
Hackers hiding malicious links in top Google search results, researchers warn

Malicious adverts crafted to look like links to some of the world’s most popular websites are appearing above the genuine search results


Google users have been warned of a new malvertising campaign in which people searching for popular websites are instead redirected to scam sites by malicious adverts.

Searches for some of the most popular websites were found to produce adverts that had been crafted to appear as if they were legitimate links to the desired website, with some appearing as the first listing on a results page.

Websites mimicked by the threat actors include YouTube, Amazon, Facebook and Walmart, and in every case the advert appears to lead to a browser locker page that shows fake warnings urging users to call Microsoft support, or fake Windows Defender alerts, according to researchers at Malwarebytes.

Malvertising, the use of online adverts to deliver malware or scams, is usually far more obvious, for example adverts that promise users free products or cash prizes.

In this case, however, researchers noted the sophistication of the campaign: an example Facebook advert contained no obvious discrepancy that might alert a user that it was not the genuine site.

However, because the campaign uses Google Ads as its platform, each listing is still marked as an advert by bold text reading ‘Ad’ in its top-left corner. A careful user can at least tell that it is not a direct link to the website they searched for, although the label says nothing about whether the advert is malicious.

Researchers also noted that the redirect mechanism used by the threat actors is complex enough that examining the HTML of the landing page alone does not reveal where the advert will send would-be victims.

After the advert is clicked, the page the user lands on either redirects to the legitimate website as a ‘decoy’, or loads a secondary script, and it is in that script, not in the page itself, that the malicious URL is found.

The malicious page is then loaded inside an inline frame (iframe), an HTML element that embeds one page within another. The visible content is replaced by the scam page, but the browser is never navigated a second time.

In this way, the URL of the browser locker page is hidden from the user, whose address bar only ever shows the intermediate .com ‘cloaking domain’ (in the case Malwarebytes Labs analysed, this was named ‘shopmealy’).
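One way to model the chain just described, as an added example rather than code from Malwarebytes or this article, is a small JavaScript resolver that follows the landing page into its secondary script and reports where the victim actually ends up and what remains in the address bar. The hosts cloak.example and locker.example, the landing HTML, both script bodies and the fetchScript stub are constructed stand-ins, not the campaign’s real infrastructure.

```javascript
// Added example, not code from Malwarebytes or IT Pro: a resolver for the
// two-stage cloak -> browser-locker chain described above. Every host, path
// and script body here is a constructed stand-in for the real campaign.

// Constructed first hop. The cloaking page names no destination at all; it
// only references a secondary script, so reading this HTML reveals nothing.
const CLOAK_URL = 'https://cloak.example/fb';
const LANDING_HTML =
  '<html><body><script src="/s.js"></script></body></html>';

// Constructed secondary scripts: one is the decoy (a genuine top-level
// redirect to the impersonated site), the other plants the locker page in
// a full-viewport iframe without navigating the browser again.
const DECOY_SCRIPT = "location.replace('https://www.facebook.com/');";
const LOCKER_SCRIPT =
  "var f=document.createElement('iframe');" +
  "f.src='https://locker.example/alert.html';" +
  "f.style='position:fixed;top:0;left:0;width:100%;height:100%;border:0';" +
  "document.body.appendChild(f);";

// Collect external script URLs from a page. Static analysis of the first
// hop stops here because the HTML itself carries no destination.
function findScriptSources(html) {
  const out = [];
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Decide what a secondary script does to the page: a top-level navigation
// changes the address bar, an injected iframe does not.
function classifyScript(js) {
  const nav = js.match(
    /location(?:\.href\s*=|\.replace\s*\(|\.assign\s*\()\s*["']([^"']+)["']/
  );
  if (nav) {
    return { mechanism: 'redirect', destination: nav[1], addressBarChanges: true };
  }
  const framed = /createElement\(\s*["']iframe["']\s*\)/i.test(js) &&
    js.match(/\.src\s*=\s*["']([^"']+)["']/);
  if (framed) {
    return { mechanism: 'iframe', destination: framed[1], addressBarChanges: false };
  }
  return { mechanism: 'unknown', destination: null, addressBarChanges: false };
}

// Follow the chain from the landing page through its scripts. `fetchScript`
// stands in for an HTTP fetch so that the example runs offline.
function resolveChain(landingUrl, landingHtml, fetchScript) {
  const landingHost = new URL(landingUrl).host;
  for (const src of findScriptSources(landingHtml)) {
    const scriptUrl = new URL(src, landingUrl).href;
    const verdict = classifyScript(fetchScript(scriptUrl));
    if (verdict.mechanism === 'unknown') continue;
    return {
      ...verdict,
      scriptUrl,
      // What the victim sees in the address bar once the chain completes.
      displayedHost: verdict.addressBarChanges
        ? new URL(verdict.destination).host
        : landingHost,
    };
  }
  return { mechanism: 'none', destination: null, addressBarChanges: false,
           scriptUrl: null, displayedHost: landingHost };
}

// Stand-alone demonstration: same landing page, two different second stages.
const decoyResult = resolveChain(CLOAK_URL, LANDING_HTML, () => DECOY_SCRIPT);
const lockerResult = resolveChain(CLOAK_URL, LANDING_HTML, () => LOCKER_SCRIPT);
console.log('decoy :', decoyResult);
console.log('locker:', lockerResult);
```

The resolver makes the article’s point concrete: the landing HTML contains no destination, so a check of the first hop alone is blind, and only after fetching the script does the chain show either a top-level redirect (the address bar changes to the decoy site) or an iframe (the address bar stays on the cloaking domain while the locker page fills the viewport). In a real investigation fetchScript would be an HTTP client that replays the victim’s browser characteristics, because cloaking is built to hand the decoy branch to anything that does not look like a victim.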

The fact that the adverts are listed above some of the most popular websites in the world implies that the threat actors are willing to spend money to run the scam, since bidding on keywords of that popularity is expensive.


Moreover, researchers found that the threat actors had kept the cloaking infrastructure and the browser locker infrastructure separate, so that a takedown of one part does not remove the whole operation, and had used a mixture of paid and free domains. The infrastructure also appears to have been hosted on both paid virtual private servers and free cloud platform (PaaS) providers.

“Google's proprietary technology and malware detection tools are used to regularly scan all creatives,” reads the Google support page on malware in advertising.

“Fourth-party calls or sub-syndication to any uncertified advertisers or vendors are forbidden. Any ad distributing malware is pulled to protect users from harm. Any Authorized buyer whose creative is found to contain malware is subject to a minimum three-month suspension.”

Malwarebytes Labs said it has reported every such advert to Google, filing each one under the label ‘An ad/listing violates other Google Ads policies’.

IT Pro has contacted Google for comment.
