Blocking targeted ads is justified. Malvertising is alive and well and poses too great a risk for the end user to ignore.
For your security (and privacy), you should block ads by default. Here’s why.
Malvertising is malicious advertising: advertising that intentionally distributes malware or facilitates scams and phishing. There are many ways to carry out malvertising; common examples include malicious search ads, malicious social media ads, and other malicious targeted ads displayed on websites.
Malvertising does not rely solely on user interaction to deliver malicious scripts. Malicious scripts can be downloaded and executed on users’ devices without explicit user consent or interaction. These scripts can in turn fetch second-stage malware; this is commonly known as a drive-by download.
Perhaps the most dangerous part of malvertising is that it can appear in any ad on any website, including very popular and well-known websites. This can happen without the website itself being directly compromised, especially when third-party ad networks are used to serve the ads. Malvertising can also occur on websites that manage and run their own “proprietary” advertising platforms, including many mainstream social media platforms such as Instagram and TikTok.
In recent years there has been a noticeable increase in malicious search engine advertising. So much so that in December 2022, the FBI released a public service announcement warning the public about threat actors who abuse search ads to deliver malware and ransomware and to steal sensitive information such as login credentials.
Given Google’s dominance of search and the associated advertising space, threat actors (the bad guys) abuse the ecosystem regularly because it offers maximum exposure. For similar reasons, Bing Ads also sees its fair share of abuse, but given its smaller market share we can assume the prevalence is lower; there is more return on investment in abusing Google Search Ads.
Abusing these ecosystems ultimately means that a large audience will see these malicious ads, increasing the likelihood that someone will click on them. The more people click, the more people are redirected to the phishing/malicious site.
Brief overview
Search engine advertising is relatively simple on the surface, although there are many nuances that I won’t go into here.
Advertisers bid on a keyword to have their ad shown near the “organic” results. Typically, the advertiser pays the platform for each click on their search engine ad. The more in demand or popular the keyword, the higher the cost per click (CPC).
In a non-malicious scenario, users are taken to the advertiser’s website/property after clicking on the ad. For example, you search for “cyber security” and I, as an advertiser, bid on that keyword. You see my ad, click on it, and you are taken to my website.
But what if the advertiser is a threat actor or otherwise malicious? Well, once the ad is clicked, users are usually directed to a malicious domain that drops malware or tricks them into divulging sensitive information. Except it’s not as simple as sending users to a malicious site right away.
In many cases, the threat actors use cloaking techniques, sending users to a “benign” website before redirecting them to the real phishing/malicious domain. Hovering over the link won’t necessarily reveal the malicious domain, your browser’s “safe browsing” may not have that first “benign” domain on its blocklist, and Google’s detection algorithms cannot explicitly detect the malicious domain to which unsuspecting users are ultimately sent.
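To make the cloaking problem concrete from the defender’s side, here is an added example (not code from the original post or from Avoid The Hack!). It walks a redirect chain of the kind a crawler or proxy would record for a cloaked ad click and shows why a check that only looks at the first, “benign” hop misses the final phishing host, while a check over every hop catches it and also surfaces each cross-domain redirect. The hostnames, the redirect chain and the blocklist are all constructed for illustration and are not real sites; the registrable-domain helper is a deliberate simplification.

```python
"""
Added example: analyze a recorded ad redirect chain the way a defender
would, to show why a first-hop ("hover") check misses cloaked landing pages.
All domains, the chain and the blocklist below are constructed, not real.
"""
from urllib.parse import urlsplit

# Constructed redirect chain as a crawler/proxy would record it: (URL, HTTP status).
# Hop 0 is the ad click-through, hop 1 the benign-looking intermediary,
# and the final hop is the phishing page the user actually lands on.
CONSTRUCTED_CHAIN = [
    ("https://ads-click.example-adnetwork.test/c?id=123", 302),
    ("https://benign-landing.example.test/welcome", 302),
    ("https://login-verify.example-phish.test/signin", 200),
]

# Constructed blocklist standing in for a browser "safe browsing" list.
# Only the final phishing host is listed; the benign intermediary is not.
CONSTRUCTED_BLOCKLIST = {"login-verify.example-phish.test"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ("" if absent)."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Naive last-two-labels approximation of the registrable domain.
    A production implementation would consult the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def hover_check(chain, blocklist) -> bool:
    """What hovering over the ad link (or checking only hop 0) can tell you."""
    return host_of(chain[0][0]) in blocklist


def full_chain_check(chain, blocklist) -> list:
    """Hosts anywhere in the chain that appear on the blocklist."""
    return [host_of(u) for u, _ in chain if host_of(u) in blocklist]


def cross_domain_hops(chain) -> list:
    """(from_host, to_host) pairs where a redirect changes registrable domain,
    a signal worth logging even when no host is blocklisted yet."""
    hops = []
    for (u1, _), (u2, _) in zip(chain, chain[1:]):
        h1, h2 = host_of(u1), host_of(u2)
        if registrable_domain(h1) != registrable_domain(h2):
            hops.append((h1, h2))
    return hops


def analyze(chain, blocklist) -> dict:
    """Summarize what each kind of check sees for one recorded chain."""
    return {
        "first_hop_flagged": hover_check(chain, blocklist),
        "blocklisted_hops": full_chain_check(chain, blocklist),
        "cross_domain_hops": cross_domain_hops(chain),
        "final_host": host_of(chain[-1][0]),
    }


if __name__ == "__main__":
    for key, value in analyze(CONSTRUCTED_CHAIN, CONSTRUCTED_BLOCKLIST).items():
        print(f"{key}: {value}")
```

Run as-is and the first-hop check reports nothing, while the full-chain check flags the final host and two cross-domain redirects are listed. The practical lesson for detection is that ad click telemetry has to be evaluated per hop (and ideally with the final landing host resolved), not on the advertised URL alone; blocking ads outright sidesteps the chain entirely.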

Threat actors who use obfuscation to hide their malicious sites in the Google Ads stream
Source: Guardian Labs
This pervasive and ever-growing problem of fraudulent search ads is a multifaceted problem with many moving parts, but we can break it down into:
- Paid/“sponsored” ads are placed at the top of the search results page.
- Constantly evolving methods to circumvent existing controls (where those controls exist at all).
- Lack of controls/policies for vetting ads.
These factors feed into each other and are not necessarily a linear cause-and-effect relationship. Other factors, such as user privacy considerations and platform algorithms, also play a role.
Sponsored ads for search engine keywords are generally placed at the top of search results pages, ahead of “real” or “organic” results.
This is a problem because there is overwhelming evidence that approximately 28% of users click on the first result on the search results page. Therefore, if a malicious ad is at the top of the sponsored results section, or even just above the organic results, there is a much higher chance that an unsuspecting user will click on it.
For example, when you use Google Search for the keyword “ransomware”, these are the sponsored/paid results:
These are the organic results of the same search for the same keyword on the same page. Notice how official government sources such as CISA (US) and NCSC (UK) are below the paid results:
In fact, the “organic results” sat below the paid ads, the summary definition of “ransomware,” and Twitter/X posts containing the word “ransomware.”
Search Engine Optimization (SEO) is an entire industry dedicated to using “best practices” to rank higher on search engine results pages to increase traffic.
Search ad or result?
Another issue is that sponsored/paid ads on search results pages blend in surprisingly well with organic results, especially at first glance. Paid search ads blending seamlessly into organic search results has been a trend in recent years.
For example, Google has removed the most “obvious” signs that a result is a paid ad. As of October 2022, Google has completely removed the “Ad” label from mobile paid search ads, replacing “Ad” with… “Sponsored”.
It doesn’t help that Google has constantly changed the look and feel of paid ads in search results over the years. In general, paid ads/sponsored results on Google Search look more like real results than ever before.
History of changes to the look and feel of Google search ads
Source: Search Engine Land
So what does this mean? By abusing search ad platforms, threat actors get fraudulent ads pointing to malicious websites into a privileged position for user display and interaction. Remember that many users tend to click on the first search result, and from paid search…
*** This is a Security Bloggers Network syndicated blog from Avoid The Hack!, authored by Avoid The Hack!. Read the original post at: