The feature is intended so that you can have a link "to" http://trackersRus.com/ which forwards to http://ebay.com/, without the user seeing that bit of ugly.

It's been used in campaigns for years, I've reported probably hundreds of these distributing malware.

That kind of situation is usually detected when ads are entered into the Google Ads* platform for review, with ads then rejected for "destination url mismatch". One thing checked is that the final destination url after all redirects matches what is specified in the ad's final url field.

I suspect the scammers here are somehow faking the destination url for Google's bot checker to pass the Google checks and then serving different destination urls to users who they believe are not Google bots.

* Google Ads is now the correct branded name. No longer called AdWords as in the title.

Most browsers support a lovely feature where the a tag has a ping attribute, which is intended for more or less this use case.

https://support.google.com/google-ads/answer/7544674?hl=en

Then set up an explicit 301 or 302 on example.com to make this happen, don't hide it in the ad-serving layer.

I'm sure it's easy to find their bot IP's too. Just make a bunch of terrible ads that nobody will click and see who visits the url.

Google needs to abolish this link policy, I don't see how it's enforceable

Wouldn't work - they do periodic checks after approval. Something more sophisticated appears to be going on here.

>Google needs to abolish this link policy, I don't see how it's enforceable

Link analytics and link trackers are perfectly legitimate. There are many situations in which it is necessary or desirable to go via intermediate urls before the final destination. Throwing out the baby with the bathwater definitely isn't the answer here.

What if you randomly redirect, say, 95% of clicks to eBay and take the remaining 5% to your phishing site? Each of Google's periodic checks would only have a 5% chance of catching you, but if you can get enough impressions over eBay's legitimate ads (which is an entirely separate facet to all of this), you'd still get a ton of bites, because so many people get to eBay the way Aunt Sue does.

Better yet, your redirect service could look at the client IP address and only redirect to the phishing site if it matches a known range for, say, Comcast or Charter. Or use it to drill down even farther and set up multiple spear phishing campaigns.

It seems like there's no shortage of ways to abuse this, and for Google to allow redirects without some sort of robust verification that the advertiser owns the destination domain (such as @gnud's certificate-based suggestion in a sibling comment) seems downright negligent, if that is indeed how they operate.

You can achieve the same thing without redirects using URL parameters or the referer field. Google should ban any destination that doesn't match the sites domain. It's an unfixable security risk that's being actively exploited

Facebook closed my report as 'not against ad policy'.

Anyway, this is actually easily fixed without losing tracking/campaign flexibility, by requiring ad orders to be signed by a certificate valid for the target domain, if the URL is different from the displayed one.

Heh, makes you wonder, what's the ad policy? Sounds like: 'They pay us money, so must be legit?'

Google's solution ensures that the marketing people get what they want without the technical people standing in the way.

I get that there’s workarounds like changing the redirect after Google checks it, but there’s solutions to this too (like running checks every so often to ensure the link redirects to the same domain).

For this purpose there's a lot of room for false positives. It doesn't matter if some actual users actually get redirected to ebay.

But then what about almost-uri text. www.yourbank.com without the https://. Or lookalikes "https:\\" or... what about proxies? does https://l33th4x.com?proxy=www.bank.com count if the text is www.bank.com?

Filtering crap like this sounds reasonable but very quickly becomes an exercise in what I call "Giving a mouse a cookie." Now you have a huge complex chunk of code to parse and filter URLs/URIs and every look-alike you can think of; Did you remember that automatic deserialization that kicked in when your values were sent to a callback?

2 days of work later, your new build has fancy-pants a tag filtering that contains and unknown number of bugs and phishers just register and use new domains that look kinda legit and follow your new text/link rules. www.security-wellsfargo-audit.com/login looks legit to the mark, your mail client allowed it so it must be OK.

This sounds an awful lot like how software development in general works...

Isn't all software just some version of "Giving a mouse a cookie."?

"If you give a mouse a cookie, he'll ask for a glass of milk"

"If you give a mouse a glass of milk, he'll ask for a straw"

And the story keeps going like that, with more and more requests coming in. It's almost like never-ending scope creep, except the book has an infinite loop in it.

And where do you draw the line? Should it flag a link with text "htp://ebay.com" that goes somewhere else? "ebay" with a href somewhere else?

There's no technical workaround to educating users.

I think it’s silly to argue against this. It’s like saying “computer security is hard so why bother at all.”

It’s a continued arms race, where you continue to make things harder and harder. This strategy is working the rate at which people are hacked on platforms like iOS is a fraction of what it used to be like for general computing. There will always be security holes, but you plug them as you find them just as you create mitigation’s against classes of problems to the best of your ability. Why make it easy for the attacker?

I'm clearly not saying don't do it at all, I'm saying that this approach won't succeed at anything other than making developers feel like they're Doing Something™. Actual spam filtering and 2fa are examples of real security, showing users the URL is an example of security theater.

The corollary is the nonsensical "security is hard so let's force non-technical users to do it".

Only Brick wall UX works. That's what WebAuthn does here. Don't offer the user a way to "continue anyway", don't ask them confusing questions, just a brick wall and no way forward.

The user will probably be emotional. Scammers work hard to make your users afraid, or horny, or confused, and so they really, really want to give their bank credentials to https://honest-this-is-your-bank.not-a-scam.example/tmp/back... and nothing you can tell them is going to make them stop wanting to do that.

The brick wall doesn't care about the user's emotional state and will stubbornly resist. Maybe the user will eventually realise it was a scam, maybe they won't, the brick wall doesn't know or care either way.

Brick Wall UX even helps the software engineer. When a manager asks if you can't just add a banner that says "Hi, this is our new web site, please continue to use your old credentials" and thus undo every second of training about phishing your users ever got the answer with a Brick Wall UX is that literally can't work. No matter how much they beg and cajole and swear it's just a temporary workaround, it will not work at all, so they're just going to have to go tell the Big Boss that no matter how much was spent on new-brand-name.example the login system will have to remain forever on login3.long-forgotten-brand.example because that's what some idiot picked five years ago then it was set up and too bad.

I'm of two minds about this personally. On the one hand, I appreciate the argument that the only thing that can prevent businesses from doing something bad, stupid or abusive is if it's legally, physically or by design impossible. On the other hand, as a pro user, I do appreciate the ability to override software when it mistakenly tries to prevent me from doing something.

There are enough examples in the past that clearly demonstrate that developers are not benevolent or competent enough to have complete and final control over the software their users run. Sometimes this control even results in the exact opposite of what the developers originally intended, as was the case with firefox addons just a couple of days ago.

Ultimate control over software should always reside in the hands of the user.

This is really the core problem in security; the world is designed for people like this by people like this, without any serious thought for the implications for the overwhelming majority of users. Do not include "I know what I'm doing" escape hatches, and security will magically get better for the many at the expense of convenience for the few.

Let's give every user a tablet that has two buttons. You press one, you get a new cat picture. Press the other to "like it". That's all the user needs. All data exchange is end-to-end encrypted from the cat picture provider to tablet's input&video drivers - can't risk the spooks^Wcompetition knowing what they're looking at. They don't need to do banking - like everywhere else, they just sign a three-party contract with the tablet provider and the bank. This way, the Bad Guys can't steal users' money! Oh, the users also want to watch pictures of squirrels? There's a separate tablet for that pulling from separate provider; it's insecure to let these mix on one device!

Seriously, this is how the world would look like if security got its wish. There is a point past which security is essentially enslavement, and that's true both in physical security and computer security.

The credentials in these protocols depend explicitly on the verified FQDN of the server (and thus you can only use this with HTTPS). When scammer.example asks for your credentials there literally isn't a way to give it credentials for realbank.example. No matter how sure you are that you're a very smart person and definitely need to give scammer.example access to empty your bank accounts, no way to do this is available. Maybe next week you'll still be angry you couldn't do this, maybe you'll realise it was a scam, don't care.

This is why Google reports zero successful phishing for their own systems. U2F is mandatory there. Their employees aren't magical, some will fall for scammer.example and they will be really frustrated that they can't use their Google login like it says, and some will scream at their help desk team about how stupid this is, how it's totally broken, and even after they demand that the help desk person be fired and they change their password six times and write a ten page rant on their blog they still can't give their employee credentials to the scammer and Google remains safe.

I think (or at least hope) that most people are in the habit of hovering over links in email before clicking them. And I really hope that mail readers never start implementing Javascript. As for web apps, that's the Wild West, and a small fix like this isn't going to tame it.

    a:after {
        content: attr(href);
        display: inline-block;
        padding: 0 1ex;
    }

Either way, "the hard part" is generally undesirable to users because it compromises their privacy in order to manipulate them.

My eyeballs are not free. I hate advertising and advertisers. I have no pity for the advertising platform that cheaps out on security just because it's expensive.

The use case that this breaks is doing click tracking on links using redirects from a unique url to the actual url (which would be the url displayed in the link text).

To avoid breaking this use case, the best remedy would be to prompt the user with a security warning upon clicking a mismatched link prompting them the verify the url in the url bar. The issue, is that doing this selectively teaches the wrong security practice to users: that they can improve their safety by looking at the link text rather than at the url bar after clicking the link.

I, personally, would be quite happy for this use case to break.

Why? If you don't want to be tracked it is pretty easy to avoid. You should already only be getting/opening emails you care about. Emails you don't care about should be unsubscribed from and reported as spam. Granted that links should only be tracked in email you do care about, why do you not want those people to have the information they need to refine and improve these emails so they can better serve and inform you?

I would assume that happiness depends on how this use case is broken.

Would you be happy if the email just doesn't show up or gets shunted to spam? Even if it is a password reset email or a email verification email?

Would you be happy if the link just failed to open, forcing you to copy and paste the link text manually? Why not just do that on your own anyway? No need to have the email client block this for everyone just to suite your tastes.

This leaves us with just the behavior I mentioned above and my argument against it.

Well, it comes at the expense of 1) making things slower for me and 2) making it more difficult to discern phishing emails from legitimate ones. I also find it difficult to believe that all of this analytics is actually doing much to inform me about things I care about.

> Would you be happy if the email just doesn't show up or gets shunted to spam?

It's unfortuate, but I would understand it if it happend. I certainly hope most phishing emails would end up in my spam.

That is a valid reason, but I suspect the extra delay of 2x your ping when you click on a link and wait for it's target to load is fairly negligible for most people.

> 2) making it more difficult to discern phishing emails from legitimate ones

You shouldn't be relying on link text to discern phishing emails, that is what the client checking SPF records and the user checking the contents of the url bar are for.

> I also find it difficult to believe that all of this analytics is actually doing much to inform me about things I care about.

Why is that? I would think it is pretty obvious how A/B testing click-through rates for emails could easily help make those emails more informative and easier to use.

If the speed cost and privacy loss is not worth it to you, having the actual (non-tracked) URL available in the link text atleast gives users the option to opt out of that tracking.

If you want to track clicks, why not use a subdomain instead of something.weird3rdparty.com? And why would the link text look like a URL? I don't see why

  <a href="https://possiblephishing.com/n1bfsd?j1h7d8Sda">www.ebay.com/viewOrder</a>

  <a href="https://www.ebay.com/viewOrder">view your order</a>

> Even if it is a password reset email or a email verification email?

Why would you want to share password reset info with a third party? I get the "easy tracking" argument for newsletters (but I'm pretty sure most are not GDPR compliant), but for password reset emails? why?

> Would you be happy if the link just failed to open

Why would it? You can put a working link in the email directly - you've proven that by putting a different link in the email than the one you pretend you're linking to.

I don't see what relevance a subdomain has here. As the original issue was described, it was blocking any links where the url doesn't match the link text (if the link text is a url). This means that even tracking that is done on the same domain (e.g. example.com/emailTracking/{{unique_string}} redirects to example.com/viewOrder/412) would be blocked.

If you start only blocking those links if the domains don't match, things become more complicated to implement and test, especially once you consider subdomains, etc. The question remains, what is the point of this and is it worth it? Are we really promoting good security practices or just adding security theater cruft?

> Why would you want to share password reset info with a third party?

Who said anything about a third party? As you mention above, this blocks people who are doing their own tracking on the same domain. I don't have any numbers, but I assume that ESPs like MailGun and SendGrid are probably the most common third parties used to track email link clicks (since they will automatically substitute link urls with trackable rediracts if you enable it.) In this case, that third party already has access to the entire content and metadata of the email and giving them link click data is a relatively small addition.

> Why would it? You can put a working link in the email directly - you've proven that by putting a different link in the email than the one you pretend you're linking to.

Email links already work one way, perhaps if Apple implemented this feature eventually every email sender out there would switch to links that would work in Apple mail again. In the mean time, Apple has to deal with confused and dissatisfied users wondering why links in their emails don't work.

How would you implement link url / text mismatch blocking? Have you thought through the consequences for your users and their understanding of security or satisfaction with your product?

We're taking away easy attacks, just like blocking known spammers from delivering emails to your MTA. Yes, it doesn't solve spam completely, but it reduces the amount. Add other things like SPF, DKIM etc and you can identify even more malicious emails and warn the user. And certainly, the OP's description mentioned matching urls (though the text would have to match the href, so "ebay.com" would likely be fine for "https://ebay.com/something"), but again: what's the harm in linking to the actual URL? Why the need to hide it, IF you already make the link text look like a URL? I'm sure there are also reasons why a site operator wants to avoid SSL, but I do like the fact that many browsers do warn users when (potentially) sensitive data gets transmitted via plain text.

> Who said anything about a third party?

The super majority of click-tracking runs via third parties. And yes, every additional detail you share with them (PII has gotten a lot of attention lately, and I'm beginning to come around and love GDPR) will put your users more at risk - now it's not just your database that risks exposing your users when a leak/breach happens, it's also your email provider's.

> How would you implement link url / text mismatch blocking? Have you thought through the consequences for your users and their understanding of security or satisfaction with your product?

I'm sure that it's not trivial, but few things are, so rejecting it for that reason doesn't sound like a good idea to me. "Hey, let's not do SSL, it's not that simple to build and might inconvenience a user that has their clock set 100 years into the future"

What attacks are blocked by this that are not also blocked by using SPF and warning users when SPF is not present or doesn't match?

> what's the harm in linking to the actual URL? Why the need to hide it, IF you already make the link text look like a URL?

This is practically irrelevant. We are discussing the costs/benefits of the implementation of a client side feature, not the ideal form that all emails sent should adhere to (which is a far broader and more complicated topic.)

However, I do have several practical reasons why the link text and url matching can have negative consequences in practice:

Third party tracking issues:

1) Practical difficulty: Most link click tracking is done via third parties (usually the sender's ESP). No click tracking tool I've seen offered by an ESP provides any way to use the link url as the link text (since the link url is usually processed and rewritten by the ESP after the email is composed and sent.)

2) Confused users: The average user has no idea what an ESP is and could be needlessly confused / frightened when shown links so some random domain even when the operator of that domain is trusted by the sender.

First party tracking issues:

3) Removal of user choice: If you only give the track-able url in both link target and text, you FORCE your users to be tracked, rather than giving them the option to select the link text and paste it directly into their browser.

4) User experience: The url that is shown in the link text can be much more informative as to what it does (e.g. shows you your order) rather than an uninformative, generic click tracking link.

> The super majority of click-tracking runs via third parties.

Can you find me some email link tracking services that are not also involved in sending that email in the first place?

You do expose additional information about the user's clicks and IP address. If this is something your company is concerned with, you probably need to implement first-party click tracking both for email AND your website. You should probably also run your own ESP.

If you are trying to promote the use of first-party click tracking (or just discourage third-party click tracking), it would be far better to block all links that go to domains that don't match the sender's domain (or alternately that don't match the sender's domain's SPF record.)

> I'm sure that it's not trivial, but few things are, so rejecting it for that reason doesn't sound like a good idea to me.

I am not rejecting it because it's not trivial. I am rejecting it because thinking through how that implementation would realistically work makes me thing that it would accomplish almost nothing and possibly even negatively impact users' understanding of security.

You seem to think that is not true, so I am asking how this feature can be implemented in way that has a positive impact on security.

My biggest concern is that we shouldn't do anything to teach people that sometimes they CAN trust the link text rather than needing to check the actual URL they end up at. As far as I can think, all the attacks that this stops are better stopped by checking SPF and strongly warning users when it is not present or does not match.

I don't believe that "copy link text to avoid tracking" is a relevant part here, so I still don't understand why you'd want to give the impression of a text-link with a different URL. I see lots of malicious reasons, but I don't see valid ones where there is a strong case that this is a necessity. Why should we teach users that "don't trust your lying eyes, just click on whatever" is ever a good idea? Why shouldn't we teach them to not touch something that is trying to deceive them? If we teach them to ignore these things, we're making it easier for scammers.

Sure, blocking links to domains that don't match the sender's may be something as well, but I do see lots of cases where that's totally normal, i.e. me sending you an email saying "hey, I read your blog entry, and this site here does what you want". Mind you, that's just a link, it's not a link that is trying to confuse you about it's true target.

> You do expose additional information about the user's clicks and IP address. If this is something your company is concerned with

If any company isn't concerned with that, they either don't do business in Europe or they should talk to a lawyer. ;)

> If you are trying to promote the use of first-party click tracking (or just discourage third-party click tracking)

Neither is my intent, I just don't see valid reasons to pretend you're linking to one URL when you're linking to another when there's an easy alternative: put words into the linktext, not URLs.

It's like FB's idea to pressure users into giving them their passwords for their email account. Terrible idea, no valid business case ("it's easy and we can really check that they are the owner of that email account" isn't valid), but lots of reasons for malicious actors, so somebody telling you "give me your email password" is a warning sign for everybody. Trying to confuse users about what URL you're linking to is as well.

Email A/B testing is always about marketing and trying to manipulate users, in my experience. If the content is the same, but a different button gets more clicks, it's hard for me to believe users are finding a benefit in that. I think it's far more likely that the content isn't all that compelling, but the UI tweaks managed to tickle some part of the reader's subconscious in the right way for them to click.

In other words, emails with quality content don't have marketing teams running them.

This is pretty much like all targeted advertising. The benefit to the company is very clear, but I don't think I'd be missing much if email analytics went away.

Just as a personal opinion that I'm sure plenty of people disagree with, I dislike it when products are hyper-customized based on a lot of analytics. For instance, Netflix has a ton of data on me, but all of their tests and micro optimizations make me use the app less. I would much prefer their product if they threw all of that info in the trash, rolled the UI back 5 years, and showed me more generalized start ratings again.

I mean can you honestly tell you read the Google privacy notice or do you just click the down arrow till the ok box appears?

Yes it is annoying. My point is if you want to be annoying, you should be annoying the user when they visit ANY external links as trusting the link text isn't a practice that should taught/encouraged.

> almost every one who isn't "techy" for lack of a better term won't even bother reading it and just press ok.

That depends on how short and well worded the alert is. However, there is certainly an attention budget that can be used up with pointless / low value alerts (which is why I would assume that Apple did not go this route).

Phishing attempts will mimic real emails, so they will do the same.

It's even been done to youtube.com before! Clicking ads is inherently dangerous, as they are allowed to show URLs which do not reflect the URLs they will actually route you to. You should never click on an ad.

This is a scenario that violates any reasonable convention of good web behavior, but Google won't fix it because the advertisers are how their bills get paid.

However, when you hover over a Google Ads link, it does not do this. It shows you a friendly URL for the destination (such as https://www.ebay.com) but when you click on it, you get redirected with a bunch of tracking stuff added or even through a URL not on the ebay.com domain, as shown in this "exploit". In fact, even if an advertiser were to use a "clean" link as the destination, you first get redirected on that click through a google.com URL, even though the hover text is still lying about the destination.

I'm not even sure what it's doing here, there's some neat JavaScript in play. The hover text shows the "clean" URL, but if I inspect it, and then hover over it again, it shows the real redirect URL through google.com.

Pretty evil huh?

Viglink and Skimlink do this for affiliate programs, which is somewhat legitimate.

js websites cannot be trusted

I used to run

   if((event.target.tagName.toLowerCase() === 'a') && (event.target.childNodes[0]) && (/^(http?:\/\/(www\.|encrypted\.)?google\.[^\/]*)?\/?url/.test(event.target.href))) {
      var matches = /[\?&](url)=(.+?)&/.exec(event.target.href);
      if (matches != null) {
        event.target.href = unescape(matches[2]);
      }
  }

on Firefox

If I were eBay, I'd be getting my lawyers on this immediately. Every dollar getting paid to Google for this ad is a dollar out of my revenue, and a lost customer, and is illegal.

https://en.m.wikipedia.org/wiki/Rosetta_Stone_Ltd._v._Google....

Pretending to be a competitor clearly violates trademark law. But I somewhat suspect these fraudsters aren't that concerned with trademark law.

https://en.wikipedia.org/wiki/Rosetta_Stone_Ltd._v._Google,_...

We already have a legal term for people that make money by misrepresenting something, it's called fraud.

Sure, you can tell me it will still be a cat or mouse game and that laws aren't gonna reach into whatever sort of clickfarm network exists far outside of US jurisdictions, but make it so people are held accountable for this kinda stuff.

I'm no fan of the carcereal state, I'm not suggesting that we throw people in jail or drone bomb their server farm, perhaps large fines and getting banned making ads across any platform would work. I dunno, just seems there are not many incentives against this sort of behavior in an ad-dominated internet.

I don't know any country where anyone goes to the police when they had a malware infection. It's a little like countries where there is no point going to the police for theft: nobody was killed so the police has better things to do. Here too, if you're not a huge corporation with millions in damage, they won't even look at it, even if you supply logs that point to an IP within their jurisdiction. (Example of a few years ago in the Netherlands: employer was hacked, hundreds of customer websites taken offline, IP address came from a home connection in the same city as we were in, police took the report straight to /dev/null...)

The only way to get anything done legally is by starting lawsuits yourself, which doesn't work for criminal cases, but oh-so-conveniently works for online copyright infringement.

A nitpick, but if that was the definition of fraud, most of existing advertising would land people in jail. Unfortunately, laws around advertising are way too lax.

It's definitely not a technical problem, but the technical issues discussed are a symptom of it. They're enabling scummy behaviour in order to profit from it.

I agree with you both about advertising being generally an awful thing that is almost always solely designed to manipulate someone rather than give them information, and that the laws are too lax, but this sort of YOU HAVE A VIRUS advertising would be illegal.

(Then again it's barely any worse than the postal junk mail I get designed to look like a sort of official bank repossession notice trying to get me to buy some scammy insurance...)

1. https://twitter.com/sephr/status/1056626456770428929

2. https://twitter.com/sephr/status/1055751684146655232

Now I can only assume two things...

1. Some number of those ads were scams 2. Some large number of people just blindly click on the first thing they see below the search box as long as it's close to whatever they search for.

Somewhat related... always surprised to see what search results come up in the IOS app store first for whatever app I'm searching for at the time. It's usually something else, like, search for Uber, first thing that comes up is Lyft.

Google will not change any rules to forbid bidding on brand names because they are making a ton of money of it. Think of something like amazon paying more than $1 for every click just to not loose any potential customer. Adwords is a money burning system.

In my experience, you can try, but you'll get 0 impressions. Not sure how this works for very generic brand names though (e.g. "band-aid")

Or am I not getting some joke?

A high quality score gives you an effective discount in the ad auction. You might only need to pay $0.01 for that ad, whereas your competitor would need to pay $1

That's BS semantics. Their algorithms are based more on the age of your domain and other technicalities, rather than some hypothetical meaning of "search intention".

Today you're much more likely to get directed to some SEO-optimised highly monetised blog content because they bought an incredibly old domain name rather than what you're actually looking for.

We can quibble about the philosophical role of modern search engines I guess, but the basic idea is just that it should be easy to defensively bid on your own thing.

For all it is, allowing competitors to bid against each other just makes them more money. And the truth is that the customers who would click on a Lyft ad for “uber” query would not care if it was Uber indeed - as otherwise they would be intelligent enough to find Uber as a lower match.

So frankly “being the canonical source for the brand is a steep discount” is not their policy and I don’t really see how that policy is even motivated, financially or in terms of user-friendliness.

One of which is "dwell time" and another is "bounce rate". Both those correlate highly with how well the site matches the users intention.

Bounce is mainly irrelevant as we mostly use Google to find a particular page on a website.

I worked in AdWords 12 years ago and this was dominant. Not sure how it is today.

When this happens it's usually an ad, isn't it? Unfortunately, ad blockers don't work in the app store.

[1] Back when I worked in the business this was only possible in the US, for legal reasons I didn't fully understand.

If they start actively phishing users this way they're solidly in illegal hacking territory on a pretty massive scale. What they're currently doing is "only" a "growth hack" to get more people on their site instead of the competitor's site.

I would have been weirded out by this specific ad, because when I worked at eBay one thing that got highlighted in a companywide announcement was that some executive had decided to stop running ads for eBay against google searches for "ebay", because that is obviously pointless. (And that this saved a ton of money on advertising without impacting traffic at all.)

With a result like that, I wouldn't have expected them to go back to advertising ebay.com on searches for "ebay".

That's probably why the malware author targeted the eBay keyword. Without any real competition, it would be cheaper for them to win top of page placement.

Google can set this on the headers for outgoing redirect link they already use for AdWords and search results. It would simply make sure that after all the 30X redirects, you actually land on the expected domain.

I can't believe this doesn't already exist. It would be widely useful even outside of ad-tech, when you need redirects for country specific subdomains for instance. And by the other replies on this thread it would fix an ancient security hole at the same time. Anybody want to make an RFC?

It's sad that we don't hold one of the largest tech companies in the world directly accountable for linking users to phishing scams from spots they've sold to third parties. Instead we discuss how an HTTP header could make it easier for them to lie. Meanwhile, they get paid for facilitating scams.

> It would be widely useful even outside of ad-tech, when you need redirects for country specific subdomains for instance.

I don't see how that is the case. If I own the hosts and names involved, I know where my links and redirects between the two lead and don't need the client to ensure that it's correct.

My aunt's android was slow as hell and had lock screen ads, how is this possible?

Be kind to your relatives, install an adblocker.

It seems his old site about The Island ECN is archived at http://josh.com/oldindex.htm

Check it out if you have the slightest interest in electronic and high frequency trading!

Imagine a link to your bank or crypto exchange, and it takes you to a phishing site - boom - money gone.

It reminds me of caller-id spoofing. Yes, there's a legitimate use case for it. But don't just throw security out the window to enable it, especially when there is a clear and obvious way to abuse it.

If I were to scam people I'd do my homework. But the infamous "just do the minimum of a minimum" quality issues that region is so notorious for are present even in scams.

A very tiny image so you can't actually read it either.

[0] https://en.wikipedia.org/wiki/Syskey