Hackers hide malicious links in top Google search results, researchers warn

Malicious ads created to resemble website links target some of the world’s most popular websites



Google users have been warned about a new malvertising campaign where people who search for popular websites are instead redirected to scam sites by malicious ads.

Searches for some of the most popular websites were found to return ads made to look like legitimate links to the desired website, with some appearing as the first entry on a results page.

Websites impersonated by the threat actors include YouTube, Amazon, Facebook and Walmart, and in all cases appear to lead to a browser locker website where users get scam alerts to call Microsoft support, or fake Windows Defender alerts, according to researchers at Malwarebytes.


Malvertising, or hiding malware payloads behind online advertisements, usually occurs in more obvious ways on websites, such as advertisements promising users free products or cash prizes.

In this case, however, researchers noted the sophistication of the campaign, with an example of a Facebook malvertising link containing no apparent differences that could alert a user to its illegitimate nature.

However, because the malvertising uses Google Ads as its platform, each result is still marked with a bold “Ad” label in the top left corner. This allows attentive users to at least determine that it is not a direct link to the website they were looking for, although this still does not reveal its malicious nature.

Researchers also noted that the redirection mechanism used by the threat actors is complex enough to make it difficult to determine where the ad will direct potential victims via HTML analysis.

Once the ad is clicked, the page the user lands on will either redirect to the legitimate website as a ‘lure’, or load a secondary script where the malicious URL is found.

This is then loaded into an inline frame, an HTML element that loads one page into another. This has the effect of replacing the page with the scam element, but not actually redirecting the user a second time.

In this way, the URL of the malicious browser locker page is hidden from the user, who only sees the intermediate .com ‘cloaking domain’ (in the case of Malwarebytes Labs it was called ‘shopmealy’).
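The flow described above can be spotted in a per-tab request log even though the address bar never changes. The following is an added example, not code from the article or from Malwarebytes: the record shape, the `classifyAdClick` and `siteOf` names and the `.example` hosts are all assumptions, and the sample sessions are constructed.

```javascript
// Added example (not from the article). Record shape is an assumption;
// type names mirror the browser webRequest resource types.

// Naive site key: last two host labels. Use the Public Suffix List in practice.
function siteOf(url) {
  return new URL(url).hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Classify what happened in one tab after an ad click.
// advertised: the site the ad claimed to lead to (e.g. "brand.example").
function classifyAdClick(advertised, events) {
  let top = null, scriptSeen = false, framed = null;
  for (const ev of events) {
    if (ev.type === 'main_frame') {          // address bar changes
      top = ev.url; scriptSeen = false; framed = null;
    } else if (ev.type === 'script') {
      scriptSeen = true;
    } else if (ev.type === 'sub_frame' && top && scriptSeen &&
               siteOf(ev.url) !== siteOf(top)) {
      framed = ev.url;                       // cross-site frame, no navigation
    }
  }
  if (top && siteOf(top) === advertised) {
    return { verdict: 'landed-on-advertised-site', addressBar: top };
  }
  if (framed) return { verdict: 'cloaked-frame', addressBar: top, framed };
  return { verdict: 'off-brand-landing', addressBar: top };
}

// Constructed sample sessions using reserved .example names.
const lureSession = [
  { type: 'main_frame', url: 'https://cloak-domain.example/?q=1' },
  { type: 'main_frame', url: 'https://www.brand.example/' },
];
const lockerSession = [
  { type: 'main_frame', url: 'https://cloak-domain.example/?q=1' },
  { type: 'script',     url: 'https://cloak-domain.example/s.js' },
  { type: 'sub_frame',  url: 'https://locker-host.example/alert' },
];

console.log(classifyAdClick('brand.example', lureSession));
console.log(classifyAdClick('brand.example', lockerSession));
```

The `cloaked-frame` verdict pairs the URL the user sees with the framed URL they do not, which is the pair an analyst needs when reporting the ad and blocking both hosts.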

The fact that the ads appear in search results ahead of even some of the most popular websites in the world implies that the threat actors are willing to pay money to commit the scam, which would be necessary for keywords of such popularity.

In addition, researchers found that the threat actors had separated the cloaking and browser locker flows so that authorities could not take the whole operation down at once, using a combination of expensive and free domains. The malvertising infrastructure also appears to be hosted on both paid virtual private servers and free cloud (PaaS) providers.

“Google’s proprietary technology and malware detection tools are used to regularly scan all ads,” reads Google’s support page on malware in ads.

“Third party calls or subsyndication to uncertified advertisers or suppliers are prohibited. Every ad that distributes malware is pulled to protect users from harm. Any authorized purchaser whose creatives contain malware will be subject to a minimum of three months’ suspension.”

Malwarebytes Labs has stated that all necessary reports have been submitted to notify Google of the ads, and researchers have reported each such ad under the label “An ad/listing violates other Google Ads policies.”

IT Pro has contacted Google for comment.

© Dennis Publishing
