Cybersecurity researchers are warning about a troubling rise in “malvertising”—the use of online ads to deploy malware, phishing scams, and other attacks.
A report from Malwarebytes found that malvertising incidents in the U.S. surged 42% last fall.
The prime target? Unsuspecting users conducting searches on Google.
Jérôme Segura, senior director of research at Malwarebytes, warns:
“What I’m seeing is just the tip of the iceberg. Hackers are getting smarter and the ads are often so realistic that it’s easy to be duped.”
Poisoned Paid Promotions
The schemes frequently involve cybercriminals purchasing legitimate-looking sponsored ad listings that appear at the top of Google search results.
Clicking these can lead to drive-by malware downloads or credential phishing pages spoofing major brands like Lowe’s and Slack.
Segura said of one recent phishing attack that spoofed a Lowe’s employee portal:
“You see the brand, even the official logo, and for you it’s enough to think it’s real.”
Undermining User Trust
Part of what makes these malvertising attacks so dangerous is that they hijack and undermine users’ trust in Google as an authoritative search source.
Stuart Madnick, an information technology professor at MIT, notes:
“You see something appearing on a Google search, you kind of assume it is something valid.”
The threats don’t end with poisoned promotions, either. Malicious ads can also sneak through on trusted websites.