Google Users Warned Of Surging Malvertising Campaigns via @sejournal, @MattGSouthern

Cybersecurity researchers are warning people over a troubling rise in “malvertising”—the use of online ads to deploy malware, phishing scams, and other attacks.

A report from Malwarebytes found that malvertising incidents in the U.S. surged 42% last fall.

The prime target? Unsuspecting users conducting searches on Google.

Jérôme Segura, senior director of research at Malwarebytes, warns:

“What I’m seeing is just the tip of the iceberg. Hackers are getting smarter and the ads are often so realistic that it’s easy to be duped.”

Poisoned Paid Promotions

The schemes frequently involve cybercriminals purchasing legitimate-looking sponsored ad listings that appear at the top of Google search results.

Clicking these can lead to drive-by malware downloads or credential phishing pages spoofing major brands like Lowe’s and Slack.

Segura explained of one recent Lowe’s employee portal phishing attack:

“You see the brand, even the official logo, and for you it’s enough to think it’s real.”

Undermining User Trust

Part of what makes these malvertising attacks so volatile is they hijack and undermine user trust in Google as an authoritative search source.

Stuart Madnick, an information technology professor at MIT, notes:

“You see something appearing on a Google search, you kind of assume it is something valid.”

The threats don’t end with poisoned promotions, either. Malicious ads can also sneak through on trusted websites.

Protecting Against Malvertising: For Users

Experts advise several precautions to reduce malvertising risk, including:

  • Carefully vet search ads before taking any actions
  • Keeping device operating systems and browsers updated
  • Using ad-blocking browser extensions
  • Reporting suspicious ads to Google for investigation

Madnick cautioned:

“You should assume that this could happen to you no matter how careful you are.”

Staying vigilant against malvertising exploits will become more critical as cyber attackers evolve their deceptive tactics.

Protecting Against Malvertising: For Websites

While individual users must stay vigilant, websites are also responsible for implementing safeguards to prevent malicious ads from being displayed on their platforms.

Some best practices include:

Ad Verification Services

Many websites rely on third-party ad verification services and malware scanning tools to monitor the ads being served and block those identified as malicious before reaching end users.

Whitelisting Ad Sources

Rather than accepting ads through open real-time bidding advertising exchanges, websites can whitelist only thoroughly vetted and trusted ad networks and sources.

Review Process

For an added layer of protection, websites can implement a human review process on top of automated malware scanning to manually analyze ads before serving them to visitors.

Continuous Monitoring

Malvertisers constantly update their techniques, so websites must monitor their ad traffic data for anomalies or suspicious patterns that could indicate a malicious campaign.

By implementing multi-layered ad security measures, websites can avoid unknowingly participating in malvertising schemes that put their visitors at risk while protecting their brand reputation.


Featured Image: Bits And Splits/Shutterstock

Leave a Reply

Your email address will not be published. Required fields are marked *