One in ten shopping ads promoted on Google potentially lead to phishing sites

Updated on: 24 February 2023

Edvardas Mikalauskas
Senior Researcher

Potentially unsafe ads promoted on Google

With the holiday shopping season in full swing, millions of users are hunting for the best deals online. However, many don’t realize that the amazing deal they just found on Google is actually too good to be true.

When you search for something on Google, certain results will be shown in top positions organically because their content is considered relevant or useful. Other results, however, will surface to the top as ads because an advertiser has paid Google to promote them.

Unfortunately, not all Google ads are created by legitimate advertisers. Some are made by cybercriminals. Such ads will lead users to malicious phishing websites where they can be tricked into buying counterfeit or unsafe products, fall victim to financial scams, or worse.

(Image: Potentially untrustworthy counterfeit website promoted on Google)

In light of this, we at CyberNews wanted to see whether Google ads that promote online sales are safe for shoppers to click. To do this, our Investigation team examined 692 Google ads related to Black Friday and Cyber Monday (BF/CM) promotions and analyzed the domains that these ads were promoting. We then assessed the safety of these domains based on three criteria: domain age, blacklist status, and Website Trust Score.

What we discovered was eye-opening: 10% of the Google ads we analyzed potentially lead to malicious phishing websites, where cybercriminals could lure users in order to steal their money and personal data.

You’d think that every single ad you see on Google undergoes a proper security check to ensure it’s not promoting an unsafe website. Sadly, it seems that this isn’t necessarily the case.

About this investigation

In order to carry out this investigation, we searched for 3,000 keywords related to BF/CM sales on Google. From the search results, we gathered a list of the top 692 domains that were actively promoted (i.e. labeled as “ads” and shown on top of the search results pages) via the Google Ads service from November 23 to November 30, 2020.

We then examined their domain age, calculated their Website Trust Score using the APIVoid service, and checked if these domains were listed on any threat databases like URLVir and ThreatLog.

What were we looking at?

To assess whether the domains that promoted BF/CM sales on Google were safe, we looked at three main criteria: domain age, blacklist status, and Website Trust Score.

Domain age

A 2019 study by Palo Alto Networks shows that most newly created domains “are known to be favored by threat actors to launch malicious campaigns.” This is because most malicious websites live for mere weeks, days, or even hours before being reported or detected and taken down by security vendors.

For this reason, we looked at domain age as one of the primary indicators of whether a website is trustworthy. We consider as suspicious and potentially unsafe any website created less than 60 days prior to the Black Friday weekend.

Blacklist status

Domains and IP addresses that have been flagged by security vendors as sources of spam, phishing attacks, or malicious content are usually logged on malicious domain databases, also known as domain blacklists. If a website is listed on one of these threat databases, users either receive warnings about its content, or can no longer directly access the site altogether. Needless to say, being listed on a reputable threat database is a huge red flag.

With that in mind, we ran our list of 692 domains through multiple reputable threat databases such as URLVir, ThreatLog, OpenPhish, and many others to see if any have been blacklisted as malicious.

Website Trust Score

As our final metric, we used one of the most comprehensive domain trust analysis services to gauge whether the domains on our list were safe: the Website Trust Score rating system by APIVoid. The Website Trust Score is calculated based on the results of APIVoid’s numerous domain security checks, including HTTPS support, email configuration, domain location, directory listing, Top Level Domain (TLD) abuse, blacklisting, domain recency, and much more.

In other words, if a website’s Trust Score is low, it’s probably less than reputable.

Note: The exact method of calculating the Website Trust Score is not public because disclosing it would make it far easier for malicious actors to work around APIVoid’s security checks.

What did we find?

Here’s what we found when we analyzed 692 promoted shopping domains for trustworthiness:

As we can see, at least 10% of domains that promoted BF/CA deals on Google in the last week of November can be deemed potentially unsafe, possibly leading users to malicious websites teeming with phishing hooks, malware, or other nasty surprises. Another 10.5%, while relatively trustworthy from a technical standpoint, could nonetheless have (minor) misconfigurations. Even blacklisted websites were found to actively run fake promotions.

This is a surprisingly high percentage of potentially unsafe domains that we did not expect to witness on a platform as prominent as Google.

Admittedly, in rare cases, a domain can be classified as untrustworthy due to unintentional misconfigurations. Nevertheless, a poorly configured website is still a threat to users. And when one in five ads on Google leads to potentially unsafe websites, using the search engine itself can become a dangerous lottery, especially during the shopping season.

Why is this still a problem?

When searching for a product or service on Google, many users simply click the first search result they see. Some don’t even know (or care) whether the actual link they click on is a search result or an ad. This is why phishers are so fond of placing fake ads: the average users’ lack of attention or patience, and Google’s apparent lack of effective security checks, make their work that much easier.

Therefore, we can’t help but place at least some part of the blame for this situation on Google.

Tech giants like Google earn billions from advertising every year. Is putting more resources into preventing cybercriminals from abusing consumers too much to ask?

To avoid cases like this, Google should review threat databases in real-time and prevent bad actors from using its platform to promote malicious websites with impunity. Before that happens, more people will fall for fake ads hiding in plain sight, only to lose their personal data and money to cybercriminals, again and again.

Meanwhile, if you’re an online shopper, here are our basic recommendations for avoiding phishing websites: