Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience.
What is perhaps less known is how it is even possible to impersonate top brands and get away with it. We will try to respond to the ‘how they do it’ and the ‘why is Google allowing this’ questions.
Such malvertising attacks are not new and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive the point home that this needs to be addressed just like other types of fraud or malware.
We have reported the malicious advertiser to Google, but at the time of publishing this campaign was still on.
Malicious ad campaign for Facebook
Justin Poliachik did what many people would do, he opened up a Google search, typed facebook and clicked on the top result. In the video below, he summarizes what happened next:
Thanks to Justin for the shoutout to our blog and explaining what went down! Not sure if Justin was joking, but we don’t believe AI is going to fix malvertising, at least not for the next little while. Instead, we are going to look into more details about one particular technique. In our view, this is actually where the abuse happens the most, and where things could be improved.
Two paths make cloaking
As we said, Google seems to have a problem with brand impersonation that may not be easy to solve. We have reported such cases several times before with pretty much the same techniques.
How can Google differentiate a legitimate affiliate from a malicious actor? There are a number of data points about the advertiser via their account: user profile, payment method, budget, etc. We are not privy to those details, but they can certainly help when it comes to fraud.
More importantly, there is the ad itself: vanity URL, display text, tracking template, final URL. What happens when you click on the ad? Are you actually redirected to the URL claimed in the ad? This is a feature that appears to be so easy to abuse, and yet remains unfixed.
In the video below, we walk you through the classic tale of cloaking:
Cloaking is an old technique and in many ways can be used for legitimate purposes. After all, one needs to be able to detect real humans and not bots or crawlers for their hard-earned ad dollars budget.
Threat actors have long identified such services as very helpful tools for their malicious campaigns. True, they, like others don’t want robots, but they also don’t want Google’s scanners or security researchers to expose their malicious schemes.
Under the hood
This part is a little more technical, but integral in understanding how malvertising works. As mentioned in the video above, cloaking allows to deliver two different experiences. Genuine humans can be detected from a number of factors: IP address, browser fingerprinting, etc.
A click tracking service can be used to analyze traffic, collect data, etc. All in all, such services are useful in and of themselves, but they can also easily be abused by bad actors. Within the Google ad ecosystem, advertisers will place their URL as a tracking template, and the rest will be handled outside of Google.
One thing that’s interesting is how scammers will abuse the click tracking service as well! All they have to do is redirect to another “legitimate” domain they control and from there decide on the final destination URL.
We can see in the image below that final redirect, which is either the scam page or the actual Facebook site:
Safeguarding your online experience
We have seen these malicious ads for years and years. It would be unfair to say that no action has ever been taken, but there is room for improvement. Individual reports from victims are not always actioned based on our experience and that of others. This is frustrating because it appears as if those individual experiences do not matter in the grander scheme of things.
Security vendors also struggle with these scams. Chasing infrastructure from one host to the next or having trouble blocking URLs that abuse legitimate providers is a real thing.
As a user you can protect yourself in various ways:
- Beware of sponsored results
- Block ads altogether
- Recognize scam pages as fake
If you want the piece of mind and have all this covered for you, download our Malwarebytes Browser Guard extension available for different browsers.