The Rising Threat of Search Engine Ad Abuse

April 9, 2024 | 3 min read

Omri Rosenzweig

Cyber Threat Intelligence Analyst, DRP


A new report from BlueVoyant finds that threat actors are using the ad infrastructure built into search engines to their advantage to phish unsuspecting users. This blog outlines the growing threat and how to protect yourself.

The use of malicious search engine ads is on the rise and poses a significant threat to internet users and companies worldwide. Rather than leading you to your bank’s login page, a link from an ad can lead to a phishing website or malware download, putting personal, financial, and corporate information at risk.

Since 2022, BlueVoyant threat analysts have tracked and investigated this elusive phishing trend, in which malicious search engine ads are used as distribution vectors, luring unsuspecting victims to phishing websites impersonating large financial institutions in the United States, United Kingdom, and Eastern Europe.

The magnitude of these attacks is alarming. BlueVoyant has helped to remove hundreds of phishing websites related to fraudulent search engine ads for clients in 2023 alone. That year, BlueVoyant observed a 28% increase in the creation of malicious ads and a 50% increase in the detection of large-scale campaigns, predominantly targeting North American financial institutions.

So, what are Search Engine Ads?

Search engines like Google, Bing, and Yahoo, with their easy-to-use interfaces and vast user bases, allow users to easily and efficiently find things online. Given their wide acceptance, it was only a matter of time before they became a target for cyber criminals.

Most search engines allow advertisers to promote their websites by displaying paid ads in the user's search results. Using simple, self-service, and readily available advertising tools, advertisers can pinpoint and reach their unique target audience based on multiple criteria, making their ads more effective and profitable. 

Most ads appear at the top of the search results, above the organic results, and are annotated as an advertisement. Typically, search engine advertisements consist of a title, description, and a link to the advertised website.  

Search engines have long been trusted, so users have historically had little reason to doubt the ads they see.

How Does this Kind of Phishing Work?

These fraudulent search engine ads are designed to appear benign, which makes them an effective phishing distribution mechanism. When an unsuspecting user types their financial institution’s name and “login,” or something similar, into the search engine, the ad they see may lead them to a fake login page. These fake websites can be used to steal login credentials, which could be reused for other accounts, including corporate ones, or to deliver malware downloads.

We have observed that when setting up a malicious ad campaign, threat actors utilize the various customization options available for advertisers. The settings allow them to display the ads only to specific users who meet predefined criteria, targeting the most vulnerable and profitable victim profiles while helping to evade detection.

To further avoid detection, threat actors employ unique session cookies for users redirected to the site from the ad. This makes it difficult for bots or security vendors to detect the phishing content. In addition, the phishing ads often link to lookalike domains of the impersonated brand, adding another layer of deception.

To execute these malicious ad campaigns, threat actors typically acquire compromised ad accounts from deep and dark web communities. They then craft tailor-made ad campaigns, register phishing websites, and implement additional evasion mechanisms before launching the ad campaign.

How Can You Protect Your Company and its Reputation?

We recommend that enterprises, especially financial institutions, monitor for suspicious search engine ads possibly impersonating the company’s brand, using various search keywords, user agents, and geolocations, in multiple search engines. Organizations should also report all fraudulent websites and associated ads.
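As an added illustration (not code from the BlueVoyant report), the sketch below triages ad observations collected by such monitoring, flagging ads whose link points to a lookalike of the brand's domain or whose text names the brand while linking elsewhere. The brand `examplebank`, its allow-list, the `AdObservation` fields, and all sample ads are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical brand and allow-list of its real domains; replace with your own.
BRAND = "examplebank"
LEGIT_DOMAINS = {"examplebank.com"}
# Digit-for-letter swaps folded before comparing (small, non-exhaustive set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

@dataclass
class AdObservation:  # one ad as seen for a given engine, geolocation and keyword
    engine: str
    geo: str
    keyword: str
    title: str
    link: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(ad: AdObservation) -> str:
    host = (urlsplit(ad.link).hostname or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    # Normalise each DNS label, then look for the brand or a near miss of it.
    labels = [l.translate(HOMOGLYPHS).replace("-", "") for l in host.split(".")]
    if any(BRAND in l or edit_distance(l, BRAND) <= 2 for l in labels):
        return "lookalike-domain"
    if BRAND in ad.title.lower().replace(" ", ""):
        return "brand-in-ad-text"  # brand named in the ad, unrelated landing host
    return "unrelated"

# Constructed sample observations (not real ads or domains).
SAMPLES = [
    AdObservation("engine-a", "US", "examplebank login", "ExampleBank Login", "https://www.examplebank.com/login"),
    AdObservation("engine-a", "US", "examplebank login", "ExampleBank - Sign In", "https://examp1ebank-login.example/"),
    AdObservation("engine-b", "GB", "example bank online", "Example Bank Online", "https://exampelbank.example/secure"),
    AdObservation("engine-b", "US", "examplebank login", "Example Bank Official", "https://offers.example.net/"),
]

def triage(ads):  # (verdict, ad) pairs that need analyst review and reporting
    return [(v, ad) for ad in ads if (v := classify(ad)) not in ("legitimate", "unrelated")]
```

Because it classifies on the ad's link and title alone, the check does not depend on the landing page serving its phishing content to the monitoring client.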

Enterprises should also raise awareness about the dangers of search engine ads among clients and employees and advise them to bookmark legitimate websites.

Organizations should consider working with a Digital Risk Protection vendor with ad detection and analysis capabilities to proactively detect and take down malicious search engine ads and their related phishing websites.

Been a victim of this or interested in being proactive in protecting your organization? Speak with a Digital Risk Protection specialist from BlueVoyant today. Let’s detect and take down malicious threat actors together.