Google Inc. yanked paid advertisements linked to some 20 search terms that online criminals had hijacked to steal banking and other personal information from Web surfers looking for the Better Business Bureau and other sites.
It was unclear how many people were affected before the breach was discovered this week, but computer security experts said Thursday the attack appears to be isolated and only targeting Windows XP users who had not properly updated their machines.
They said the attack was unlikely to undermine Google's core business of selling lucrative advertising links, which made up the bulk of the Mountain View-based company's $3.08 billion in profit in 2006 and $1 billion in the first quarter of 2007 alone.
Google said it dismantled the offending links and shut down the problem AdWords accounts Tuesday. The company is working with advertisers to identify any other malware-loaded sites that might be on the network, it said.
"We canceled the affected ads as soon as we were made aware of the problem," the company said in a statement. "Overall, Google is committed to ensuring the safety and security of our users and our advertisers. We actively work to detect and remove sites that serve malware to our users both in our ad network and in our search results."
However, the experts said the infiltration of the Web's largest marketing network raises questions for the entire search industry about how to screen advertisers for those with nefarious motives.
The attack targeted the top sponsored links tied to Google search results, installing a program on victims' computers to capture private information used to access online accounts for 100 different banks.
"This is serious — there's confidence in the links that are at the top, whether they're sponsored or not," said Nick Ianelli, an Internet security analyst with the federally funded CERT Coordination Center at Carnegie Mellon University. "It's going to affect the whole industry, not just one provider."
The scheme, discovered by security software firm Exploit Prevention Labs in New Kingston, Pa., involves a ruse by online criminals to fool Google searchers into clicking through a rogue site loaded with malicious code.
The criminals created their own Web site and outbid legitimate businesses in Google's AdWords program to secure prime placement of ads linked to popular search terms. Users who clicked on those ads were then routed to the booby-trapped site before being sent on to the legitimate destination.
Ken Dunham, director of the rapid response team at VeriSign Inc.'s iDefense Intelligence, said criminals targeted Google's AdWords service in a similar manner in a 2005 "phishing" attack.
In that case, the criminals created a site that mimicked a well known retailer, placed an ad on Google, then stole users' credit card and other information when they tried to order products, he said.
Dunham said Google likely implemented more stringent authentication policies for its premium advertising members after that incident. However, he said it would be too costly to impose the same verification procedures for all advertisers.
The current incident raises questions for search companies about how they screen members of its advertising network and drives home the message about keeping up with security updates, Dunham said.
"Attackers have been doing this for some time _ the old dog is still doing old tricks and it's working," he said. "We need to realize this is a known tactic, people should be aware of it and identify when this could be an issue."
Roger Thompson, chief technology officer for Exploit Prevention Labs, said Thursday that no further attacks of this type had been discovered, "but the exploit site is still live and serving, so if someone finds a way to hook to it, it'll fire."