Google Ads as Phishing Hooks for Fraud pmiquel April 20, 2024

According to the Federal Bureau of Investigation, in 2022 phishing was the most reported cybercrime by a wide margin. Scammers using deceptive e-mails and SMS messages to trick victims is nothing new, but the FBI has also warned that cybercriminals are impersonating brands in search engine ads to defraud consumers. In these scams, the fake ad exists only to get a consumer to click on it. The click takes them to a phishing site, where the scammer hopes to get the visitor to divulge credentials, identity information, or payment data.

In general, people tend to trust search ads and results from Google, assuming they go through some sort of vetting. This is a myth. We don’t think Google is doing enough to proactively prevent this fraud from occurring on its platform.

In this article we’ll explain the threat, share examples we’ve helped customers mitigate, argue that Google isn’t doing enough to address the issue, and recommend what brands should do in the meantime.

UNDERSTANDING THE THREAT

Why have scammers been able to use Google Ad phishing as a tool for fraud?

Google ads are online advertisements presented to a search engine user based on what they type into the search field. In the image below, you’ll see a number of Google ads displayed for a search of “best electric lawnmower.”

A screen shot of Google search results for “best electric lawnmowers” highlighting the Google ads displayed on the page.

Which ads are displayed to a Google user is determined by advertisers bidding on certain keywords. In the electric lawnmower example you’ll see ads carrying the Greenworks, EGO, Walmart, Lowe’s and Ace Hardware brand names. While Google says other variables affect which ads are shown and when, the highest bids probably have an outsized effect on which ads are displayed.

Interestingly, Google allows people to bid on a brand name as a keyword even if they don’t own the trademark or have any affiliation with the brand. For example, you’ll see ads from a vendor appear when you search for one of its competitors.

While competitors bidding on your brand name can be frustrating, scammers bidding on your brand name is far worse. Google is not only happy to pocket the proceeds of a bidding war between you and your competitors; it is also happy to pocket the larger proceeds that result from inviting yet another party into that bidding war: scammers.

EXPLODING A MYTH

Google isn't doing as much as you think to make sure the ads they present on their search engine results are safe or legitimate

We want to explode a myth to help both brands and consumers protect themselves: Google isn’t doing as much as you think to make sure that the ads it presents in search results are safe or legitimate. We know this because we’ve seen multiple examples of Google ads posing as trusted brands but directing anyone who clicks on them to malicious sites built to steal credentials, payment information, or identity data.

Scammers have realized that thanks to Google’s trademark policies, they are able to bid on any keywords they want with as much influence over placement as any brand – as long as their pockets are deep enough. 

How Do Scammers Exploit Google Ads for Fraud?

At Allure Security we’ve seen at least two Google ad phishing scenarios play out.

  • The first is relatively straightforward: a scammer creates an ad impersonating a trusted brand, bids on that brand’s name as a keyword, and sends anyone who clicks the ad to a phishing site.
  • In the second, the scammer puts a bit more work into the scheme in order to evade detection, serving different content depending on whether the request carries a Google Click ID.

To start, scammers publish a website at the domain intended to receive the ad’s traffic. If you type that URL into your browser and visit the site without having clicked on a Google ad, you’ll be greeted with benign content (in our example in the image below, content about “thingies”).

However, if the Google ad containing the same URL is clicked, a Google Click ID (GCLID, the `gclid` query parameter) is appended to the URL. The malicious site recognizes the appended GCLID and redirects the visitor to the scam site impersonating the brand they searched for.

The display of the benign content if the website is visited directly (vs. by clicking on the ad) seems to be enough to circumvent Google’s ad review.
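The following is an added example, not code from the Allure Security post. It models the GCLID cloaking described above in-process (a server that serves benign content unless the request carries a `gclid` parameter, in which case it redirects) and pairs it with the check a brand-protection analyst would run against a suspicious landing page: fetch the URL bare, fetch it again with a synthetic `gclid`, and compare the two responses without following redirects. The hostnames, the `Response` type and the `PROBE0000` token are assumptions made up for this example.

```python
# Added example (not from the original post): constructed model of gclid-triggered
# ad-landing-page cloaking, plus a probe that detects it by requesting the landing
# URL with and without a synthetic Google Click ID.
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    location: Optional[str]  # value of the Location header on a redirect, else None
    body: str


# Hypothetical hosts; neither is a real site.
LANDING_URL = "https://thingies-info.example/"
PHISH_URL = "https://secure-login.examplebank-verify.example/"
BENIGN_BODY = "<html><body><h1>All about thingies</h1></body></html>"


def cloaked_landing_page(url: str) -> Response:
    """Model of the scammer's server: a request carrying a gclid parameter (what
    Google appends when the ad is clicked) is redirected to the phishing page;
    any other request, such as a reviewer typing the URL in, gets benign content."""
    params = parse_qs(urlsplit(url).query)
    if "gclid" in params:
        return Response(302, PHISH_URL, "")
    return Response(200, None, BENIGN_BODY)


def honest_landing_page(url: str) -> Response:
    """Control case: a server that serves the same page with or without a gclid."""
    return Response(200, None, BENIGN_BODY)


def with_gclid(url: str, token: str = "PROBE0000") -> str:
    """Return url with a synthetic gclid added, preserving any existing query
    parameters and fragment."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["gclid"] = [token]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def probe_for_cloaking(url: str, fetch: Callable[[str], Response]) -> dict:
    """Fetch the landing URL bare and with a gclid (redirects must NOT be
    followed by `fetch`) and report whether the server treats the two requests
    differently. `fetch` is injected so the same probe runs against the
    in-process models here or against a real HTTP client."""
    bare = fetch(url)
    clicked = fetch(with_gclid(url))
    differs = (
        bare.status != clicked.status
        or bare.location != clicked.location
        or bare.body != clicked.body
    )
    off_site = None
    if clicked.location and urlsplit(clicked.location).netloc != urlsplit(url).netloc:
        off_site = clicked.location  # the "clicked" request leaves the advertised domain
    return {
        "cloaked": differs,
        "bare_status": bare.status,
        "clicked_status": clicked.status,
        "redirect_target": off_site,
    }


if __name__ == "__main__":
    for name, server in (("cloaked", cloaked_landing_page), ("honest", honest_landing_page)):
        print(name, probe_for_cloaking(LANDING_URL, server))
```

To run the probe against a live landing page, pass a `fetch` that issues the request with redirects disabled (for example `requests.get(url, allow_redirects=False)`) and maps the status, `Location` header and body onto `Response`. The model above keys only on the `gclid` trigger this post describes; cloaking servers can also condition on the `Referer`, `User-Agent` or client IP, so a thorough probe should vary those as well rather than trusting a single bare-versus-gclid comparison.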

A recreation of an observed Google ad displayed for a search of a financial institution’s brand name, which then redirects to a phishing page impersonating that institution.

Why Can’t Brands Count on Google to Stop Scammers from Impersonating Them in Ads?

In many cases Google won’t restrict (or even investigate) the use of trademarks in keywords. Anybody can bid on your brand name as a keyword – be it a competitor or a fraudster targeting your customer base – it’s all fair play according to Google:

  • “In response to trademark owner complaints, we may restrict the use of trademarks in ad text.”
  • “We don’t investigate or restrict trademarks as keywords”
  • “We may restrict trademarks from appearing in the subdomains of display URLs.”
  • “We don’t investigate or restrict trademarks in the second-level domains or post-domain paths of display URLs.”

Taken together, this means Google will not stop a scammer from bidding on your brand name as a keyword, or from using it in the second-level domain or post-domain path of the URL displayed in a fraudulent ad. Google might restrict your brand name in the ad text or in a subdomain, but only if you complain, and you have to see the ad in the first place in order to report it.

“So it’s up to every business to monitor the impossible to monitor Google ad space. And then to bear the cost of dealing with Google.”

– Allure CEO, Josh Shaul

The advertising industry runs on thin margins, so ad platforms may choose not to invest in additional vetting because of the extra cost.

As far as we can tell, Google does next to nothing to proactively address this issue, which seems counterintuitive. As more consumers become aware of this attack vector, their trust in Google ads, and their clicks on them, will fall. Google ads will lose value, and brands won’t bother buying them if consumers don’t trust them.

Now we’re not advocating for Google to implement draconian trademark enforcement actions to stop consumers and others from using brand names they don’t have rights to. But doesn’t it seem reasonable to ask for a bit more due diligence to ensure they’re not letting scammers use trademarks to defraud people that use Google?

The Impact of Fraudsters Abusing Google Ads

If potential customers looking for your brand engage with a phony sponsored ad and fall victim, many of them will blame, lose trust in, and ultimately leave your brand. These ads can cause irreparable damage to a brand’s online reputation.

As fraudsters continue to bid on keywords relevant to your brand, your customer acquisition costs rise with them. Scammers both drive up keyword prices and poison the results, so the return on digital marketing spend falls even as that spend increases. Consumers lose trust in the ads they see and click less often, and when they do click on a fake ad they land on a scam website, costing you the opportunity to engage with those prospects.

So, what is a brand to do?

5 Tips to Mitigate Fake Online Ads Targeting Your Brand and Customers

In addition to general online brand protection best practices, take the following steps to mitigate the risk of fraudulent Google ad phishing targeting your brand and customers:

  1. Contact us right now if you’re noticing scammers impersonating your brand with Google Ad phishing, or if you want to get ahead of the issue.
  2. Get educated about an expected surge in fake iOS apps impersonating trusted brands.
  3. Get free actionable advice for handling parked domains impersonating your brand on our blog.
