Google Ads have helped thousands of legitimate businesses position themselves and boost their sales. Users have learned to trust them almost blindly. Now, threat actors have learned they can easily abuse that user’s trust to position their phishing sites on top of legitimate websites. As a result, the trust between businesses and their customers is undermined, generating substantial financial losses for any affected business’s customers.
While Google does its fair amount of work in taking down phishing sites, the job of the threat actors is already complete, which is why the issue requires a multi-faceted approach: technological innovation combined with collaboration across different stakeholders.
The Scope of The Problem
For instance, Google reported that in 2020 alone, it blocked more than 3.1 billion ads violating its ad policies, encompassing within them phishing and malware through the use of sophisticated algorithms, enriched machine learning, and a full team that keeps monitoring and taking down those kinds of threats. The reason these efforts seem endless, however, has to do with the fact that threat actors adapt their tactics to bypass Google’s detection mechanisms and keep publishing. They often exploit newly discovered vulnerabilities or employ techniques to obfuscate their activities.
Additionally, these types of phishing campaigns are usually highly opportunistic, requiring only a brief window of availability to deceive users and achieve their objectives. A few hours of exposure is all they need to trick a significant number of victims.
Notable Cases
During the pandemic, threat actors launched a campaign of fake ads for personal protective equipment (PPE) that directed users to counterfeit websites that collected their credit card information and never delivered the products – a theme that was reused with the launch of the COVID vaccine.
Malvertising (the name used to refer to this type of fake ads scams) campaigns range from massive spear-phishing campaigns impersonating a country’s tax agency to fake business listings, fake tech support ads, and fake download or login portals. The latter has become so common that some banks have even recommended that their clients not use search engines to enter their websites. Later, in 2023 and into 2024, threat actors found a way to leverage deep fakes of public figures to scam users. While Google was quick to take steps to detect and remove the ads that were already running, the ease with which the attackers adapted to this new technology showed that this type of scam was not going to die down anytime soon.
Proactive Steps to Protect Your Business from Ad-Based Threats
User Education and Awareness
Empowering users with knowledge about ad fraud is a cornerstone in the defense against cyber fraud, but it also applies to fake ad scams. That is to say, firms must invest in educational campaigns highlighting the risks of clicking on unknown ads: being aware of fraudulent ads, the importance of URL verification, and encouraging the use of ad blockers and antivirus.
Improving Regulatory Frameworks
Regulatory bodies must impose more stringent conditions on digital ads, such as ensuring they are clearly positioned, and hold platforms liable for losses from ad fraud by inducing fines. Furthermore, governments should install task forces to monitor and investigate ad fraud practices, ensuring on-the-spot punitive measures against offenders. All businesses can and must ask their governments to take fast action against ad fraud.
Implement Advanced Technological Solutions
Advanced technological solutions such as AI- and ML-based solutions can be leveraged for massive-volume data analysis, identification of patterns indicating fraud, and blocking suspicious ads with automated enforcement.
Other approaches employ new techniques to provide businesses with “Proof of Authenticity” for the website they are visiting. Memcyco, a leader in this field, injects disguised snippets of code into a company’s website that trigger warnings for any user who accesses a copycat site generated by cloning the legitimate one.
Threat actors often try to mimic company websites by leveraging website cloning tools like HTTrack, Cyotek WebCopy, SiteSucker, etc. Memcyco uses “nano defenders” to hinder these malicious advertising operations by notifying users when they click on a malicious ad and enter a fraudulent portal. The impersonated company is also provided with full details of the attacked customer in real-time to expedite remediation efforts and minimize the damage.
Employ Fraud Detection Services
Fraud detection adds another layer of security by analyzing patterns and traffic for suspicious activities in real-time. Advanced algorithms integrated with AI and ML within fraud detection services enable the automatic detection and blocking of fraudulent ads before they can cause serious damage. Such solutions include Human Security, Integral Ad Science, and DoubleVerify.
Leverage Intelligence Services and Platforms That Monitor Phishing Sites
Leveraging intelligence services and platforms that monitor phishing sites and request their takedown is also an effective strategy against this type of attack. Security platforms and numerous other intelligence services continuously monitor the web for new phishing sites and emerging threats, providing real-time alerts and detailed analysis. By integrating these types of services into your security systems, companies can quickly react to new threats, preventing fraudulent ads from reaching consumers.
Trying to Stay Ahead of The Threat
The rise of phishing attacks via fake Google and social media ads significantly threatens businesses and consumers by exploiting trust built over years of legitimate advertising. Despite Google’s extensive efforts to combat these threats, cybercriminals only need brief exposure to cause substantial harm. As such, the problem calls for an updated cybersecurity approach that deals with the problem across all its dimensions: investment in user education, advocacy for more robust regulatory frameworks, the use of fraud detection and intelligence services, and advanced technological solutions. By taking a comprehensive and proactive approach, businesses can defend their digital ecosystems, uphold customer trust, and maintain a positive brand reputation.
Rashan is a seasoned technology journalist and visionary leader serving as the Editor-in-Chief of DevX.com, a leading online publication focused on software development, programming languages, and emerging technologies. With his deep expertise in the tech industry and her passion for empowering developers, Rashan has transformed DevX.com into a vibrant hub of knowledge and innovation. Reach out to Rashan at [email protected]
