Google’s ad servers forward spam?
I received an email this morning purporting that I was the main actor in an embarrassing video online. The email — obvious spam to anyone tech-savvy — insisted I take a look.
The sender was Bale Garnock. I don’t know a Bale, but from his (her?) email address, I could tell he was legit: myoshida AT ws.ipc.fit.ac.jp. (Please, if this is anyone’s email address, let me know!) I mean, c’mon: Who takes the time to alert others of embarrassing videos they star in? This guy must be my friend.
His email only contained one line of text, which got my attention. It said “Take a look at yourself”, all of which was linked to this address:
http://www.google.com/pagead/iclk?sa=l&ai=YJsnJu&num=85998&adurl=http://scramignon.com/video.exe
Being as cavalier as I am, I decided to click it. What came up (unsurprisingly, of course) was a “video” I was asked to download. No website. No ads. Just a video.
Before actually looking at it — Hey, it’s a video of me right? — I noticed the link pointed to http://www.google.com/… Wow. I was pretty surprised.
From what I can tell, it seems a spammer was able to peddle their “video” through Google’s servers by simply editing a Google ad’s query string. (Look. I can do it too:
'Phishing' occurs when an unauthorized party claims to be a representative
of a legitimate organization in an attempt to trick the recipient into
disclosing important personal information like passwords or bank account
numbers.
Remember, Google will never send unsolicited mass messages asking for your
password or personal information, or messages containing executable
attachments. If you ever receive one of these messages, we strongly advise
you not to view it, and to delete it immediately.
Keeping our users safe from phishing is something we take very seriously.
To help us stop phishing attacks, we ask that you report any suspicious
messages or websites to Google at phishing@google.com
We appreciate your assistance in keeping Google users safe.
Sincerely,
Andrew B.
The Google AdWords Team
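The link pattern described in the post, a trusted visible host with the real destination carried in a query parameter, can be flagged mechanically in a mail filter or proxy log review. This is an added example, not code from the original post: the function name, the extension list and the two example.com links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl
import posixpath

# Extensions treated as directly executable downloads (assumed list, tune locally).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".pif", ".msi"}

def embedded_redirects(url):
    """Return one finding per query parameter that carries an absolute
    http(s) URL pointing at a different host than the link itself."""
    try:
        outer = urlsplit(url)
    except ValueError:
        return []
    visible = (outer.hostname or "").lower()
    findings = []
    # parse_qsl percent-decodes values, so adurl=http%3A%2F%2F... is covered too.
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        try:
            inner = urlsplit(value.strip())
        except ValueError:
            continue
        if inner.scheme not in ("http", "https") or not inner.hostname:
            continue  # ordinary parameter, not a URL
        if inner.hostname.lower() == visible:
            continue  # same-host redirect, not cross-site
        ext = posixpath.splitext(inner.path)[1].lower()
        findings.append({
            "param": name,
            "visible_host": visible,
            "target_host": inner.hostname.lower(),
            "executable": ext in EXECUTABLE_EXTS,
        })
    return findings

SAMPLE_LINKS = [
    # Link quoted in the post.
    "http://www.google.com/pagead/iclk?sa=l&ai=YJsnJu&num=85998"
    "&adurl=http://scramignon.com/video.exe",
    # Constructed: percent-encoded cross-host redirect to a web page.
    "http://ads.example.com/click?dest=http%3A%2F%2Fexample.org%2Flanding.html",
    # Constructed: plain link with no embedded URL.
    "http://www.example.com/search?q=redirects&page=2",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        for f in embedded_redirects(link):
            tag = "EXECUTABLE" if f["executable"] else "redirect"
            print(f"{tag}: {f['visible_host']} -> {f['target_host']} via {f['param']}")
```

A finding with `executable` set is the case from the post: the reader sees a google.com link, but the click ends in a download from another host.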