Early this year we observed spammers using Google page ads in HTML-formatted emails to redirect users who click the spammed URL to the spammers’ sites.

http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS
&num=123456&adurl=http://www.spammersite.com

At first we thought Google page ads were being used to conceal the actual URL and subvert traditional anti-spam detection techniques. However, it seems one can change the linked URL to point to any site of your choice–as no validation appears to be done on Google’s end.

One can even point the Google page ad to executable files (malware authors have started doing this), and the link will redirect and download the malware just fine. It’s kind of ironic given than Google is very strict about the kind of file attachments one can upload/download via their Gmail service.

http://www.google.com/pagead/iclk?…adurl=http://download.nai.com/…/win_xdatbeta.exe

The preceding example downloads a McAfee signature file in executable format.

Google must be aware of this redirect abuse, and it’s hard to understand why they don’t prevent these redirects working for known bad file types or for spam and malware sites.