Don’t use URL shorteners for your SEM campaigns
TLDR: don’t use URL shorteners that are not in your brand’s control. Make sure they are covered in your infosec setup.
It’s been a while since the last blog update. Something strange popped up today, and it was pretty surprising it could happen to a large brand like Home Depot.
Today, while looking for something from Home Depot, I clicked on one of their Google Ads (apologies, I was too lazy to type in the domain!).
The ad all looks good, a quick click and I can be on my way.
The first surprise was where the ad result took me: yes, it wasn’t homedepot.com.
These types of scams are pretty well known so I’ll skip that part about what these people are trying to do.
The hijacked page sets off a few alarm bells for me. My first reaction was to think that my computer had been compromised.
Has my browser been compromised?
My first thought was to check my browser extensions on Google Chrome. Some extensions can run incognito, but it was quickly verified that this was not the issue.
It’s also worth checking the default search engine, in case it’s been replaced with some other 3rd party one that will filter out some of the search queries.
Has my DNS been compromised?
The second step was to check my DNS settings, and I updated mine to Google’s DNS (18.104.22.168 & 22.214.171.124) to make sure a rogue DNS server wasn’t getting in the way. It’s possible that by connecting to some wifi hotspots you accept DNS settings that have somehow been changed. If this were the case you’d expect some type of warning to show up, for example the SSL cert would fail on Google.com.
Let’s look at the URL path
So there had to be something going on, and in the end it was quite easy to see. Checking the URL the ad click goes to:
Ad Click Target: https://www.google.com/aclk?sa=L&ai=DChcSEwik8oSChPH3AhVSglsKHdORAOUYABAAGgJ5bQ&sig=AOD64_1HsQRM1BDKhvZnKe-Ek2SYaIWLKw&q&adurl&ved=2ahUKEwjv7fqBhPH3AhWbg4kEHRpGCR4Q0Qx6BAgEEAE
That seemed okay. Using redbot.org you can step through the redirects; here are a few of them:
Tinyurl.com, that looks a bit suspect
So, what’s happened? Most likely an SEM manager somewhere had used tinyurl.com to do some analytics, and that has been compromised somehow.
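The redirect check described above can be automated as part of an ad-campaign audit. This is an added example, not part of the original post: the policy sets, the shortener list and both redirect chains are constructed for illustration, and `audit_chain` is a hypothetical helper that walks recorded `Location` headers and flags any hop outside the brand's control.

```python
from urllib.parse import urljoin, urlsplit

# Assumed policy for this sketch: domains the brand controls, intermediaries it
# has approved, and a small illustrative (not exhaustive) shortener list.
BRAND = {"homedepot.com"}
APPROVED = {"google.com"}
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}

def under(host, domains):
    """True if host equals a domain or is a subdomain of it (label boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(url):
    """Label a URL's host as brand, approved, shortener or unknown."""
    host = urlsplit(url).hostname
    if under(host, BRAND):
        return "brand"
    if under(host, APPROVED):
        return "approved"
    if under(host, SHORTENERS):
        return "shortener"
    return "unknown"

def audit_chain(start_url, locations):
    """Walk recorded Location headers from start_url; return (hops, findings)."""
    hops, findings, url = [], [], start_url
    for loc in [None] + list(locations):
        if loc is not None:
            url = urljoin(url, loc)  # a Location header may be relative
        kind = classify(url)
        hops.append((url, kind))
        if kind in ("shortener", "unknown"):
            findings.append(f"hop {len(hops)}: {kind} host {urlsplit(url).hostname}")
    if hops[-1][1] != "brand":
        findings.append("final landing page is not on a brand domain")
    return hops, findings

# Constructed redirect chains (not captured traffic).
CLEAN = ("https://www.google.com/aclk?sa=L",
         ["https://www.homedepot.com/p/item", "/p/item?ad=1"])
HIJACKED = ("https://www.google.com/aclk?sa=L",
            ["https://tinyurl.com/EXAMPLE", "https://homedepot.com.landing.example/win"])

if __name__ == "__main__":
    for name, (start, locs) in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, audit_chain(start, locs)[1] or "ok")
```

Matching on a label boundary matters here: a plain substring or prefix test would treat the constructed host `homedepot.com.landing.example` as a brand domain.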
Disclosure: I’ve reached out to a number of people at Home Depot & TinyURL via LinkedIn & Twitter to alert them to this type of attack. But I also wanted to highlight this here in case someone else can share this quicker. P.S. your organisation should maintain an infosec@ email address!