Google is Again Hosting and Handling Advertising for Website that is Publishing Purported Leaked Credit Card Info

Last week we noted that Google was hosting and handling advertising for the website leakeddata.me, which publishes purported leaked credit card info as well as other types of confidential data. Then on Monday we noted how we had run across another related website, leakeddata.net, but that leakeddata.me appeared to have been taken down by then. Here is what you got when you visited leakeddata.me at that time:

By contrast here is what you get now:

So the website is again being served from Google’s Blogger service with advertising being handled through Google’s AdSense service. The newest entries are of purported username/passwords for several different web services (as shown in the screenshot) and below that are ones for credit card info.

Another Website That Google is Hosting and Handling Advertising for is Publishing Purported Leaked Credit Card Info

Last week we discussed how we found that a website on which Google was serving ads for our website was publishing purported leaked credit card info and that the website was also hosted through Google’s Blogger service. That seemed to spur action from Google as here is what you get when you visit the address of the website, leakeddata.me, now:

Also since then, our ads were being served on a nearly identical website, leakeddata.net, that looks to be run by the same people as the first website.

The title of the website is “Leaked Data | Exploited and Leaked Information | (UPDATED Daily)” and the subtitle is “Hack Credit Card | Visa | MasterCard | SSN | Amazon | Email Address | MYSQL Database | IP Address | ( HACKED | LEAKED | EXPLOITED )”.

Here is how the homepage of the website currently looks, with the portion of the page with ads served by Google bordered in blue:

Like the first website, this website is hosted through Google’s Blogger service.

It looks like this website has been showing purported leaked credit card info since November of 2014.

Google is Hosting and Handling Advertising for Website that is Publishing Purported Leaked Credit Card Info

A month ago we noted that Google’s AdSense program was handling the advertising for a number of websites serving “nulled” web software, which is paid web software being distributed illegally, with at least one of those serving up malicious code with the “nulled” web software. We reported a number of the websites to Google as they are violating policies of the AdSense program, but they are still running ads served by Google.

Part of how we became aware of that was that advertising we were running through Google’s AdWords program was being shown on some of those websites. Today we noticed that our advertising has recently been running on an even more troubling website, leakeddata.me.

The title of the website is “Leaked Data | Exploited and Leaked Information | (UPDATED Daily)” and the subtitle is “| Hack Credit Card | Visa | MasterCard | SSN | Amazon | Email Address | MYSQL Database | IP Address | ( HACKED | LEAKED | EXPLOITED )”. The homepage of the website currently shows the details of seven purported leaked credit cards, with the data shown including the credit card number, CVV number, name of credit card holder, and their address.

The top of the homepage of the website has multiple blocks of Google-served advertising (bordered in blue):

When we went to see where the website was being hosted we were surprised to find it was Google. The IP address the website is hosted from is 216.239.36.21, for which the host name is any-in-2415.1e100.net. As Google explains, “1e100.net is a Google-owned domain name used to identify the servers in our network.” At that point we noticed that the website is being hosted through Google’s Blogger service.

It would seem that neither the Blogger nor the AdSense service does any sort of proactive monitoring looking for credit card info being shown on pages using the services, which seems to be something they could be doing.
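As a sketch of what that kind of monitoring could look like (an added example, not anything Google or this website is known to run), the following scans page text for Luhn-valid card numbers and notes whether a CVV label sits next to them. The function names, the 40-character window and the review thresholds are assumptions, and the sample page is constructed using publicly documented test card numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV/CVC label followed closely by a 3-4 digit value.
CVV_NEARBY = re.compile(r"\b(?:cvv|cvc)\b\D{0,5}\d{3,4}\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_page(text: str, window: int = 40):
    """Return (masked_number, cvv_label_nearby) for each Luhn-valid candidate."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(set(digits)) == 1 or not luhn_ok(digits):
            continue  # all-same-digit filler or a failed checksum
        masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        hits.append((masked, bool(CVV_NEARBY.search(text[m.end():m.end() + window]))))
    return hits

def needs_review(text: str) -> bool:
    """Queue a page when a number sits next to a CVV label, or several numbers appear."""
    hits = scan_page(text)
    return any(cvv for _, cvv in hits) or len(hits) >= 2

# Constructed sample page text; the card numbers are publicly documented test numbers.
SAMPLE_PAGE = """\
Order ref 1234567890123456 shipped.
Visa | 4111 1111 1111 1111 | CVV: 123 | Jane Example | 1 Test St
MasterCard 5555-5555-5555-4444 exp 01/30
"""

if __name__ == "__main__":
    for masked, cvv in scan_page(SAMPLE_PAGE):
        print(masked, "cvv label nearby" if cvv else "number only")
    print("needs review:", needs_review(SAMPLE_PAGE))
```

The Luhn check is what keeps order numbers and other long digit strings from being flagged, and masking the middle digits keeps the scanner's own output from becoming another copy of the data.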

It looks like the website has been showing leaked info since December of 2014.

We wanted to report this to the Blogger service, but they don’t have an option for reporting that someone else’s private information is being posted, only your own.

Google Handling Advertising For Website Serving “Nulled” WordPress Themes and Plugins With Malicious Code

Recently Google has been deciding to show ads for one of our services on websites serving “nulled” web software, which is paid web software being distributed illegally, possibly with security measures removed from it. That isn’t something we are interested in having our ads run on and we have excluded those websites from showing our ads. Today while looking into a hacked WordPress website that we were contacted about, we noticed that Google is handling the advertising for another such website, dlwordpress.com, where “nulled” WordPress themes and plugins are being distributed with malicious code in them.

At the top of the homepage are two ad blocks being served by Google (bordered in red):

The website (and the others that had included our ads) seems to pretty clearly be in violation of the Google AdSense program’s policy related to copyrighted material:

AdSense publishers may not display Google ads on pages with content protected by copyright law unless they have the necessary legal rights to display that content. This includes pages that display copyrighted material, pages hosting copyrighted files, or pages that provide links driving traffic to pages that contain copyrighted material.

The malicious code being reported to be served with the software at that website would seem to cause the website to violate a couple of their content guidelines as well:

It doesn’t seem like it would be hard for Google to detect that these websites are engaged in the activity they are, so it seems if they didn’t want them to be in their advertising program they already could be excluded. We have been reporting the ones that have been showing our ads, though.

dlwordpress.com Warns About Similar Websites Distributing Files Containing Viruses

While the website prominently links to a page for filing DMCA takedowns for copyrighted content on the website, the website is promoting that it actually is involved in placing such content on their website, which would seem to remove the safe harbor protection that DMCA provides for websites:

For your money, we'll buy new wordpress themes.

While a WordPress theme’s (or a plugin’s) code would need to be licensed under the GPL and therefore can be legally distributed to others after being purchased, other assets included with them would not.

On the “Submit Your Theme or Plugin” page, they pretty clearly are requesting content that they know wouldn’t be legal for them to distribute. But more striking is that they ask people submitting themes and plugins to not submit them from other similar sites because they “can share files with viruses”:

Here you can send your nulled themes and plugins. Please do not send files from another sites! Another sites can share files with viruses. Share only from themeforest or codecanyon!

Cloudflare Too

Google isn’t the only legitimate company involved with this website, as when we went to check to see where the website’s server was located we found that it is being served through Cloudflare.

A couple of months ago we found them doing the same for a website being used as part of a hack to compromise credit card credentials.