
Targeted Ads are a Cybersecurity Risk

Update/Revision of the post originally published on 5 DEC 2023.

You’re justified in blocking targeted ads. Malvertising is alive and well and poses a too-big-to-ignore risk to the end user.

For your security (and privacy) you should block ads by default. Here’s why.

Malvertising in recent news

While this post and the links it points to still hold true of the modern targeted advertising landscape, this section was added to hammer home the prevalence of malvertising by providing relatively recent (within 6 months) news items where malvertising was leveraged by threat actors. This includes using malvertising to link to phishing websites, malware downloads, scams, and blatant disinformation (especially when state-sponsored), among other malicious campaigns.

Malvertising

Malvertising is malicious advertising: it intentionally distributes malware and facilitates scams and phishing. There are many ways malvertising can be carried out; some commonly seen examples include malicious search ads, malicious social media ads, and other malicious targeted ads displayed on websites.


a gray browser alert that reads "virus alert! warning! threat detected! a malicious item has been detected!"

Malvertising does not necessarily rely on user interaction. A malicious ad can download and execute scripts on a user’s device without the user clicking anything or giving consent; these scripts can then fetch second-stage malware. This technique is commonly known as a drive-by download.

Perhaps the most dangerous part of malvertising is that it can appear in any ad slot on any website – including extremely popular, well-known websites. This can happen without the website itself being breached, particularly when third-party ad networks are used to serve the ads. Malvertising can also occur on websites that manage and run their own “first-party” ad platforms, such as mainstream social media platforms like Instagram and TikTok.

Malicious search ads campaigns

In recent years, there has been a noticeable increase in search engine malvertising. So much so that in December 2022, the FBI put out a public service announcement warning the public that threat actors were abusing search ads to deliver malware and ransomware and to steal sensitive information such as login credentials.


screenshot of FBI PSA website header

Given Google’s dominance across search and the associated ad space, threat actors (bad guys) regularly abuse the ecosystem because it gives maximum return on exposure. For similar reasons, Bing Ads sees its fair share of abuse too, but given its smaller market share we can assume prevalence is lower – there is more return on investment in abusing Google Search Ads.

Abuse of these ecosystems ultimately means a large audience will see these malicious ads, increasing the likelihood someone will click on them. The more people click on them, the more people are redirected to the phishing/malicious site.

Brief Overview

Search engine advertising is relatively simple on the surface, though there are a whole lot of nuances I will not get into here.

Advertisers can have their ad – usually a bid on a keyword – displayed near “organic” results. Typically, the advertiser pays the platform for every click on their search engine ad. The more in demand or popular the keyword, the higher the cost per click (CPC).

In a non-malicious scenario, users are directed to the advertiser’s website/property once clicking on the ad. For example, you search “cybersecurity” and I bid on that word as an advertiser. You see my ad, you click on it, and then you are redirected to my website.


a smart phone showing the google ads logo on top of a computer keyboard

But what if the advertiser is a threat actor or otherwise malicious? Well, once the ad is clicked, users are typically directed to a malicious domain that may drop malware or trick them into divulging sensitive information. Except it’s not quite as simple as sending users to a malicious site from the get-go.

In many cases, threat actors employ cloaking techniques, linking users to a “benign” website that then redirects them to the true phishing/malicious domain. Hovering over the link won’t necessarily tip you off, because it only shows that first “benign” domain; your browser’s “safe browsing” feature may not have that domain on its block list; and Google’s ad-review algorithms can’t directly see the malicious domain that unsuspecting users are ultimately forwarded to.

threat actors abusing google ads search engine ad model

Threat actors using cloaking to hide their malicious sites in the Google Ads flow
Source: Guardio Labs
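As an added illustration (not code from the original post), the following Python script walks an ad link’s HTTP redirect chain hop by hop and flags the pattern described above: the link passes through the displayed, benign-looking domain before landing somewhere else. The domains in the fixture are constructed, and the script only sees HTTP-level redirects, not JavaScript or meta-refresh cloaking.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url):
    """Fetch one hop over the network: (status, headers), redirects not followed."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

def resolve_chain(url, fetch=http_fetch, max_hops=10):
    """Follow HTTP Location redirects hop by hop; return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if not (300 <= status < 400 and location):
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError("redirect chain exceeded %d hops" % max_hops)

def assess_ad(display_host, url, fetch=http_fetch):
    """Flag 'cloaked' when the chain passes through the displayed host, then leaves it."""
    chain = resolve_chain(url, fetch)
    hosts = [urlparse(u).hostname or "" for u in chain]
    mismatch = hosts[-1] != display_host          # landing host != what the ad shows
    via_display = display_host in hosts[:-1]      # the benign-looking hop was visited
    return {"chain": chain, "final_host": hosts[-1],
            "mismatch": mismatch, "cloaked": mismatch and via_display}

# Constructed fixture (not real traffic): a click tracker bounces through the
# displayed domain, which then forwards to a look-alike host ("tool" vs "too1").
FIXTURE = {
    "https://tracker.example/click?id=1": (302, {"Location": "https://ransomware-tool.example/download"}),
    "https://ransomware-tool.example/download": (302, {"Location": "https://ransomware-too1.example/setup"}),
    "https://ransomware-too1.example/setup": (200, {"Content-Type": "text/html"}),
}

def fixture_fetch(url):
    """Offline stand-in for http_fetch that replays the constructed fixture."""
    return FIXTURE[url]
```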

This widespread and ever-growing issue of rogue search ads is a multi-faceted issue with many moving parts, but we can kind of break it down into:

  • Paid/“sponsored” ads are at the top of the search results page
  • Ever-evolving methods to circumvent existing (albeit lacking) controls
  • Lacking ad-screening controls/policies

These factors feed into each other and are not necessarily a linear cause-and-effect relationship. There are other factors, such as user privacy considerations and platform algorithms, with influence as well.

Paid ads are at the top of the results page

Sponsored ads for keywords on search engines are generally placed at the top of the search results pages, ahead of “actual” or “organic” results.

This is a problem because there is overwhelming evidence that approximately 28% of users click on the first result on the search results page. Therefore, if a malicious ad sits at the top of the sponsored section – or even just above the organic results – there’s a far higher chance an unsuspecting user will click it.

For example, when using Google Search for the keyword “ransomware,” these are the sponsored/paid results:


paid google search ads for keyword ransomware

These are the organic results for the same search for the same keyword on the same page. Notice how official government sources such as CISA (US) and the NCSC (UK) are below

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/ads-cybersecurity-risk