How to spot and avoid scams and malware in search results

Add one more to the list of where the bad guys hide online: at the very top of search results.

Malicious scams and malware exploit your trust by hiding behind advertisements at the top of search pages. Google, DuckDuckGo, and Bing get paid to put them in front of us, and they haven’t figured out how to stop it.

This is called “malvertising”, and if you’re not careful to spot it, you could get burned.

Washington Post reader Jack Wells wrote to me recently after a scare. “I’m afraid I was hacked this morning, and I wonder if you could give me some advice on how to deal with it,” he wrote.

Here’s what happened: Wells had gone to DuckDuckGo, the privacy-focused search engine I also use, and typed in “Citibank login” hoping to visit the banking portal. The first item appeared to be an advertisement for the Citibank login page, so he clicked on it.

Strangely, Wells was taken to a blank screen. So he pressed the back button and discovered that he was on a page whose real address ended in “.ru” (for Russia) and was definitely not Citibank.

Wells appears to have fallen for a fraudulent search ad used to trick people into inadvertently giving up their passwords or downloading malware. When I asked DuckDuckGo about his experience, spokeswoman Allison Goodman said the company was unable to recreate it, but she suspects he may have clicked on an advertisement link that has since been removed.

“We have seen this happen very rarely; scammers are evolving their tactics and regularly launching and deleting sites to avoid ending up on blacklists,” she said. Ads on DuckDuckGo are managed by Microsoft, which also places them on its own Bing search engine.

“We take misleading or fraudulent advertisements very seriously,” Microsoft spokeswoman Caitlin Roulston wrote. “Microsoft prohibits such content, including content that may reasonably be perceived as misleading, fraudulent, or harmful to site visitors.”

Now the really bad news: Fraudulent search ads aren’t just a problem on DuckDuckGo and Bing. They are also a problem on Google, the most used search engine in the world. There are ads for fake banks, fake sites for the IRS and other government agencies, and fake crypto wallets, to name a few.

In August, Sen. Richard Blumenthal (D-Conn.) wrote in a letter to Google CEO Sundar Pichai that the search giant had demonstrated a “troublesome record of inadequate due diligence against fraud and abuse” in advertisements. His letter cited a 2021 investigation by my colleague Jeremy Merrill finding that advertisers have impersonated government websites. Google said it removed these kinds of banned ads, but the senator’s office later checked and found that similar ads were still appearing, suggesting that Google’s countermeasures weren’t very effective. (Merrill found similar issues with Microsoft ads on DuckDuckGo.)

In July, Malwarebytes researchers reported how unsuspecting Google users searching for popular keywords – including “youtube” – could click on an ad and see their browsers hijacked with fake warnings to call fake Microsoft agents for help. And in 2021, Check Point Research identified a Google-ad phishing campaign that resulted in the theft of at least half a million dollars worth of cryptocurrency.

How does this even happen? The main problem is that many search ads are sold through self-service systems, where advertisers don’t necessarily need to be licensed or have their links verified by humans. The bad guys sometimes try to create thousands of accounts simultaneously, hoping that a few succeed.

Companies say they have the problem under control.

“When we become aware of these instances, we take steps to remove them as soon as possible,” Microsoft spokeswoman Roulston said. “We then apply the feedback in our detection mechanisms to improve our ability to detect and remove similar ads in the future.”

“We are always working to stay ahead of bad actors, some of whom use sophisticated measures to conceal their identities and evade our policies,” Google spokesperson Davis Thompson said in an email. “People deserve to feel safe on our platforms and we will continue to improve our enforcement practices to combat abuse and fraud.”

Like what? Thompson said that in recent years Google has introduced new certification policies, increased advertiser verification and increased the company’s ability to detect and prevent coordinated scams. But he wouldn’t say what percentage of the company’s advertisers are now verified.

We still don’t know the extent of the problem either. In 2021, Google says it blocked or removed 38.1 million ads for “misrepresentation” and 58.9 million ads for violating its financial services policies, before and after they were served. Microsoft wouldn’t say how many fraudulent ads it removes.

So what can you do against scam ads?

It starts with awareness. Many of these attacks attempt to exploit a very common online behavior: searching for a website by its name instead of typing its full URL into the address bar. So get into the habit of typing the address yourself into your browser – instead of typing “Citibank Login”, type the site’s address in its entirety.

Another suggestion: save browser bookmarks for the sites you use most often.

Personally, I have a habit of not clicking search ads. If you look further down the page under the ads, you will find the real search results that have been curated and ranked based on their popularity and actual usefulness. And if you install an ad blocker in your browser, you won’t see any ads, good or bad.

What should you do if you think you’ve clicked on one of these bad ads? For Wells, I recommended a two-step plan similar to what I would advise anyone who thinks they’ve been hacked.

First, I suggested that he scan his computer for viruses and malware. It’s important whether you’re using Windows or a Mac. I use Malwarebytes, which is available as a free download (or, if you subscribe to it, as a permanent shield). It will find and quarantine malware that you may have downloaded.

Second, I suggested that he change his banking password. Phishing for login information is probably the #1 risk for most internet users. The security mistake many people make is reusing passwords across different sites, apps, and services. This is a problem because if bad guys get one of your passwords, they’ll try to use it to access your accounts, data, and maybe even money elsewhere.

The only practical solution is to use a different password everywhere and keep track of them in a program called a password manager. Password managers are generally safe to use and not as annoying as you might think.

After sorting it out, Wells told me the experience would change his behavior online. “I didn’t really expect scams to show up on online searches, but now that I know they can, I’ll be looking for them,” he said.
