The FBI said that in 2022, phishing took the top spot as the most reported cybercrime by a wide margin. While scammers using deceptive e-mails and SMS messages to trick victims is nothing new, the FBI has also warned that cybercriminals are impersonating brands in search engine ads to defraud consumers. In these scams, the fake ad exists only to get consumers to click through to a phishing site, where the scammer hopes to trick the visitor into divulging credentials, identity information, or payment data.
In general, people tend to trust Google's search ads and results, assuming they go through some sort of vetting. This is a myth. We don't think Google is doing enough to proactively prevent this fraud from occurring on its platform.
In this article we'll explain the threat, share examples we've helped customers mitigate, argue that Google isn't doing enough to address the issue, and describe what brands should do in the meantime.
Google ads are online advertisements presented to a search engine user based on what they type into the search field. In the image below, you’ll see a number of Google ads displayed for a search of “best electric lawnmower.”
Which ads end up displaying to a Google user is determined by advertisers bidding on certain keywords. In the electric lawnmower example you'll see ads carrying the Greenworks, EGO, Walmart, Lowe's and Ace Hardware brand names. While Google says other variables affect which ads are shown when, the highest bids probably have an outsized effect on which ads are displayed.
Interestingly, Google allows people to bid on a brand name as a keyword even if they don't own the trademark or have any affiliation with the brand. For example, you'll see a vendor's ads appear when you search for one of its competitors.
While competitors bidding on your brand name can be frustrating, even worse are scammers bidding on your brand name. It’s as if not only is Google happy to pocket the proceeds of a bidding war between you and your competitors, they’re also happy to pocket the greater proceeds resulting from inviting yet another party to that bidding war – scammers!
We want to explode a myth to help both brands and consumers protect themselves – Google isn’t doing as much as you think to make sure that the ads they present on their search engine results are safe or legitimate. We know this because we’ve seen multiple examples of Google ads posing as trusted brands but directing anyone that clicks on them to malicious sites set on stealing credentials, payment information, or identity data.
Scammers have realized that thanks to Google’s trademark policies, they are able to bid on any keywords they want with as much influence over placement as any brand – as long as their pockets are deep enough.
At Allure Security we’ve seen at least two Google Ad abuse scenarios play out.
To start, scammers publish a website at the domain intended to receive the ad's traffic. If you type that URL into your browser and visit the site without having clicked on a Google ad, you're greeted with benign content (e.g., content about "thingies" in our example in the image below).
However, when the Google ad pointing at the same URL is clicked, Google appends a Google Click ID (GCID, carried in the gclid query parameter) to the URL. The malicious site recognizes the appended click ID and redirects the visitor to a scam site impersonating the brand they searched for.
Showing benign content when the site is visited directly (rather than via the ad) appears to be enough to get past Google's ad review.
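The cloaking described above can be checked for from the outside: fetch the landing URL once as a user would type it and once with a gclid parameter appended the way an ad click carries it, follow the redirects of each visit, and flag the URL if the two visits end on different hosts. The script below is an added example written for this article, not code from Allure Security or from the original post. The hosts (thingies.example, login-examplebank.example), paths and the gclid value are all constructed for illustration, and fake_fetch stands in for the scam server so the check runs offline; live_fetch is the equivalent real fetcher and performs network I/O.

```python
"""Detect gclid-conditioned cloaking on an ad landing URL (added example)."""
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit


def add_query_param(url, key, value):
    """Return url with key=value appended to (or replacing) its query string."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[key] = value
    return urlunsplit(parts._replace(query=urlencode(params)))


def follow_redirects(fetch, url, max_hops=10):
    """Follow HTTP redirects by hand and return the list of URLs visited.

    fetch(url) must return (status, headers, body) WITHOUT following
    redirects itself, with header names lower-cased.
    """
    chain = [url]
    for _ in range(max_hops):
        status, headers, _body = fetch(chain[-1])
        location = headers.get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise RuntimeError("too many redirects: " + " -> ".join(chain))


def check_cloaking(url, fetch, gclid="EAIaIQobChMI-constructed"):
    """Compare a direct visit with an ad-click-style visit of the same URL.

    The gclid value is a constructed placeholder; any non-empty value works
    against a site that only tests for the parameter's presence.
    """
    direct = follow_redirects(fetch, url)
    tagged = follow_redirects(fetch, add_query_param(url, "gclid", gclid))
    direct_host = urlsplit(direct[-1]).netloc.lower()
    tagged_host = urlsplit(tagged[-1]).netloc.lower()
    return {
        "direct_chain": direct,
        "tagged_chain": tagged,
        "cloaked": direct_host != tagged_host,  # ad click lands elsewhere
    }


# Constructed stand-in for the scam server described in the article.
SCAM_HOST = "thingies.example"            # benign "thingies" site when visited directly
PHISH_HOST = "login-examplebank.example"  # brand-impersonating page (constructed)


def fake_fetch(url):
    """Behave like the cloaking server: redirect only when a gclid is present."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.netloc == SCAM_HOST:
        if "gclid" in params:
            return 302, {"location": f"https://{PHISH_HOST}/secure/login"}, b""
        return 200, {}, b"<h1>All about thingies</h1>"
    if parts.netloc == PHISH_HOST:
        return 200, {}, b"<form>Sign in to Example Bank</form>"
    return 404, {}, b""


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=15):
    """Real fetcher for use against the internet (not exercised offline)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:  # 3xx surfaces here with redirects disabled
        return err.code, {k.lower(): v for k, v in err.headers.items()}, b""


if __name__ == "__main__":
    result = check_cloaking(f"https://{SCAM_HOST}/", fake_fetch)
    print("direct:  ", " -> ".join(result["direct_chain"]))
    print("ad click:", " -> ".join(result["tagged_chain"]))
    print("cloaking suspected:", result["cloaked"])
```

Against the constructed server the direct visit stays on thingies.example while the gclid-tagged visit ends on login-examplebank.example, so the URL is flagged. Two caveats for real use: cloaking kits may also key on the Referer header, the User-Agent, or JavaScript executed in the browser, none of which this plain HTTP check reproduces, and a clean result therefore proves nothing; and a legitimate site may send ad traffic to a campaign subdomain, so a host mismatch is a lead to investigate, not a verdict.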
Hat-tip to Guardio Labs for a great rundown of other examples of the “MasquerAds” threat that uses the GCID.
In many cases Google won't restrict (or even investigate) the use of trademarks in keywords. Anybody can bid on your brand name as a keyword, be it a competitor or a fraudster targeting your customer base; it's all fair play according to Google:
This suggests that Google will not proactively stop a scammer from using your brand name in the subdomain, second-level domain, or path of the URL displayed in a fraudulent ad. They might act on a brand name in a subdomain, but only after you complain about it, and you need to see the ad in the first place in order to report it.
The advertising industry does have very small margins so perhaps they’ve decided additional vetting isn’t worth the extra cost.
As far as we can tell, Google does next to nothing to proactively address this issue, which seems to run against its own interest. As more consumers become aware of this attack vector, their trust in and clicks on Google ads will plummet. Google ads will quickly lose value, and brands won't bother using them if consumers don't trust them.
Now we’re not advocating for Google to implement draconian trademark enforcement actions to stop consumers and others from using brand names they don’t have rights to. But doesn’t it seem reasonable to ask for a bit more due diligence to ensure they’re not letting scammers use trademarks to defraud people that use Google?
If potential customers looking for your brand engage with a phony sponsored ad and fall victim – many of them will blame, lose trust in, and ultimately, leave your brand. These ads can cause irreparable reputation damage for brands online.
As fraudsters continue to bid on keywords relevant to your brand, your customer acquisition costs rise with them. Because scammers both drive up keyword prices and poison the results, your digital marketing spend buys less even as it costs more. Consumers lose trust in the ads they see and click less frequently. Consumers who do click on a fake ad are directed to a scam website, and your opportunity to engage with those prospects is lost.
So, what is a brand to do?
In addition to general online brand protection best practices, take the following steps to mitigate the risk of fraudulent Google ads targeting your brand and customers:
Posted by Sam Bakken