech] Permalink

Most popular blog postings on lowem.log :

1. Singapore SIBOR interest rates fall to 1.5%, lowest since Dec 2004
2. 2009 Honda Global Small Hybrid details released : bigger than Jazz/Fit, smaller than Civic
3. Singapore : Inflation rate could push past 6% in Q1 2008
4. Singapore SIBOR rate fell to 1.25% in Apr 2008, lowest since Aug 2004
5. Fuel prices seen stoking Malaysia inflation in 2008
6. Singapore CPI inflation rate for May 2008 continues at 26-year high of 7.5%
7. Singapore CPI inflation hits 6.6% in Jan 2008 - a new 25-year record high
8. Singapore SIBOR rate falls to 1.31%, lowest since Nov 2004

Featured articles on lowem.log :

1. ABC Guide to Beating Inflation in Singapore and Elsewhere
2. Singapore inflation rate hits new 26-year high of 7.5% in Apr 2008
3. Hyper-inflation : early warning signs
4. Singapore hyperinflation warning signs #2 : Cooking oil price up 75%
5. Bread and inflation
6. Singapore M3 money supply growth vs STI stock index
7. Singapore SIBOR rate fell to 1.25% in Apr 2008, lowest since Aug 2004
8. Singapore : Inflation erodes away bank savings