Some users have found that when they try to reach a popular website through Google and click on the ad at the top of the page, which shows a seemingly official URL, they are redirected to a malicious website and their device is infected. It seems that some malicious actors have found a way to trick and bypass Google’s bots, and are inserting poisoned content into the ads at the top of the official search results page.
You might ask yourself: how does Google allow this to happen? Shouldn’t there be safeguards against ads that link to phishing sites? It turns out to be a little more nuanced than that. According to Cybernews, while anyone can pay for an ad to be at the top of the search results, some scammers seem to have found a way to bypass security checks by looking out for and tricking Google’s trackers.
Security researchers at Malwarebytes Labs found that such malicious actors detect when the Google trackers visit their website and redirect them to the actual website, so the trackers see the ad as legitimate and approve it. However, when a normal user visits the website, they are redirected to the phishing site.
The researchers stated: “Such malvertising attacks are not new, and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive the point home that this needs to be addressed just like other types of fraud or malware.”
The researchers emphasize that all the malicious actors need to bypass Google’s security measures is the ability to distinguish real humans from bots or crawlers (which can be done by looking at factors like IP address, browser fingerprinting, and more). They then show the bots something legitimate and show real users a fraudulent website.
When it comes to solving this issue, the researchers theorize that Google could distinguish a legitimate affiliate using a number of data points about the advertiser, like user profile, payment method, budget, and above all the ad itself. It could then check things like the vanity URL, display text, tracking template, and final URL.
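As an added illustration (not code from Malwarebytes, Cybernews or Google), the Python below takes the final URLs that different visitor profiles reached from one ad and compares them with the ad's display URL; a split between profiles is the cloaking pattern described above. The profile names, the URLs and the `audit_ad` helper are constructed for this example.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname; ad display URLs are often written without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def same_site(host, site):
    """True only for the site itself or a subdomain, so a lookalike such as
    example.com.login.test does not count as example.com."""
    return host == site or host.endswith("." + site)

def audit_ad(display_url, landings):
    """landings maps a visitor profile to the final URL it reached after redirects.
    Returns (verdict, off_site), where off_site lists the profiles that left the
    advertised site and the host each one landed on."""
    if not landings:
        raise ValueError("need at least one observed landing URL")
    site = host_of(display_url)
    if site.startswith("www."):
        site = site[4:]
    off_site = {}
    for profile, final_url in landings.items():
        host = host_of(final_url)
        if not same_site(host, site):
            off_site[profile] = host
    if not off_site:
        verdict = "consistent"   # every profile stayed on the advertised site
    elif len(off_site) == len(landings):
        verdict = "mismatch"     # the ad never leads to the advertised site
    else:
        verdict = "cloaking"     # the destination depends on who is visiting
    return verdict, off_site

# Constructed observations for one ad (reserved example domains, not real data).
SAMPLE_LANDINGS = {
    "crawler_datacenter_ip": "https://www.example.com/",
    "desktop_residential_ip": "https://example.com.login.test/signin",
    "mobile_residential_ip": "https://support.example.net/scan?id=1",
}

if __name__ == "__main__":
    verdict, off_site = audit_ad("www.example.com", SAMPLE_LANDINGS)
    print(verdict)
    for profile, host in off_site.items():
        print(f"  {profile} -> {host}")
```

How the per-profile landing URLs are collected is outside the example; it only compares observations that have already been recorded.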
Malwarebytes concludes that although users aren’t solely responsible for checking who is behind the ads they see, they should beware of sponsored results, block ads altogether, and learn to recognize scam pages.