Cyber criminals are getting ever more sophisticated: they are now stealing passwords by tricking people into clicking on Google ads. And yes, that means they're having to shell out hard-stolen cash for them. Using Sponsored Links, criminals pretend to lead people to authentic sites, only to take them on a phishing trip.

As flagged on the McAfee Avert Labs security blog, an instance of this has been uncovered. The main problem is that Sponsored Links hide their real destination. Normally when you hover over a link, your browser displays the destination address in the status bar at the bottom corner of your window, so you can see where a click will take you before you take it. That's not the case with Sponsored Links: what you see is the advertiser's chosen display address, and the click itself goes through Google's own redirect, so hovering tells you nothing reliable about the page you will actually land on.
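To make the hover-versus-click gap concrete, here is an added example (not code from the article, from McAfee, or from Google) that models an ad link in plain JavaScript and runs under Node without a browser. It assumes a generic click-tracking redirector that carries the landing page in a `url` query parameter; that parameter name, the `ads.example` host and the two sample addresses are all constructed for the example and are not Google's real format.

```javascript
// Added example: why the address shown on hover cannot be trusted for an ad link.
// A browser's status bar shows the anchor's href at hover time. A mousedown
// handler can swap the href for a redirector URL an instant before navigation,
// so what you hovered and where you go can differ. No DOM is needed here; the
// "link" is a plain object standing in for an <a> element.

// Stand-in for an ad anchor: looks like displayHref, navigates via redirectorHref.
function makeAdLink(displayHref, redirectorHref) {
  return {
    href: displayHref,
    // Click-time rewrite; a generic pattern, assumed for the example.
    onmousedown() { this.href = redirectorHref; },
  };
}

// What the status bar would show while hovering.
function hoverTarget(link) {
  return link.href;
}

// What the browser would actually navigate to after the click handler ran.
function clickTarget(link) {
  if (typeof link.onmousedown === "function") link.onmousedown();
  return link.href;
}

// Many redirectors carry the landing page in a query parameter. The name "url"
// is an assumption for this example, not any particular ad network's format.
// If no such parameter exists, the redirector itself is the best we can say.
function landingPage(redirectorUrl, param = "url") {
  const u = new URL(redirectorUrl);
  const dest = u.searchParams.get(param);
  return dest ? new URL(dest).href : u.href;
}

// Same registrable host? (Plain hostname comparison; good enough for the demo.)
function sameSite(a, b) {
  return new URL(a).hostname === new URL(b).hostname;
}

// Build a fresh link, hover it, click it, resolve the redirector and report
// whether the page the user would land on matches the site they thought they saw.
function auditAdLink(displayHref, redirectorHref) {
  const link = makeAdLink(displayHref, redirectorHref);
  const hovered = hoverTarget(link);
  const clicked = clickTarget(link);
  const landing = landingPage(clicked);
  return { hovered, clicked, landing, mismatch: !sameSite(hovered, landing) };
}

// Constructed sample: the display address looks like the bank's login page,
// but the click goes through a redirector to a look-alike host.
const SAMPLE_DISPLAY = "https://bank.example/login";
const SAMPLE_REDIRECTOR =
  "https://ads.example/click?id=123&url=https%3A%2F%2Fbank-example.test%2Flogin";

console.log(auditAdLink(SAMPLE_DISPLAY, SAMPLE_REDIRECTOR));
```

The point the audit makes is the one the article makes: the only address the user ever sees is `hovered`, while `landing` is where the credentials would go, and nothing in the hover step exposes the difference. In practice you cannot resolve a redirector offline like this; the defensive habit is to treat any ad link's visible address as untrusted and to check the address bar after the page loads, before typing anything.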

"To get a sponsored link, you actually have to agree to pay for your clicks. And as this link was the top sponsored link, they had to have paid more money than other sponsors," explains McAfee's Allysa Myers.

"[The link] would then direct them to a malicious site which contains a script which we detect as JS/Wonka.

"This site...contains a number of exploits. There are two particularly notable exploits in this lot - one for a recent QuickTime vulnerability and one for the ANI vulnerability from last month.

"The end result of this script is that it installs a downloader, for which detection is being added as Generic Downloader.ab. This downloader then downloads a PWS-Banker trojan to steal your online banking credentials."

Looping techniques

That lot sounds complicated, but basically: clicking on the ad takes you to a site that tries to exploit an unpatched browser or plug-in (the QuickTime and ANI bugs mentioned above), drops a downloader, and the downloader then fetches a trojan to nick your banking details. No further click is needed once you are on the page, though a machine already patched against those two vulnerabilities would not fall to those two exploits.

Myers says malicious use of Google's many facilities isn't unusual. "In the past, we've seen looping techniques used for index hijacking in order to increase PageRank, so that a page will show up higher in the list of returned results in Google's search results."

Google has now terminated the relevant advertising account. We can only wonder what the return on investment was like.