The Rising Threat of Search Engine Ad Abuse
by Sumit Bansal, VP, Asia Pacific & Japan, BlueVoyant
A new report from BlueVoyant finds that threat actors are abusing the ad infrastructure built into search engines to phish unsuspecting users. The use of malicious search engine ads is on the rise and poses a significant threat to internet users and companies worldwide. Instead of leading you to your bank's login page, the link in an ad can lead to a phishing website or a malware download, putting personal, financial, and corporate information at risk.
So, What Are Search Engine Ads?
Search engines like Google, Bing, and Yahoo, with their easy-to-use interfaces and vast user bases, allow users to easily and efficiently find things online. Given their wide acceptance, it was only a matter of time before they became a target for cybercriminals.
Most search engines allow advertisers to promote their websites by displaying paid ads in the user’s search results. Using simple, self-service, and readily available advertising tools, advertisers can pinpoint and reach their unique target audience based on multiple criteria, making their ads more effective and profitable.
Most ads appear at the top of the search results, above the organic results, and are annotated as an advertisement. Typically, search engine advertisements consist of a title, description, and a link to the advertised website.
Search engines have long been trusted, so users have historically had little reason to doubt the ads they see.
How Does this Kind of Phishing Work?
These fraudulent search engine ads are designed to appear benign, which makes them an effective phishing distribution mechanism. When an unsuspecting user types their financial institution's name and "login," or something similar, into the search engine, the ad they see may lead them to a fake login page. These fake websites can be used to steal login credentials, which could be reused for other accounts, including corporate ones, or to deliver malware.
We have observed that when setting up a malicious ad campaign, threat actors utilise the various customisation options available for advertisers. The settings allow them to display the ads only to specific users who meet predefined criteria, targeting the most vulnerable and profitable victim profiles while helping to evade detection.
To further avoid detection, threat actors employ unique session cookies for users redirected to the site from the ad. This makes it difficult for bots or security vendors to detect the phishing content. In addition, the phishing ads often link to lookalike domains of the impersonated brand, adding another layer of deception.
To execute these malicious ad campaigns, threat actors typically acquire compromised ad accounts from deep and dark web communities. They then craft tailor-made ad campaigns, register phishing websites, and implement additional evasion mechanisms before launching the ad campaign.
How Can You Protect Your Company and its Reputation?
We recommend that enterprises, especially financial institutions, monitor for suspicious search engine ads possibly impersonating the company’s brand, using various search keywords, user agents, and geolocations, in multiple search engines.
Organisations should also report all fraudulent websites and associated ads. Enterprises should raise awareness of the dangers of search engine ads among clients and employees and advise them to bookmark legitimate websites. Organisations should also consider working with a Digital Risk Protection vendor with ad detection and analysis capabilities to proactively detect and take down malicious search engine ads and their related phishing websites.
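As an added illustration of the monitoring recommended above and of the lookalike-domain tactic described earlier (example code, not BlueVoyant's tooling), the following triage script takes ad records collected from search results and flags those whose landing domain is a lookalike of the brand, or whose title carries the brand while the domain does not. The brand name, allowlist, homoglyph table, and ad records are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed brand allowlist and sample ad records (hypothetical, not from the report).
BRAND = "examplebank"
LEGIT_DOMAINS = {"examplebank.com"}

SAMPLE_ADS = [
    {"title": "ExampleBank Login", "url": "https://login.examplebank.com/signin"},
    {"title": "ExampleBank - Secure Login", "url": "https://examp1ebank.com/login"},
    {"title": "Example Bank Online Banking", "url": "https://examplebank-secure.net/"},
    {"title": "ExampleBank Account Verify", "url": "https://secure-account-verify.net/"},
    {"title": "Cheap Flights", "url": "https://travel-deals.flyaway.org/"},
]

# Digits and symbols commonly swapped for letters in lookalike names (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

def registrable_domain(url):
    # Host without scheme, path or port, reduced to its last two labels.
    # Simplification: no public-suffix list, so "brand.co.uk" would be mishandled.
    host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
    return ".".join(host.split(".")[-2:])

def normalise(text):
    # Lowercase, undo homoglyph substitutions, then drop spaces and separators.
    return re.sub(r"[\s\-_.]", "", text.lower().translate(HOMOGLYPHS))

def classify_ad(ad):
    domain = registrable_domain(ad["url"])
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    label = normalise(domain.split(".")[0])
    # Brand embedded in the domain label, or near-identical after normalisation.
    if BRAND in label or SequenceMatcher(None, label, BRAND).ratio() >= 0.8:
        return "lookalike-domain"
    # Ad copy uses the brand but sends traffic to an unrelated domain.
    if BRAND in normalise(ad["title"]):
        return "brand-in-title"
    return "unrelated"

def triage(ads):
    # Return only the ads a brand-protection analyst needs to review.
    verdicts = [(ad["url"], classify_ad(ad)) for ad in ads]
    return [(url, v) for url, v in verdicts if v in ("lookalike-domain", "brand-in-title")]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_ADS):
        print(f"{verdict:17} {url}")
```

Ads that pass this filter still need the landing page checked, since the page notes that phishing sites serve content conditionally on ad-referred session cookies.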