Malvertising has been out of control in 2023, and Google needs to do more to stop it

Google must do more to combat malvertising in the year ahead following a significant increase in the volume of malicious ads, experts have told ITPro.

Threat actors have ramped up the tactic of using search ads disguised as popular software such as OBS or VLC Player to inject malware onto users’ systems, and Google appears to be struggling to put a stop to it.

The scale of the issue has prompted some analysts to suggest using an ad blocker is now essential for safe web browsing.

New research from Malwarebytes revealed an increase in the number of malicious ads being served in Google search results. The research focused on malicious ads for the popular video conferencing software Zoom.

Jérôme Segura, Malwarebytes’ senior director of threat intelligence, said threat actors were using new services to evade Google’s detection systems.

The hackers were found to be using tracking templates to cloak the redirection mechanisms in their ads, a technique that uses legitimate marketing platforms to redirect to custom domains that contain malware.

Segura could not confirm the number of users who may have fallen for these malicious Zoom ads, but based on their position and number, the number of victims is likely to be substantial.

Malicious ads for the communication platform Slack were also found to lead to the PikaBot malware in a separate investigation by Malwarebytes. 

The report notes PikaBot was previously distributed only via ‘malspam’ campaigns, where users are bombarded with spam emails containing malware.
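For defenders, the cloaked redirection described above can be checked from web-proxy logs by comparing the domain an ad displayed with the site the click chain actually ended on. The sketch below is an added example, not code from Malwarebytes or Google; the log records, host names and the `site_of`, `review_click` and `flag_mismatches` helpers are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: ad clicks reconstructed from web-proxy logs. Each record
# holds the domain shown in the ad and the ordered URLs the browser requested.
# All hosts are placeholders under the reserved .example and .test names.
CLICKS = [
    {"display": "zoom.example",
     "chain": ["https://ads.search.example/aclk?id=1",
               "https://zoom.example/download"]},
    {"display": "zoom.example",
     "chain": ["https://ads.search.example/aclk?id=2",
               "https://track.marketing.example/r?u=abc",
               "https://zoom-installer.test/get"]},
    {"display": "slack.example",
     "chain": ["https://ads.search.example/aclk?id=3",
               "https://www.slack.example/downloads"]},
]

def site_of(host):
    """Last two labels of a hostname. Simplification (assumption): production
    code should use the Public Suffix List to find the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def review_click(click, ad_network_sites=("search.example",)):
    """Compare the advertised site with where the redirect chain ended."""
    hosts = [urlsplit(u).hostname or "" for u in click["chain"]]
    shown = site_of(click["display"])
    landing = site_of(hosts[-1])
    # Intermediaries: hops before the landing page that belong neither to
    # the ad network nor to the advertised site (e.g. marketing redirectors).
    middle = [site_of(h) for h in hosts[:-1]
              if site_of(h) not in ad_network_sites and site_of(h) != shown]
    return {"display": shown, "landing": landing,
            "intermediaries": middle, "mismatch": landing != shown}

def flag_mismatches(clicks):
    """Return only the clicks whose landing site differs from the ad's."""
    return [r for r in map(review_click, clicks) if r["mismatch"]]

if __name__ == "__main__":
    for r in flag_mismatches(CLICKS):
        print(f"ad showed {r['display']} but landed on {r['landing']} "
              f"via {r['intermediaries'] or 'no intermediary'}")
```
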

The scale and frequency of the problem led Will Dormann, senior vulnerability analyst at CERT, to recommend that all users use ad blockers as part of a robust security posture.

“When you see an ad in a Google search result the domain name shown is in no way guaranteed to be what site you’ll end up on if you click the link. 1) NEVER EVER click on a Google ad link. 2) Using an ad blocker is good security hygiene. Not something to feel guilty about”.

Javvad Malik, lead security awareness advocate at KnowBe4, told ITPro the tech giant needs to ramp up efforts to combat this attack method and preserve trust for users. 

“Malvertising preys on users’ trust and the assumption that a search engine like Google is a safe starting point to navigate the web,” he said.

“While ad blockers do provide an additional layer of security, it's imperative that organizations like Google reinforce their defenses against such abuses to maintain user trust.”

Malik said Google and other search engine providers “have a responsibility to step up their game” in light of this year’s torrent of malvertising incidents.

“It's not just about filtering ads; it's about actively engaging in threat detection in real time. The Dynamic Search Ads system should incorporate more robust verification processes to identify and block malicious ads before they reach the user. Regular audits of ad content and the advertisers' authenticity would also help root out criminals looking to post ads.”

What is being done to combat the torrent of malvertising?

Google has a number of measures in place to prevent malvertising, but it is clear these measures are inadequate in the face of ever more sophisticated attack methods. 

Google already verifies the identity of advertisers, but as Segura noted in his report, this system is failing to detect threat actors using fake personas to impersonate popular brands. 

An additional factor contributing to this crisis is the inadvertent malvertising caused by the Dynamic Search Ads (DSA) program, where Google automatically generates adverts for companies based on the content of their websites.

In a recent case, Google’s DSA system was found to have automatically created an advert listing for a compromised site that contained malware. 

Pages on the website of a wedding planning company were compromised, with threat actors changing metadata on a number of pages and injecting them with malware.

An advert campaign, legitimately paid for by the website owner, ended up serving ads for the popular Python development environment PyCharm but with content snippets still related to the wedding planning business. 

As the campaign was legitimately acquired and the advert linked back to the correct website (despite being compromised), this case was not detected by Google.

Solomon Klappholz
Staff Writer
