{"id":18791,"date":"2023-12-05T09:09:03","date_gmt":"2023-12-05T09:09:03","guid":{"rendered":"https:\/\/afreeurl.com\/?p=18791"},"modified":"2023-12-05T09:09:05","modified_gmt":"2023-12-05T09:09:05","slug":"targeted-ads-are-a-cybersecurity-risk","status":"publish","type":"post","link":"https:\/\/afreeurl.com\/?p=18791","title":{"rendered":"Targeted ads are a cybersecurity risk"},"content":{"rendered":"<p>Blocking targeted ads is justified. Malvertising is alive and well and poses too great a risk for the end user to ignore.<\/p>\n<p>For your security (and privacy), you should block ads by default. Here&#8217;s why.<\/p>\n<p>Malvertising is malicious advertising. Malvertising intentionally distributes <strong>malware<\/strong> and facilitates <strong>scams\/phishing<\/strong>. There are many ways to do malicious advertising; common examples include malicious search ads, malicious social media ads, and other malicious targeted ads displayed on websites.<\/p>\n<p><a rel=\"lightbox noopener\" href=\"https:\/\/avoidthehack.com\/user\/pages\/home\/ads-cybersecurity-risk\/virus-alert.jpg\" target=\"_blank\"><br \/><img decoding=\"async\" loading=\"lazy\" alt=\"a gray browser alert that reads 'virus alert! warning! threat detected! a malicious item has been detected!'\" src=\"https:\/\/avoidthehack.com\/images\/v\/i\/r\/u\/s\/virus-alert-60794195.jpg\" width=\"300\" height=\"231\"\/><\/a><\/p>\n<p>Malvertising does not rely solely on user interaction to download malicious scripts. Malicious scripts can be downloaded and executed on users&#8217; devices without explicit user consent or interaction. These scripts can in turn fetch second-stage malware; this technique is commonly known as a drive-by download.<\/p>\n<p>Perhaps the most dangerous part of malvertising is that it can appear in any ad on any website, including very popular and well-known websites. 
This can happen without the website itself being directly compromised, especially when the ads are served by third-party ad networks. Malvertising can also occur on websites that manage and run their own &#8220;proprietary&#8221; advertising platforms, such as many mainstream social media platforms, including Instagram and TikTok.<\/p>\n<p>In recent years there has been a noticeable increase in <strong>malicious search engine advertising<\/strong>. So much so that in December 2022, <a href=\"https:\/\/www.ic3.gov\/Media\/Y2022\/PSA221221?=8324278624\" rel=\"noopener noreferrer\" class=\"external-link no-image\" target=\"_blank\">the FBI released a public service announcement<\/a> warning the public about threat actors who abuse search ads to deliver malware and ransomware and to steal sensitive information such as login credentials.<\/p>\n<p><a rel=\"lightbox noopener\" href=\"https:\/\/avoidthehack.com\/user\/pages\/home\/ads-cybersecurity-risk\/fbi-psa.png\" target=\"_blank\"><br \/><img decoding=\"async\" loading=\"lazy\" alt=\"screenshot of FBI PSA website header\" src=\"https:\/\/avoidthehack.com\/images\/f\/b\/i\/-\/p\/fbi-psa-8885a59d.png\" width=\"400\" height=\"135\"\/><\/a><\/p>\n<p>Given Google&#8217;s dominance of search and the associated advertising space, threat actors (the bad guys) <strong>abuse the ecosystem regularly<\/strong> because it offers maximum exposure. For similar reasons, Bing Ads also sees its fair share of abuse, but given its market share we can assume the prevalence is lower \u2013 there is more return on investment in abusing Google Search Ads.<\/p>\n<p>Abusing these ecosystems ultimately means that a large audience will see these malicious ads, increasing the likelihood that someone will click on them. 
The more people click on them, the more people will be redirected to the phishing\/malicious site.<\/p>\n<p><span style=\"font-size: 24px;\">Brief overview<\/span><\/p>\n<p>Search engine advertising is relatively simple on the surface, although there are many nuances that I won&#8217;t go into here.<\/p>\n<p>Advertisers can show their ad, usually by bidding on a keyword, near the &#8220;organic&#8221; results. Typically, the advertiser pays the platform for each click on their search engine ad. The more in demand or popular the keyword, the higher the cost per click (CPC).<\/p>\n<p>In a non-malicious scenario, users are directed to the advertiser&#8217;s website\/property after clicking on the ad. For example, you search for &#8220;cyber security&#8221; and I, as an advertiser, bid on that keyword. You see my ad, click on it, and you are redirected to my website.<\/p>\n<p><a rel=\"lightbox noopener\" href=\"https:\/\/avoidthehack.com\/user\/pages\/home\/ads-cybersecurity-risk\/google-ads.jpg\" target=\"_blank\"><br \/><img decoding=\"async\" loading=\"lazy\" alt=\"a smartphone that displays the Google Ads logo at the top of a computer keyboard\" src=\"https:\/\/avoidthehack.com\/images\/g\/o\/o\/g\/l\/google-ads-4d3a1562.jpg\" width=\"300\" height=\"187\"\/><\/a><\/p>\n<p><strong>But what if the advertiser is a threat actor or otherwise malicious?<\/strong> Well, once the ad is clicked, users are usually directed to a malicious domain that can drop malware or trick users into divulging sensitive information. Except that it&#8217;s usually not as simple as directing users to a malicious site right away. 
<\/p>\n<p>In many cases, the threat actors <a href=\"https:\/\/labs.guard.io\/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e\" rel=\"noopener noreferrer\" class=\"external-link no-image\" target=\"_blank\">use cloaking (masquerading) techniques<\/a>, linking users to a &#8220;benign&#8221; website before <strong>redirecting<\/strong> them to the real phishing\/malicious domain. Hovering over the link won&#8217;t necessarily reveal the malicious domain, your browser&#8217;s &#8220;safe browsing&#8221; feature may not have that first &#8220;benign&#8221; domain on its &#8220;bad list&#8221;, and Google&#8217;s detection algorithms cannot explicitly detect the malicious domain to which unsuspecting users are ultimately sent.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" alt=\"threat actors abusing the Google Ads search engine ad model\" src=\"https:\/\/avoidthehack.com\/user\/pages\/home\/ads-cybersecurity-risk\/masquerading.webp\" width=\"720\" height=\"272\"\/><\/p>\n<p>Threat actors using obfuscation to hide their malicious sites in the Google Ads flow<br \/>Source: Guardio Labs<\/p>\n<p>This pervasive and ever-growing problem of fraudulent search ads is a multifaceted problem with many moving parts, but we can break it down into:<\/p>\n<ul>\n<li>Paid\/&#8220;sponsored&#8221; ads are placed at the top of the search results page.<\/li>\n<li>Constantly evolving methods to circumvent existing controls (where any exist).<\/li>\n<li>Lack of ad vetting controls\/policies.<\/li>\n<\/ul>\n<p>These factors feed into each other and are not necessarily a linear cause-and-effect relationship. 
Other factors, such as user privacy considerations and platform algorithms, also play a role.<\/p>\n<p>Sponsored ads for search engine keywords are generally placed at the top of search results pages, ahead of &#8220;real&#8221; or &#8220;organic&#8221; results.<\/p>\n<p>This is a problem because there is <strong>overwhelming evidence<\/strong> that <a href=\"https:\/\/www.sistrix.com\/blog\/why-almost-everything-you-knew-about-google-ctr-is-no-longer-valid\/\" rel=\"noopener noreferrer\" class=\"external-link no-image\" target=\"_blank\">approximately 28% of users click on the first search result<\/a> on the search results page. Therefore, if a malicious ad is at the top of the sponsored results section, or even just above the organic results, there is a much higher chance that an unsuspecting user will click on it.<\/p>\n<p>For example, when you use Google Search for the keyword &#8220;ransomware&#8221;, these are the sponsored\/paid results:<\/p>\n<p><a rel=\"lightbox noopener\" href=\"https:\/\/avoidthehack.com\/user\/pages\/home\/ads-cybersecurity-risk\/ransomware-ads.png\" target=\"_blank\"><br \/><img decoding=\"async\" loading=\"lazy\" alt=\"paid google search ads for keyword ransomware\" src=\"https:\/\/avoidthehack.com\/images\/r\/a\/n\/s\/o\/ransomware-ads-d7a1dc86.png\" width=\"400\" height=\"491\"\/><\/a><\/p>\n<p>These are the organic results of the same search for the same keyword on the same page. 
Notice how official government sources such as CISA (US) and NCSC (UK) are below the paid results:<\/p>\n<p><a rel=\"lightbox noopener\" href=\"https:\/\/avoidthehack.com\/user\/pages\/home\/ads-cybersecurity-risk\/ransomware-results.png\" target=\"_blank\"><br \/><img decoding=\"async\" loading=\"lazy\" alt=\"organic google search results for keyword ransomware\" src=\"https:\/\/avoidthehack.com\/images\/r\/a\/n\/s\/o\/ransomware-results-e05206a4.png\" width=\"400\" height=\"374\"\/><\/a><\/p>\n<p>In fact, the &#8220;organic results&#8221; were below the paid ads, the summary definition of &#8220;ransomware,&#8221; and Twitter\/X posts containing the word &#8220;ransomware.&#8221;<\/p>\n<p class=\"alert alert-info\">Search Engine Optimization (SEO) is an entire industry dedicated to using &#8220;best practices&#8221; to rank higher on search engine results pages to increase traffic.<\/p>\n<p><span style=\"font-size: 24px;\">Search ad or result?<\/span><\/p>\n<p>Another issue is that <strong>sponsored\/paid ads<\/strong> on search results pages blend in surprisingly well with organic results, especially at first glance. Paid search ads that blend seamlessly into organic search results have been a trend in recent years.<\/p>\n<p>For example, Google has removed the most &#8220;obvious&#8221; signs that a result is a paid ad. As of October 2022, Google has <a href=\"https:\/\/blog.google\/products\/search\/identify-information-sources\/\" rel=\"noopener noreferrer\" class=\"external-link no-image\" target=\"_blank\">completely removed the &#8220;Ad&#8221; label from mobile paid search ads,<\/a> replacing &#8220;Ad&#8221; with&#8230; &#8220;Sponsored&#8221;.<\/p>\n<p>It doesn&#8217;t help either that Google <a href=\"https:\/\/searchengineland.com\/search-ad-labeling-history-google-bing-254332\" rel=\"noopener noreferrer\" class=\"external-link no-image\" target=\"_blank\">has constantly changed the look and feel of paid ads<\/a> in search results over the years. 
In general, paid ads\/sponsored results on Google Search look more like real results than ever before.<\/p>\n<p><a rel=\"lightbox noopener\" href=\"https:\/\/avoidthehack.com\/user\/pages\/home\/ads-cybersecurity-risk\/googleads-timeline.png\" target=\"_blank\"><br \/><img decoding=\"async\" loading=\"lazy\" alt=\"timeline showing how Google search ads have changed over the years\" src=\"https:\/\/avoidthehack.com\/images\/g\/o\/o\/g\/l\/googleads-timeline-ec408249.png\" width=\"500\" height=\"800\"\/><\/a><\/p>\n<p>History of changes to the look and feel of Google search ads<br \/>Source: Search Engine Land<\/p>\n<p>So what does this mean? By abusing search ad platforms, fraudulent ads that point to malicious websites gain a <strong>privileged position<\/strong> for user display and interaction. Remember that many users tend to click on the first search result, and from paid search\u2026<\/p>\n<p class=\"syndicated-attribution\">*** This is a syndicated blog of the Security Bloggers Network of <a href=\"https:\/\/avoidthehack.com\/\" target=\"_blank\" rel=\"noopener\">Avoid The Hack!<\/a> written by Avoid The Hack!. Read the original post at: <\/p>\n<p><a href=\"https:\/\/securityboulevard.com\/2023\/12\/targeted-ads-are-a-cybersecurity-risk\/\" target=\"_blank\" rel=\"noopener\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Blocking targeted ads is justified. Malvertising is alive and well and poses too great a risk for the end user to ignore. For your security (and privacy), you should block ads by default. Here&#8217;s why. Malvertising is malicious advertising. Malvertising intentionally distributes malware and facilitates scams\/phishing. 
There are many ways to do malicious advertising; common examples of malicious advertising include malicious search ads, malicious social media ads, and other malicious targeted ads displayed&#8230; <\/p>\n","protected":false},"author":1,"featured_media":18792,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-18791","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-seo-news"],"_links":{"self":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/18791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=18791"}],"version-history":[{"count":1,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/18791\/revisions"}],"predecessor-version":[{"id":18793,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/18791\/revisions\/18793"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/media\/18792"}],"wp:attachment":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=18791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=18791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=18791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}