Hacking Google Adwords – Defcon Panel recap

OK, I’m in the hacking Google Adwords panel and our speaker, Stankdawg, is explaining how he spent $20 to set up his Google AdWords account and how he didn’t get what he wanted out of it and that made him really mad (note: at least 50% of each panel has to be spent talking about how stupid it is to piss off a hacker and/or making fun of people who make insecure products - it’s very annoying. We get it: you rock, they suck - move


Stankdawg is upset because they keep canceling his account for violations and he is really upset that they charge $5 to start up an account that is set up by a machine with no cost (note to speaker: who cares, it’s five bucks? It’s Google’s way of making sure people take it


He is also mad about how Google AdWords will automatically slow ads that are not working, eventually turning them off and charging you a $5 re-activation fee if you want to run them again. I agree with him that this is a pain in the neck, but again, who really cares. Google has to put some limits on this product because it’s a business. Turning off ads that don’t work makes their network of ads more profitable. He reported that Google is moving to a quality score for ad performance at some point soon. Apparently this would give people making Google Adwords ads an idea of how well they were doing ahead of time - before they get turned off. OK, I can read this at Jensense - where are the hacks?! The panel is *hacking* Google Adwords. Give us the good stuff!

Oh boy. Now he’s going off on a total rant about the TOS not allowing people to promote “hacking and cracking.” So, if you wanted to use Google Adsense to promote, say, HackADay, they wouldn’t let you. Cry me a river, man, it’s a business and they have liability issues.

Stank points out that Google hosts a hacking event, uses open source (created by hackers), and has a hacking language translator. Even with all this hacker ethos in their company he finds it - wait for it - hypocritical that you can’t have the word hacking or hack in your advertisement. This seems to be the whole point of the panel right now. Google pissed him off and dissed hackers, therefore he is going to show them.


The rant continues as he explains how he changed “hacking” in his Google Adwords advertisement to “security” and they OKed the advertisement. I’m sorry, is this some major revelation? He explains that he would change it back to hacking and three days later they would tell him to change it - but he had it up for three days! Yawn. This is beyond childish, but worse, it’s boring! Give us some hacks, dude!

25 minutes into the panel and I’ve gotten zero value out of this except maybe losing 5 pounds of water weight on line before getting in. Ugh.

OK, now he has found one tiny loophole in Google Adwords. If Google bans you from using certain keywords for ads that it has slowed down or turned off for TOS reasons, you can delete the advertisement and keywords then cut and paste them back in. This is of little value since you’re only going to get caught again a day or two later. I guess a game of cat and mouse with the biggest Internet company in the world is fun for this guy, but I don’t think he realizes that he is a fly punching the bottom of the elephant’s toe. It’s pointless - give us some hacks!

Oh boy, here’s another gem: You can also click your competitors’ ads to screw them! Well duh?!?! 30 minutes into this presentation and we’ve learned little. I’m getting frustrated - I could tell you more about Google Adwords.

OK, now we’ve got his first decent tip (not a hack, but a tiny tip): if you misspell keywords you can buy traffic for a fraction of the cost. Turns out mesothelioma is a $40 keyword (it’s the cancer you get from asbestos exposure, and the keyword draws the class action lawyers who are looking for clients). If you misspell the word you can get essentially the same keyword for five cents (or $39.95 cheaper). Of course, there is a limit to how well this will work since there might not be that many people who misspell the word. Also, most of the people who misspell a word will click the “Did you mean this…” link from Google and not even get to the Adwords. So, again, this is not a hack, but a little


Now we’re going down the secret double agent rabbit hole: Stankdawg says you could buy a huge keyword search word like “thisisamessagefordefconattendees” and you put a secret message against the keywords knowing that not many people - if any - would ever put that search term in. He speculated that some folks might be doing this already - maybe even the “t word” (terrorists).

Uhhh… yeah, right. Osama is passing secret messages by signing up for a Google Adwords account - WITH HIS CREDIT CARD - in order to pass secret messages. I don’t think so.

He’s droning on that if you use steganography (hiding messages in a package, typically in images) you could put a hidden message in a banner ad. Again, this is kind of dumb since in order to do this you need to sign up for an account with Google Adsense. You could do this a lot easier - and without giving a credit card - by starting a blogger.com


One exploit that has some merit is the “display URL” field in Google Adwords. When you’re creating an advertisement it lets you put in a nice clean URL for display (say www.paypal.com) instead of the domain name that you actually link to (i.e. http://secure.paypal.com/newuseraccount/!@#$^^$%^$#%/). Google does this so you can have a pretty domain name in the ad as opposed to a really long ugly one designed to do things like track performance. Stankdawg explained that you could do some phishing with this. This is sort of a big loophole for Google AdWords; for example, you could put up an advertisement for Paypal and put www.paypal.com as your displayed link, but your hidden link would send folks to www.systempaypal.com (i.e. a honeypot domain) and make it look like the PayPal site in order to capture
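
The check an ad reviewer (or a mail/web filter looking at sponsored links) would run against that display-URL trick, as an added example that is not from the talk or from Google: compare the domain shown in the ad with the domain the click actually lands on. The function names and the `PROTECTED` brand table are hypothetical, and the "last two labels" rule is a simplifying assumption; real code would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: brands the reviewer protects, mapped to their real domain.
PROTECTED = {"paypal": "paypal.com"}

# Constructed sample ads: (display URL, destination URL).
SAMPLE_ADS = [
    ("www.paypal.com", "http://secure.paypal.com/newuseraccount/"),
    ("www.paypal.com", "http://www.systempaypal.com/"),
    ("www.paypal.com", "http://www.paypal.com@example.net/login"),
]


def host_of(url):
    """Lowercase hostname of a URL; display URLs usually carry no scheme."""
    if "://" not in url:
        url = "http://" + url
    # .hostname drops any user@ prefix and port, so "paypal.com@evil" is not fooled
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable(host):
    """Naive registrable domain: the last two labels (assumption, no PSL)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def review_ad(display_url, destination_url):
    """Return findings for one ad; an empty list means display and target agree."""
    shown = registrable(host_of(display_url))
    actual_host = host_of(destination_url)
    actual = registrable(actual_host)
    if not actual:
        return ["destination has no hostname"]
    findings = []
    if shown != actual:
        findings.append(f"display domain {shown} != destination domain {actual}")
    for brand, real in PROTECTED.items():
        # Brand name embedded in a host that is not the brand's own domain
        if brand in actual_host and actual != real:
            findings.append(f"brand '{brand}' appears in unrelated domain {actual}")
    return findings


if __name__ == "__main__":
    for shown, target in SAMPLE_ADS:
        print(shown, "->", target, review_ad(shown, target) or "ok")
```

A subdomain of the real site passes, while the lookalike domain is flagged twice: once for the mismatch and once for carrying the brand name in someone else's domain.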


This could have been a great panel, but it didn’t include any hacks! It was basically Google AdWords 101 + a couple of hacker rants. Some hacks I would have liked to have seen:

– A tool that checks the cost of a certain set of keywords every day, what they are going for, and who’s buying them. Then tracks the changes and trends. So, you could track the keyword Treo 650 and see which sites came up for that keyword over 100 days and how much it cost to get each of the different positions.

– A hack/process of buying obscure keywords on Google Adwords that you know will come up on Google AdWords (the publisher side) and compares what the publisher got paid and what the Google Adwords marketer paid in order to see what percentage Google is giving to publishers (note: Google does not disclose this number).

– A hack/program that links Google Suggests to the price of keywords on Adwords. So, I could give you 100 words and then you would pull the top 20 Google Suggest terms and give you an Excel report that shows which of the suggestions is the best deal.