Scammers bypassing Google ad checks to impersonate real brands


Google seems to have a problem with brand impersonation. For example, users have found that some ads at the top of the search results appear to be the real Facebook but lead to scams. Malicious actors have found a way to trick Google’s bots.

You open Chrome, type Facebook, and the Google search page opens. You then click on the top result. Instead of the social network, you’re redirected to a malicious website saying that your computer is infected.

Justin Poliachik, a developer and creator on TikTok (@j_poli), shared his experience after he clicked on an ad that showed an official Facebook URL and appeared to link to a standard Facebook login page. The sponsored post appears at the top of search results.

Image: ad-on-google (image by Malwarebytes).

“I ran into this interesting issue on Google the other day, where I got an ad that was a completely fraudulent phishing site,” he said. “So my first reaction was like, how does Google ever allow this to happen? They should not allow ads to be posted that link to phishing sites. And it turns out it’s a little more nuanced than that.”

While anyone can pay for an ad to be at the top of the search results, Poliachik suspects that scammers have found a way to bypass security checks by looking out for and tricking Google’s trackers.

“If Google’s trackers visit your site, you redirect to Facebook, so Google thinks, hey, it’s good, this is legit. But then, if any normal user comes, you can redirect them to the phishing site instead. And these ads usually don’t last long because they’re usually expensive, and people report them,” Poliachik guessed.

His findings were reproduced by security researchers at Malwarebytes Labs.

“Such malvertising attacks are not new, and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive the point home that this needs to be addressed just like other types of fraud or malware,” they said.

Image: real-advertiser (image by Malwarebytes).

Malvertising campaigns use cloaking

According to researchers, all the malicious actors need is to be able to distinguish real humans from bots or crawlers to bypass Google’s security measures.

“Cloaking allows them to deliver two different experiences. Genuine humans can be detected from a number of factors: IP address, browser fingerprinting, etc. A click-tracking service can be used to analyze traffic, collect data, etc.,” Malwarebytes said. “They can also easily be abused by bad actors. Within the Google ad ecosystem, advertisers will place their URL as a tracking template, and the rest will be handled outside of Google.”

Scammers can chain redirects through “legitimate” domains they control and, from there, decide the final destination on which the user lands.

For bots, that may be something legitimate, like the real Facebook; for real users, a fraudulent website.

Poliachik thinks that Google needs to “use more AI and check the links more often.” However, researchers doubt that would help.

Image: two-paths (image by Malwarebytes).

“We don’t believe AI is going to fix malvertising, at least not for the next little while,” Malwarebytes said.

Instead, according to them, Google could differentiate a legitimate affiliate by a number of data points about the advertiser, such as user profile, payment method, budget, and, more importantly, the ad itself. Here, it could check things like the vanity URL, display text, tracking template, final URL, and what happens when you click on the ad.

“Are you actually redirected to the URL claimed in the ad? This is a feature that appears to be so easy to abuse and yet remains unfixed,” the researchers said.
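The cloaking described above, and the check the researchers ask for ("are you actually redirected to the URL claimed in the ad?"), can be expressed as a small defender-side script. The following is an added example, not code from Malwarebytes, Google or the article: it resolves an ad's tracking URL through its redirect chain twice, once with a crawler-like profile and once with a user-like profile, and flags both a mismatch between the claimed vanity domain and the user's real landing domain and a divergence between what the crawler and the user see. The HTTP layer is replaced by a constructed in-memory table of responses (all hostnames under `.test` are made up), so it runs offline; swapping `fetch` for a real HTTP client that sends the corresponding headers is the only change needed to check live ads.

```python
"""Defender-side cloaking check: does an ad land where it claims, and does
a user land where a verification crawler lands?  Added example; the
responses below are constructed, not captured from any real campaign."""
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed responses: (url, profile) -> (status, Location header or None).
# Profiles: "crawler" (a verification bot) and "user" (an ordinary browser).
SIMULATED_RESPONSES = {
    # Ad 42: crawler is sent to the real brand, a user is sent to a scare page.
    ("https://track.example-tracker.test/click?id=42", "crawler"): (302, "https://land.example-affiliate.test/go"),
    ("https://track.example-tracker.test/click?id=42", "user"): (302, "https://land.example-affiliate.test/go"),
    ("https://land.example-affiliate.test/go", "crawler"): (302, "https://www.facebook.com/login"),
    ("https://land.example-affiliate.test/go", "user"): (302, "/alert"),  # relative Location
    ("https://land.example-affiliate.test/alert", "user"): (200, None),
    ("https://www.facebook.com/login", "crawler"): (200, None),
    # Ad 7: a clean ad whose chain ends where it claims for both profiles.
    ("https://track.example-tracker.test/click?id=7", "crawler"): (302, "https://www.example-shop.test/"),
    ("https://track.example-tracker.test/click?id=7", "user"): (302, "https://www.example-shop.test/"),
    ("https://www.example-shop.test/", "crawler"): (200, None),
    ("https://www.example-shop.test/", "user"): (200, None),
}


def fetch(url, profile):
    """Stand-in for an HTTP request made with the given client profile.
    Returns (status, Location). Unknown URLs end the chain with a 404."""
    return SIMULATED_RESPONSES.get((url, profile), (404, None))


def resolve_chain(url, profile, max_hops=10):
    """Follow redirects from `url`; the last element is the landing page.
    Stops on a non-redirect, a redirect loop, or the hop limit."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], profile)
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # resolves relative Location values
        chain.append(nxt)
        if chain.count(nxt) > 1:  # loop: same URL seen twice
            return chain
    return chain


def registrable_domain(url):
    """Last two labels of the host. Simplification: production code should
    use the public suffix list so that e.g. co.uk is handled correctly."""
    host = (urlsplit(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


@dataclass
class AdCheck:
    claimed_domain: str
    crawler_chain: list
    user_chain: list

    @property
    def crawler_landing(self):
        return self.crawler_chain[-1]

    @property
    def user_landing(self):
        return self.user_chain[-1]

    @property
    def domain_mismatch(self):
        """The page a real user lands on is not the domain shown in the ad."""
        return registrable_domain(self.user_landing) != self.claimed_domain

    @property
    def cloaked(self):
        """Crawler and user end up on different registrable domains."""
        return registrable_domain(self.crawler_landing) != registrable_domain(self.user_landing)

    @property
    def verdict(self):
        if self.cloaked:
            return "cloaking suspected"
        if self.domain_mismatch:
            return "destination mismatch"
        return "ok"


def check_ad(vanity_url, tracking_url):
    """Compare the ad's displayed (vanity) URL with where its tracking
    template actually sends a crawler and a user."""
    return AdCheck(
        claimed_domain=registrable_domain(vanity_url),
        crawler_chain=resolve_chain(tracking_url, "crawler"),
        user_chain=resolve_chain(tracking_url, "user"),
    )


if __name__ == "__main__":
    for vanity, tracking in [
        ("https://www.facebook.com/", "https://track.example-tracker.test/click?id=42"),
        ("https://www.example-shop.test/", "https://track.example-tracker.test/click?id=7"),
    ]:
        result = check_ad(vanity, tracking)
        print(f"{vanity} -> {result.verdict}: user lands on {result.user_landing}, crawler on {result.crawler_landing}")
```

The important design point is that the verdict does not trust the tracking template or any intermediate hop; it only compares the final landing pages, which is exactly what the cloaking technique manipulates. Running the check from several vantage points (different IP ranges and browser fingerprints) closes the gap further, since the researchers note cloaking keys on those same signals.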

Unfortunately, most users won’t take the time to check who the advertiser is, and they shouldn’t have to. Malwarebytes recommends that users be wary of sponsored results, block ads altogether, learn to recognize scam pages, and use a browser guard extension.

