SBN

TRENDING: Google Ads as Phishing Hooks: Understanding the Threat and Protecting Your Brand

The FBI said that in 2022, phishing took the top spot as the most reported cybercrime by a wide margin. While scammers using deceptive e-mails and SMS messages to trick victims is nothing new, the FBI has also warned that cybercriminals are impersonating brands using search engine ads to defraud consumers. In these scams, the fake ad’s purpose is tricking consumers into clicking on the ad which takes them to a phishing site where the scammer hopes to trick a visitor into divulging their credentials, identity information, or payment data.

In general people tend to trust search ads and results from Google assuming they go through some sort of vetting. This is a myth. We don’t think Google is doing enough to proactively prevent this fraud occurring on their platform.

In this article we’ll explain the threat, share examples we’ve helped customers mitigate, argue that Google isn’t doing enough to address the issue, as well as, what brands should do in the meantime.

Why have scammers been able to use Google Ads as a tool for Fraud?

Google ads are online advertisements presented to a search engine user based on what they type into the search field. In the image below, you’ll see a number of Google ads displayed for a search of “best electric lawnmower.”

A screen shot of Google search results for “best electric lawnmowers” highlighting the Google ads displayed on the page.

The ads that end up displaying to a Google user is determined by advertisers bidding on certain keywords. In the electric lawnmower example you’ll see ads marked with Greenworks, EGO, Walmart, Lowe’s and Ace Hardware brand names. While Google claims other variables affect which ads are shown when, the highest bids probably have an outsized effect on which ads are displayed.

Interestingly, Google allows people to bid on a brand name as a keyword even if they don’t own the trademark or have affiliation with the brand. For example, you’ll see ads from vendors appear when you search one of their competitors.

While competitors bidding on your brand name can be frustrating, even worse are scammers bidding on your brand name. It’s as if not only is Google happy to pocket the proceeds of a bidding war between you and your competitors, they’re also happy to pocket the greater proceeds resulting from inviting yet another party to that bidding war – scammers!

We want to explode a myth to help both brands and consumers protect themselves – Google isn’t doing as much as you think to make sure that the ads they present on their search engine results are safe or legitimate.

We want to explode a myth to help both brands and consumers protect themselves – Google isn’t doing as much as you think to make sure that the ads they present on their search engine results are safe or legitimate. We know this because we’ve seen multiple examples of Google ads posing as trusted brands but directing anyone that clicks on them to malicious sites set on stealing credentials, payment information, or identity data. 

Scammers have realized that thanks to Google’s trademark policies, they are able to bid on any keywords they want with as much influence over placement as any brand – as long as their pockets are deep enough. 

How Do Scammers Exploit Google Ads for Fraud?

At Allure Security we’ve seen at least two Google Ad abuse scenarios play out.

  • The first is relatively straightforward – a scammer creates an ad impersonating a trusted brand, bids on that brand’s name as a keyword, and then directs a click on that ad to a phishing site.
  • In the second, the scammer puts a bit more work into the scheme in order to evade detection by presenting different content when a Google Click ID is generated.

To start, scammers publish a website at the domain intended to receive the ad’s traffic. If you enter that URL into your browser and visit the site without having clicked on a Google ad, you’ll be greeted with benign content (e.g., content about “thingies” using our example in the image below). 

However, if the Google ad containing the same URL is clicked, a Google Click ID (GCID) is generated and passed through in the URL. The malicious site then recognizes an appended GCID which triggers a redirect to the scam site impersonating the searched brand the visitor searched.

The display of the benign content if the website is visited directly (vs. by clicking on the ad) seems to be enough to circumvent Google’s ad review.

A recreation of an observed Google ad displayed for a search of a financial institution’s brand name which then redirects to a phishing page impersonating that institution.

Hat-tip to Guardio Labs for a great rundown of other examples of  the “MasquerAds” threat that uses the GCID.

Why Can’t Brands Count on Google to Stop Scammers from Impersonating Them in Ads?

In many cases Google won’t restrict (or even investigate) the use of trademarks in keywords. Anybody can bid on your brand name as a keyword – be it a competitor or a fraudster targeting your customer base – it’s all fair play according to Google:

  • “In response to trademark owner complaints, we may restrict the use of trademarks in ad text.”
  • “We don’t investigate or restrict trademarks as keywords”
  • “We may restrict trademarks from appearing in the subdomains of display URLs.”
  • “We don’t investigate or restrict trademarks in the second-level domains or post-domain paths of display URLs.”

This suggests that Google will not stop a scammer from using your brand name in the subdomain, second-level domain, or post-domain path of the URL displayed in their fraudulent ad. They might stop a scammer from using your brand name in a subdomain, but only if you complain about it and you need to see it in the first place in order to report it.

“So it’s up to every business to monitor the impossible to monitor Google ad space. And then to bear the cost of dealing with Google.”

Allure Security CEO Josh Shaul

The advertising industry does have very small margins so perhaps they’ve decided additional vetting isn’t worth the extra cost.

As far as we can tell, Google does next to nothing to proactively address this issue which seems counterintuitive. As more consumers become aware of this attack vector, their trust in and clicks on Google ads will plummet. Google ads will quickly lose value and brands won’t bother using Google ads if consumers don’t trust them.

Now we’re not advocating for Google to implement draconian trademark enforcement actions to stop consumers and others from using brand names they don’t have rights to. But doesn’t it seem reasonable to ask for a bit more due diligence to ensure they’re not letting scammers use trademarks to defraud people that use Google?

The Impact of Fraudsters Abusing Google Ads 

If potential customers looking for your brand engage with a phony sponsored ad and fall victim –  many of them will blame, lose trust in, and ultimately, leave your brand. These ads can cause irreparable reputation damage for brands online. 

As fraudsters continue to bid on keywords relevant to your brand, customer acquisition costs increase with them. Since scammers are both driving up the keyword advertising prices and poisoning the results, the return on digital marketing efforts become less effective as they increase in price. Consumers lose trust in the ads they see and click less frequently. Consumers that do click on a fake ad are directed to a scam website and your opportunity to engage with those prospects is lost.

So, what is a brand to do?

5 tips to mitigate fake online ads targeting your brand and customers

In addition to general online brand protection best practices, take the following steps to mitigate the risk of fraudulent Google ads targeting your brand and customers:

WHAT YOU SHOULD DO NEXT

  1. Contact us right now if you’re bedeviled by scammers impersonating your brand within the Google Ads system and/or want to get ahead of the issue.
  2. Get educated about an expected September surge in fake iOS apps impersonating trusted brands like yours on our blog.
  3. Get free actionable advice for handling parked domains impersonating your brand on our blog.

*** This is a Security Bloggers Network syndicated blog from Allure Security authored by Sam Bakken. Read the original post at: https://alluresecurity.com/2023/04/20/trending-google-ads-as-phishing-hooks-understanding-the-threat-and-protecting-your-brand/

Sam Bakken

Sam is Senior Product Marketing Manager responsible for the mobile app security portfolio at OneSpan, a global leader in software for trusted identities, e-signatures and secure transactions. Sam has nearly 10 years of experience in information security. Prior to OneSpan, Sam managed content strategy at mobile app security provider NowSecure and before that led go-to-market strategy for a portfolio of vulnerability management and security testing products and services from Trustwave SpiderLabs.

sam-bakken has 19 posts and counting.See all posts by sam-bakken