Page 1 of 2 12 LastLast
Results 1 to 25 of 27
  1. #1
    .
    Join Date
    January 18th, 2005
    Posts
    2,973
    Google AdWords account hijacked
    I've just spent the past hour trying to recover from the hijacking of my Google AdWords MCC account, and dealing with thousands of dollars in illegal charges by the hacker.

    Someone hacked into my account (which allows access to a number of my own personal AdWords accounts as well as client accounts), and cleverly replaced a number of existing campaigns with spammy "debt relief" and "lucky software" campaigns with bids at $18 to $22 per click. What's really strange is that someone then went in and changed the text ads to remove the original ad text, and deleted the new campaigns -- it's unclear if the hacker did this to cover his tracks, or if Google security did it (it's probably the former, since it shows my login as making the changes).

    Thus far, I've identified $4,500 in fraudulent activity in one account (even after everything was paused, I'm still seeing the numbers grow as data accumulates); I'm not yet seeing any transaction data in the other accounts but I won't be surprised if I see charges there, too.

    I have just "closed" six of my personal AdWords accounts which have been inactive for many months (until today).

    The worst part is that because of the volume of changes made, and the way that data was altered and overwritten multiple times, I now believe that the only way I'll be able to restore the client account to its "correct" configuration will be to delete all existing campaigns and re-create everything. If we re-launch everything using campaigns and ad groups with identical names, we'll have some continuity of reporting, but I believe we're going to lose all benefits from historical account performance.

    The timing could not possibly be worse.

    Change your passwords. Check your accounts.

    And happy holidays.

  2. #2
    Newbie
    Join Date
    March 22nd, 2006
    Posts
    35
    The same thing happened to me as well. Apparently it is happening pretty frequently now as I scan various message boards. That stinks that it went so deep into both your personal and clients accounts. The good news is Google will take care of the charges. However, the bad news is they will keep your account off until they review all the data. It took about 2 or 3 days for them to take care of everything for me, though I know this does not make up for the account history issues you mentioned.

    Any idea how they could have got your password? From what I have been reading people have concluded it was either phishing emails or a brute force attack. I hope everything works out for you and your clients!

  3. #3
    ABW Ambassador CathyM's Avatar
    Join Date
    May 30th, 2006
    Location
    Torrance, CA
    Posts
    893
    What a horrible thing to happen to both of you. I have also read on other forums about other adwords accounts being hacked recently. I will take your advice and come up with new and stronger passwords.

    I hope things get straightened out for you with Google and quickly.

  4. #4
    .
    Join Date
    January 18th, 2005
    Posts
    2,973
    I now see another $700 in charges in one of my personal accounts, in addition to the $4,500 in charges to the client's main account. Although campaigns were created, edited, and then deleted in the client's secondary account, I am not seeing any charges there.

    I don't know how my password was intercepted. Obviously I've been scrambling to change all my passwords this evening, and I'll be watching my AdWords accounts constantly over the next 36 hours until Google answers their phones Monday morning. But I'm worried that however they accessed the account earlier today, they may be able to get the new passwords.

    I am optimistic that Google will reverse the fraudulent charges, but as you note, the real issue is the loss of traffic for the client during their busiest week of the year. (Google will also lose at least $1,000 and quite probably $3,000 or more due to the stoppage on the account.)


    Holy crap -- I just realized that I haven't yet checked the Yahoo and MSN accounts.

    Added: Whew - no apparent changes in the MSN and Yahoo accounts.

  5. #5
    SEO: A Specialty - Web Design: Slow or outsourced andbeyond's Avatar
    Join Date
    June 18th, 2006
    Location
    The Call is coming from Inside the House!
    Posts
    1,332
    Even hackers agree that MSN and Yahoo isnt worth the trouble usually.

    And are you using webmail like yahoo, gmail, or hotmail?

    many of them have been hacked at times. Then all they have to do is ask for the password to be emailed to them or do a search through old emails.

  6. #6
    .
    Join Date
    January 18th, 2005
    Posts
    2,973
    Better safe than sorry, I guess -- I've decided that this experience justifies the effort of a fresh start across the board.

    I just cancelled my primary credit card, and I'm going to go through and cancel every single bank card (credit, ATM), and I'll also change every single password on every single account. For some credit cards, I'll request replacement cards; for others, I'll just close out the accounts.

    The hard part, of course, will be changing all the information for my various accounts (hosting, phone, utilities, insurance, etc.) that automatically charge to the old credit cards.

    I'll just be thankful that I didn't lose more.

  7. #7
    What's the word? Rhia7's Avatar
    Join Date
    January 13th, 2006
    Posts
    9,578
    Wow, Mark, what a hassle. I'm sorry you have to go through this and follow the procedures outlined at any time but at the "kick off" of the holiday season it's certainly a downer.

    I hope things get back to normal soon.
    ~Rhia7 -- Remember the 7
    Twitter me

  8. #8
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    Sounds like a true horror story. Google has slowly made me use their Account set up which gives you one log in for multiple services. I'm not sure that's such a great idea. I guess this should make me take a look at those passwords.


  9. #9
    ABW Ambassador affninja's Avatar
    Join Date
    December 11th, 2005
    Location
    Nor-Cal
    Posts
    651
    Angry
    Yikes! I'm sorry that happened especially around such a busy time of year. Hopefully you can get everything back to normal quickly.

    Aside from making hard-to-crack passwords and changing them frequently, any other safeguards we all should take?

  10. #10
    Newbie
    Join Date
    March 22nd, 2006
    Posts
    35
    Don't forget to check the account tab as they could have created different logins.

  11. #11
    .
    Join Date
    January 18th, 2005
    Posts
    2,973
    Absolutely the first thing I did was to check and verify that no new account logins were created. (However, Google's access-approval process triggers multiple emails that I would probably have noticed.)

    As far as what safeguards to take: I'm manually generating new complex passwords for every login, and I am NOT storing the password list on my computer, but in handwritten form only. I'm also changing my login/user name for many accounts. I'll also create calendar entries to set aside a half-day every 2-4 months to reset all passwords.

    Like John, I'm also taking a serious look at my current use of a single Google login for all Google activity -- I will probably create a separate "reports only" accounts to use when logging in to view Google activity from my iPhone (but those will require separate logins and passwords for each account, a huge pain).

    I also need to re-evaluate the use of "tiered" Google MCC accounts to access both my personal and client AdWords accounts (currently, I have one "master" MCC account, under which I have my "personal" MCC account to manage my personal AdWords accounts, and a "client" MCC account to manage AdWords campaigns for a client).

  12. #12
    SEO: A Specialty - Web Design: Slow or outsourced andbeyond's Avatar
    Join Date
    June 18th, 2006
    Location
    The Call is coming from Inside the House!
    Posts
    1,332
    I think paper is admirable but even riskier. How many people are in your house in a year? Do you shred all paperwork? Can you truly read your handwriting on tough characters?

    I would think about Keepass or something else. Keepapss is free. Roboform highly rated and very automatic.

    I personally wouldnt cancel credit cards. Just watch them like a hawk for a few months. It is hard to get numbers from a website. Easier to put them in.

  13. #13
    Merchant & ABW Ambassador
    Join Date
    May 31st, 2006
    Location
    Houston TX
    Posts
    4,731
    Are you using Google Editor?

    That could be another way that they got into multiple accts.

  14. #14
    ABW Ambassador isellstuff's Avatar
    Join Date
    November 9th, 2005
    Location
    Virginia
    Posts
    1,659
    Mark, the exact same thing happened to me. I forget the exact amount that they ran up on my accounts but it was over 30k. I think my password was weak and they just brute forced it.

    I did spend weeks searching my computers for root kits, bho's, etc. But I never found anything. I got hit during back-to-school in August and the lost business from my adwords accounts being tied up amounted to about 10k. Real bummer because I had gone full time in Affiliate Marketing only a couple of weeks before.

    I asked my adwords rep to open up a new account and up the KW limit on it. I was able to get my campaigns going again after about three days, but I had to check the account frequently because fraud filters were frequently tripped. I think because billing information was the same as the hacked accounts. It was probably seven days before things were back to normal.

    As soon as I saw the fraudulent charges I canceled my credit cards. I was able to catch it before the charges went through by about 2 hours. My accounts were credited a couple of weeks later by Google. Now... I put a valid credit card back into my accounts to settle up charges and the 30k of charges went through and then was immediately reversed. That maxed out my credit card for 24 hours... More lost money...

    Now a days I never let my adwords accounts go more than a few hours before I check them. I stay away from Wi-fi and don't use my iphone. I've got anti-virus/rootkit detection on every computer and I don't store my passwords anywhere without encryption.

    Its horrible and can really hurt financially. I'm sorry it happened to you too. If you search WMW you will find 100's of people complaining about the same thing, as well as lots of tips on how to deal with the problem.
    Merchants, any data you provide to Google Shopping should also be in your affiliate network datafeed. More data means more sales!

  15. #15
    ABW Ambassador isellstuff's Avatar
    Join Date
    November 9th, 2005
    Location
    Virginia
    Posts
    1,659
    One other thing for everyone... These hackers hit you on Friday's because very few people work weekends (INCLUDING ADWORDS SUPPORT!!) Never let you adwords account go unattended over a weekend...
    Last edited by isellstuff; November 30th, 2008 at 09:47 AM. Reason: clarify who works weekends
    Merchants, any data you provide to Google Shopping should also be in your affiliate network datafeed. More data means more sales!

  16. #16
    ABW Ambassador isellstuff's Avatar
    Join Date
    November 9th, 2005
    Location
    Virginia
    Posts
    1,659
    Oh... And the most important tip... Under "Tools" in adwords there is a "My Change History" link. This will let you see everything that has been done to your accounts.
    Merchants, any data you provide to Google Shopping should also be in your affiliate network datafeed. More data means more sales!

  17. #17
    Analytics Dude Kevin's Avatar
    Join Date
    January 18th, 2005
    Location
    Rochester, NY
    Posts
    5,904
    Eric: Can you expound on how Google Editor may have been related? I'm assuming you mean Adwords Editor....
    Kevin Webster
    twitter: levelanalytics

    Kayak Fishing
    Web Analytics and Affiliate Marketing

  18. #18
    Lite On The Do, Heavy On The Nuts Donuts's Avatar
    Join Date
    January 18th, 2005
    Location
    Winter Park, FL
    Posts
    6,930
    i've been following these occurrences elsewhere and unique, strong passwords seem to not have been hit. personally, i think brute force is out of the question - G has systems in place all over the globe and would be able to pick this off easily. i think it's more likely that somebody hacked into a forum or third tier search engine somewhere and many people there are marketers and happen to use the same password there as they do for adwords... just my hunch, as nobody using strong, unique passwords has been hacked as far as i know, and i've asked many about this.

  19. #19
    Merchant & ABW Ambassador
    Join Date
    May 31st, 2006
    Location
    Houston TX
    Posts
    4,731
    Quote Originally Posted by Kevin
    Eric: Can you expound on how Google Editor may have been related? I'm assuming you mean Adwords Editor....
    I know that one is able to manage multiple accounts under adwords editor. If that Main account is compromised, it is easy to move to other accounts and compromise those/

    Over here, they call it MCC
    http://www.google.com/support/adword...y?answer=30508

    I am not managing multiple accounts so I would not know or seen the features or working of the MCC.

    It was more of a query as to whether Mark might have used it and if that is a possible way it was compromised. Trying to offer him a possible cause.

    Here are some links you can read up on (not related to Editor)
    webmasterworld.com/google_adwords/3722833.htm
    webmasterworld.com/google_adwords/3749980.htm

  20. #20
    Analytics Dude Kevin's Avatar
    Join Date
    January 18th, 2005
    Location
    Rochester, NY
    Posts
    5,904
    Gotcha. Thanks for the clarification.
    Kevin Webster
    twitter: levelanalytics

    Kayak Fishing
    Web Analytics and Affiliate Marketing

  21. #21
    ABW Ambassador isellstuff's Avatar
    Join Date
    November 9th, 2005
    Location
    Virginia
    Posts
    1,659
    Quote Originally Posted by Donuts
    i've been following these occurrences elsewhere and unique, strong passwords seem to not have been hit. personally, i think brute force is out of the question - G has systems in place all over the globe and would be able to pick this off easily. i think it's more likely that somebody hacked into a forum or third tier search engine somewhere and many people there are marketers and happen to use the same password there as they do for adwords... just my hunch, as nobody using strong, unique passwords has been hacked as far as i know, and i've asked many about this.
    Totally agree about strong unique passwords. I was guilty of using the same e-mail address and password across a host of services both within Google and outside of google. My adwords login was the same one I used for google docs, gmail, iGoogle, google reader, adsense, analytics, webmaster tools, etc.... No longer.
    Merchants, any data you provide to Google Shopping should also be in your affiliate network datafeed. More data means more sales!

  22. #22
    Merchant & ABW Ambassador
    Join Date
    May 31st, 2006
    Location
    Houston TX
    Posts
    4,731
    Quote Originally Posted by isellstuff
    Totally agree about strong unique passwords. I was guilty of using the same e-mail address and password across a host of services both within Google and outside of google. My adwords login was the same one I used for google docs, gmail, iGoogle, google reader, adsense, analytics, webmaster tools, etc.... No longer.
    Here is a suggestion, create a unique email address that you do not share it. It can also be an alias. Something like payperclick@isellstuff.com + a strong passwd.

  23. #23
    .
    Join Date
    January 18th, 2005
    Posts
    2,973
    Donuts wrote: > "i've been following these occurrences elsewhere and unique, strong passwords seem to not have been hit. personally, i think brute force is out of the question - G has systems in place all over the globe and would be able to pick this off easily. i think it's more likely that somebody hacked into a forum or third tier search engine somewhere and many people there are marketers and happen to use the same password there as they do for adwords... just my hunch, as nobody using strong, unique passwords has been hacked as far as i know, and i've asked many about this." <

    I agree with most of this. I certainly don't think that "brute force" would work to find a Google password. But for my Google AdWords account, I was using a strong, unique password (longer than 6 characters, containing no dictionary words or other "real words," and including at least one letter and at least one number), and this password was not used on any other sites. Nor did I enter my Google password in response to a phishing scam.

    It may be relevant that my MCC account was hacked less than 24 hours after I activated a new client account (entering credit card info, uploading campaigns, and activating the campaigns -- although the account itself had been created as a "placeholder" several months ago without any campaign or credit-card data). Interestingly, the hacker launched campaigns in the new account plus two pre-existing accounts -- but did not generate any traffic in this newly-activated account, only in the two pre-existing accounts. I learned of the hijacking when I received a "disapproval" email from Google, rejecting a "debt relief" ad -- this ad, which seems to be identical to an ad also launched in another account, might have been scrutinized more closely (or sooner) than the others because it was in a new account.

    My theories (in order of probability):

    (1) Someone electronically intruded into my computer (in a way that I've still not been able to detect), and either captured the password or actually remotely accessed the computer to use my browser to execute the changes (I'm still waiting for Google to identify the IP address used to make the changes -- and regrettably I don't expect them to do so, which will make it impossible to research further and will also make it meaningless to file a police report.) The key factor that supports the "remote access" theory is the fact that AFTER I changed the password, I later returned to the computer and was unable to login using the new password -- but I was able to login by letting the browser use a password stored in the browser! This happened TWICE over a period of several hours. Once I realized this had happened, I pulled the plug on that computer, and that bizarre behavior has not repeated since then.

    (2) Someone managed to get my login and password data from Google (e.g. from an employee or contractor, or someone who hacked into Google's internal database).

    (3) Someone "sniffed" of captured packet traffic somewhere between my computer and Google, or between Google HQ and its staff (e.g. its offshore reviewers), and decrypted or deciphered the password from that traffic.

    (4) Someone used some special form of access (such as the access used by Google's support staff to view client accounts) to log in as me and make changes.

    (5) There may be a specific security issue with the iPhone: after I changed my password, and even after I manually logged out of Google Accounts from the iPhone, and then even after my account was disabled by Google, the iPhone was still able to access the iGoogle bookmarks associated with my Google Account login (indeed, I can still load the iGoogle page, click on the bookmarks tab, and view and click the iGoogle bookmarks associated with my now-disabled Google Account, even though I am not actually logged in to that Google Account).

  24. #24
    Lite On The Do, Heavy On The Nuts Donuts's Avatar
    Join Date
    January 18th, 2005
    Location
    Winter Park, FL
    Posts
    6,930
    your number #1 probability item (and some of the others) leaves me wondering why these folks would target adwords accounts to monetize their thievery... seems like bank accounts, retirement funds, credit card data and all sorts of other stuff would likely be their intended take... monetizing thier theivery via adwords is a stretch for me. crap, just picking google's baby to mess with would be very stupid for a common id thief, remember those portable data center trucks g bought, and their data centers all over the place... G would be the last group i'd think i could hide from, so i suspect these aren't data thieves, but somehiw have access to marketers data and are using the only method available to them to monetize what they've managed to possess...

  25. #25
    ABW Ambassador ladidah's Avatar
    Join Date
    October 15th, 2007
    Location
    MA
    Posts
    1,888
    Quote Originally Posted by Donuts
    G would be the last group i'd think i could hide from, so i suspect these aren't data thieves, but somehiw have access to marketers data and are using the only method available to them to monetize what they've managed to possess...
    Any of the 10,000 people who may be layed off could also be suspect. The likelihood of just one out of the 10,000 (maybe disgruntled/upset) employees knowing ways to get data access is great.

+ Reply to Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Google Adwords - Account Under Review
    By ThePooh in forum Commission Junction - CJ
    Replies: 4
    Last Post: August 1st, 2009, 12:23 AM
  2. Google results hijacked - heads up!
    By c4 in forum Search Engine Optimization
    Replies: 4
    Last Post: June 11th, 2009, 05:27 PM
  3. Check you adwords account [BUGS]
    By Mack in forum Search Engine Optimization
    Replies: 18
    Last Post: February 20th, 2007, 06:38 AM
  4. Google Hijacked?
    By Rick K. in forum Search Engine Optimization
    Replies: 7
    Last Post: May 27th, 2005, 01:30 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •