In this internet era, every one of us is familiar with the google search engine, and we use it to browse so many topics in our day-to-day life. While browsing, many of us would have noticed small pop-ups or small boxes of ads displayed along the sides of the website. Most of the time, the ads will be customized to your personal interests. Before you click on these ads, have you paused for a second and thought, are these sites genuine?
Let’s see what are Google Ads, are Google Ads safe, how threat actors abuse Google Ads, tips to spot fake google ads, and finally, we will also see how you should protect yourselves from fake Google Ads.
What Are Google Ads?
Google ads is an online advertising platform that helps to improve business by increasing customer reach and helps companies to achieve their marketing goals. It also helps in increasing traffic to your website and raising awareness of products. Google ads are developed by google. Google Ads allows advertisers to display quick advertisements, all services offered, product listings, short videos, and much more on their websites.
Google ads often appear on most websites. They can be above or below search results. Google ads can be displayed in the google search engines and also on mobiles, non-search sites, etc. There are wide varieties of google ads, search ads, Local service ads, google shopping ads, etc.
How Threat Actors Abuse Google Ads?
Google ads can be very useful, especially when we are in search of any products and google recommends the best products on our visiting pages. But are all those google ads safe? Let’s see how threat actors abuse Google Ads.
Threat actors use Google ads to spread malware by pretending as legitimate software. So many popular software is targeted by attackers, including Grammarly, MSI Afterburner, Slack, Dash Lane, Malwarebytes, OBS, Ring, AnyDesk, Libre Office, TeamViewer, Thunderbird, Brave, etc. Check out this AnyDesk Malvertising Campaign as an example that came to light in Mid of 2021. The threat actors clone the original website to impersonate legitimate software.
Google ads can be very useful, especially when we are in search of any products and google recommends the best products on our visiting pages. But are all those google ads safe? Let’s see how google ads are exploited by threat actors.
The attack method used here is known as typosquatting, which means creating a fake website and naming the domain in such a way it resembles the original domain name. The attackers can use so many permutation combinations to create such domain names that will have small typos, which upon a single look, seem legitimate. For example, the original domain is ‘facebook.com,’ and attackers can create a fake domain with the name ‘faceb00k.com’. Here the attacker has replaced the alphabet ‘o’ with ‘zero.’
Grammarly is a famous software used by millions of people to help in improving spelling and grammar errors in English, there was a google ads scam targeting Grammarly in November 2022, and we will discuss the technical details of how this happened.
The original website of Grammarly is ‘grammarly.com.’ The threat actor creates a domain ‘grammalry[.]org’ which, upon a direct visit, will take you to an advertisement by “Christian Heating & Air Conditioning,” and the site contains no details regarding the original Grammarly website, nor looks suspicious.
But, if the user is clicking on the promoted google ad search results for the above domain thinking it to be a legitimate site (because of the domain name ‘grammalry[.]org’), the user will be forwarded to the phishing page in the domain name ‘gramm-arly[.]com’. When a google ad is clicked, it generates a unique click id which is known as gclid or Google’s click ID, this id is valid only once, which is checked by the threat actor. If the gclid is valid, the threat actor checks for other parameters like the geolocation of the visitor, user agent, etc.
Once the attacker does this forwarding to the phishing site, the visitor can never see the “masquerAd” site ‘grammalry[.]org’ (Christian Heating & Air Conditioning) but only the phishing page, which exactly looks like the genuine Grammarly website.
This can make us wonder if this is a phishing site and why google is not taking any action on it, and the ads are promoted. This is because the threat actor creates a benign site (in the above case, ‘grammalry[.]org’) that will be promoted with the keyword, and it will be presented as a valid site in the eyes of a policy enforcer and crawlers visiting the site. Still, when these ‘disguised’ sites are visited by targeted users (people who actually click on the promoted ads), the server will immediately forward them to the rouge phishing site where they download malicious payloads.
Some examples of such cases where unrelated websites were created to mask the phishing activity are shown below.
These techniques make the work of attackers easy as they don’t have to search for a target as google itself promotes their ads and gets the victims. Thus, the attackers can put more effort into building their malicious payload. For Grammarly, the payload was not a simple stealer. It was a Raccoon Stealer Variant that could not be detected with simple security mechanisms. Some of their features include
- The malware is downloaded along with the legitimate Grammarly software, which makes it less noticeable.
- Bloated files- the executable file will be of large size by filling with bloated zeroed files just to make it difficult for security tools to detect.
- Periodically changing the payload.
This is how threat actors abuse Google Ads to deliver malware that leads to further exploitation.
Tips to Spot Fake Google Ads:
Google ads are ubiquitous and unavoidable. If you use Google and the internet, you should learn how to cope with such Malvertising techniques. We created this section to let you know some of the tips to spot fake Google Ads that help you protect your data on the internet.
- Cross-check the URL of the site. If you are downloading or purchasing anything from a page redirected from ads, it is always better to search for that site separately and verify if it is legitimate.
- Always inspect the page you have landed on after clicking the ad and check on the overall website quality and the ‘about us’ section. We can also check for social media handles. If these sections have spelling errors or any other red flags, try avoiding such sites.
- Be very suspicious about products that are hard to find. Scammers can easily target desperate victims.
- Avoid any kind of unbelievable offers which pops up in google ads.
- Avoid ads that show any traces of adult content, as this is the best way of luring the victims.
How Should You Protect Yourselves From Fake Google Ads?
Attackers are becoming much more creative as technology grows, and some basic security practices can always help us from falling into their trap. Human error is the reason behind 88% percent of security breaches in the world. Let’s see some of the best practices that help you learn how you should protect yourselves from fake Google ads.
- While browsing for a service, do not click on the first popped-up result if it’s a promoted ad. Usually, the legitimate site will be the one following the ads.
- Before clicking on any site, cross-check the URL for any typos.
- Do not provide sensitive information (card details, social security number, etc.) in a hurry, always pause and verify if you are giving your details in the correct place.
- Bookmark the sites which you are often using.
So, after knowing how attackers can scam you by placing malicious ads, a question will come to our mind are google ads safe? We can never give a ‘yes’ or ‘no’ answer to this. The blind trust in google mostly creates the damage. A proper mindset of not trusting anything from the internet can save us most of the time.