Google Ads/AdWords Campaigns Rejected due to Malicious or Unwanted Software

 

Recently, users of the platform have been receiving sporadic notices that sometimes websites are being rejected by Google Ads a having malware on the website. We are currently trying to work with Google to find and fix the issue, but it has continued to persist for a while.

Not every website is affected by this issue, and in fact, most are approved instantly. We currently believe that Google reporting these websites as containing malware is a false positive from Google’s checks. We have investigated the issue deeply and can find no code or intent of our websites that show they have malware or malicious intent on them. We are working with the Google Ads team to get a deeper understanding of the issue to solve it for good.

What Happens

When setting up a new Google Ads / AdWords campaign, Google does a scan of the website to ensure the quality of the website and ensure that website visitors will not be harmed by going to the site. As part of these checks, Google is also checking if they think any part of the website is malicious. They will often return a list of files within the website they consider to be malicious. Here’s an example of what that will look like:  

https://www.example.com/

https://www.example.com/_dm/s/rt/css/runtime-ie-11-fix.css?version=2019-03-27T08_50_11

https://www.example.com/_dm/s/rt/dist/css/css-font-package.min.css?version=2019-03-27T08_50_11

https://www.example.com/_dm/s/rt/dist/css/d-css-foundation.min.css?version=2019-03-27T08_50_11

https://www.example.com/_dm/s/rt/dist/css/d-css-runtime-desktop-one-package-new.min.css?version=2019-03-27T08_50_11

https://www.example.com/_dm/s/rt/dist/scripts/d-js-one-runtime-layouts-desktop.min.js?version=2019-03-27T08_50_11

https://www.example.com/_dm/s/rt/dist/scripts/d-js-one-runtime-layouts-package.min.js?version=2019-03-27T08_50_11

https://www.example.com/_dm/s/rt/dist/scripts/d-js-runtime-one-package.min.js?version=2019-03-27T08_50_11

https://www.example.com/_dm/s/rt/scripts/vendor/photoswipe4/icons/default-skin.png

How to fix the issue

The only solution we’ve found to fix the issue is to have Google manually approve the campaign by contacting the Google Ads Support Team. Here’s a message that you can send to Google Ads Support to help them understand the issue and hopefully get the new campaign approved quickly:

 

Hi Google,

 

I currently have a campaign that is being rejected due to malware being detected by your system. The campaign ID is: xxx_xxx_xxx. I have checked with my website builder platform and they assured me there is no malicious code or content on the website. In fact, they let me know me that some other of their other customers had the same issue.

We have experienced this issue before with websites that have live and active Ads campaigns, with a nearly identical code base that are not reported as Malicious by your checks. They believe the report here is a false positive from your system. 

We please ask that you escalate this issue internally to the right team who can approve the campaign or give further details about what is exactly malicious on the website.

 

Note: One important part of the message here is that Google escalates the issue internally -- as we’ve found that the first level of support is unable to assist and will respond with a generic message about fixing the files that are reported as malicious.

 

What are Malware or Malicious websites?

On the web, there are many bad actors who might build or infect websites specifically to get website visitors to take some action that could harm them or their computer. Broadly speaking, there are two categories of malicious websites: 

Intentionally malicious websites are specifically crafted to trick visitors into downloading viruses or other malicious software, giving up sensitive personal information, or collecting financial information such as credit card numbers. These are often impersonating an existing business or brand to trick users into taking some action.

Un-intentionally malicious websites are ones that become compromised after they are built. They become compromised usually through some vulnerability in the software or code that was used to build the website. A common example of this is through plugins added to WordPress. (Here’s a recent example from the popular WordPress Multi-site plugin.)

For the issue where Google Ads is rejecting a specific website, most of the time these fall into the unintentional category, as you’d only want to pay for advertising for a legitimate website.

 

How does Malware get on Websites?

The web is an open and wild place. There many different ways to build websites, but here are a few common problems of how normal websites become compromised:

    • Code Libraries become compromised: When building websites, it is common to use libraries to speed up development. Some common examples of this are jQuery (and any jQuery plugins that implement image sliders, fancy transitions, tabs, date pickers, etc..), Bootstrap, React, etc.. (Note: We’re not saying these tools/libraries are insecure by nature)

      Sometimes where these code libraries are hosted & saved can become compromised or hacked.  When this happens, the hacker can insert malicious code on every website that uses the same installation.

      This could also happen through any type of embed from a 3rd party service that is installed on a website as well.
  • The web platform is hacked: This happens when the core software that powers a website becomes compromised. This is common for open sourced platforms like WordPress, Drupal and Joomla. (It happens even more frequently for the plugins or templates built by 3rd parties to enhance those tools.)

    This can also happen to proprietary software as well but is usually fixed much faster due to the nature of how those systems get updates & new deploys.