Hackers hiding malicious links in top Google search results, researchers warn


Google users have been warned of a new malvertising campaign in which people searching for popular websites are instead redirected to scam sites by malicious adverts.

Searches for some of the most popular websites were found to produce adverts that had been crafted to appear as if they were legitimate links to the desired website, with some appearing as the first listing on a results page.

Websites mimicked by the threat actors include YouTube, Amazon, Facebook and Walmart, and in all cases appear to lead to a browser locker website where users are given scam warnings to call Microsoft support, or fake alerts from Windows Defender, according to researchers at Malwarebytes.

Malvertising, or the practice of hiding malware payloads behind online adverts, typically occurs on websites in more obvious ways, such as advertising that promises users free products or cash prizes.

In this case, however, researchers noted the sophistication of the campaign, with an example of a Facebook malvertising link containing no obvious discrepancies that might alert a user to its illegitimate nature.

However, because the malvertising uses Google Ads as its platform, it is still denoted as an advert with bold text in the top-left corner reading ‘Ad’. This allows discerning users to at least identify that it is not a direct link to the website they were searching for, although this still does not reveal its malicious nature.

Researchers also noted that the redirect mechanism used by the threat actors is complex enough to make it difficult to ascertain where the advert will send would-be victims through HTML analysis.

Upon clicking on the advert, the page the user is sent to will either redirect to the legitimate website as a ‘decoy’, or load a secondary script where the malicious URL is found.

This is then loaded within an inline frame, an HTML element that loads a page within another. This has the effect of replacing the page with the scam element, but the user is not actually redirected a second time.

In this way, the URL of the malicious browser locker page is hidden from the user, whose address bar only ever shows the intermediate .com ‘cloaking domain’ (in the case observed by Malwarebytes Labs, this was named ‘shopmealy’).
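The mechanism described above (a cloaking page that either forwards to the real site or swallows a cross-origin scam page inside a viewport-filling inline frame) can be screened for on the defender's side. The script below is an added example, not code from the article or from Malwarebytes: it parses a landing page's HTML, lists every `<iframe>`, flags those that are both cross-origin and sized to cover the whole page, and separately reports `<meta http-equiv="refresh">` decoy redirects. All three sample pages and their domains (`shop.example.com`, `locker.example.net`, `video.example.org`) are constructed for illustration.

```python
"""Static screen for iframe-based cloaking on an ad landing page.

Added example (not the article's or Malwarebytes' code). Sample HTML and
hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect <iframe> tags and <meta refresh> directives from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []        # list of attribute dicts, one per <iframe src=...>
        self.meta_refresh = []   # content values of <meta http-equiv="refresh">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names for us
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")


def _fills_viewport(attrs):
    """True if the frame is styled or sized to cover the whole page."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    by_style = "width:100%" in style and "height:100%" in style
    by_attr = attrs.get("width") == "100%" and attrs.get("height") == "100%"
    return by_style or by_attr


def analyse_landing_page(page_url, html):
    """Return a dict describing iframes, meta redirects and an overall verdict.

    verdict is one of:
      "iframe-cloaking"  a cross-origin, viewport-filling iframe was found
      "meta-redirect"    no such iframe, but the page forwards elsewhere
      "clean"            neither pattern present
    """
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)

    findings = []
    for frame in parser.iframes:
        src = frame["src"]
        src_host = urlparse(src).hostname
        cross_origin = src_host is not None and src_host != page_host
        fullscreen = _fills_viewport(frame)
        findings.append({
            "src": src,
            "cross_origin": cross_origin,
            "fullscreen": fullscreen,
            "suspicious": cross_origin and fullscreen,
        })

    if any(f["suspicious"] for f in findings):
        verdict = "iframe-cloaking"
    elif parser.meta_refresh:
        verdict = "meta-redirect"
    else:
        verdict = "clean"

    return {
        "host": page_host,
        "iframes": findings,
        "meta_refresh": parser.meta_refresh,
        "verdict": verdict,
    }


# --- constructed sample pages -------------------------------------------------
CLOAKED_PAGE = """<html><body style="margin:0">
<iframe src="https://locker.example.net/alert.html"
        style="position:fixed; top:0; left:0; width:100%; height:100%; border:0"></iframe>
</body></html>"""

DECOY_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=https://www.example.com/">
</head></html>"""

BENIGN_PAGE = """<html><body><h1>Store</h1>
<iframe src="https://video.example.org/embed/123" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("cloaked", CLOAKED_PAGE), ("decoy", DECOY_PAGE), ("benign", BENIGN_PAGE)]:
        result = analyse_landing_page("https://shop.example.com/", page)
        print(name, "->", result["verdict"])
```

This only catches frames that are present in the static HTML. A cloaking page that builds the frame from a secondary script, as the article describes, shows nothing to a plain parser, which is exactly why the researchers found HTML analysis insufficient; for those pages the same check has to run against the DOM after rendering in a headless browser, and the `verdict` logic above can be reused unchanged on the rendered markup.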

The fact that the adverts are listed on the search results before even some of the most popular websites in the world implies that the threat actors are willing to pay money in order to perpetrate the scam, which would be necessary in order to target keywords of such popularity.

Moreover, researchers found that the threat actors had separated the cloaking flow from the browser locker flow, so that a takedown of one part would not bring down the whole operation, and used a mixture of expensive and free domains. The malvertising infrastructure also appears to have been hosted on both paid virtual private servers and free cloud platform (PaaS) providers.

“Google's proprietary technology and malware detection tools are used to regularly scan all creatives,” reads the Google support page on malware in advertising.

“Fourth-party calls or sub-syndication to any uncertified advertisers or vendors are forbidden. Any ad distributing malware is pulled to protect users from harm. Any Authorized buyer whose creative is found to contain malware is subject to a minimum three-month suspension.”

Malwarebytes Labs have stated that all necessary reports have been filed to notify Google of the adverts, and researchers reported every such advert under the label ‘An ad/listing violates other Google Ads policies’.

IT Pro has contacted Google for comment.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.