Warning issued over “inadvertent” spread of malvertising on Google Dynamic Search Ads

Mockup of a padlock covered in blue and red neon code denoting ransomware, malware, and security
(Image credit: Getty Images)

Security researchers have issued a warning over a spate of “inadvertent” malvertising cases in which malicious sites are spread via Google’s Dynamic Search Ads function. 

Analysis from Malwarebytes has revealed the ads function has led to the automatic generation of promotional links leading to malicious websites.

Jérôme Segura, senior director of threat intelligence at Malwarebytes, said this particular case raises concerns over the pervasive threat of malware spread via Google. 

The advert in question is not believed to have been deliberately spread by a threat actor. Segura added that analysis suggests the threat actor behind the promoted malicious page wasn’t even aware it had been generated. 

The reason for this is how Google’s dynamic search ads works, researchers said. Dynamic Search Ads (DSA) uses the content of a website to automatically generate adverts. 

DSAs are marketed to businesses as the simplest way to find customers searching for products or services via Google. They can be automatically created, targeted, and optimized using content from the organization’s website.

In this case, Segura said pages on a website for a business specializing in wedding planning were compromised and injected with malware. In particular, the malware changed the page’s title and created a pop-up with a link to download the popular development environment, PyCharm. 

Google’s dynamic search ads automatically created a listing based on one of the compromised pages. 

The result was that when performing a Google search for ‘pycharm’, Segura was served an advert with the headline ‘JetBrains PyCharm Professional’ but with a content snippet that still showed a series of keywords relating to the wedding planning business.

RELATED RESOURCE

Whitepaper cover with cartoon image of female wheel chair user talking to a man wearing a cap, with another man lifting a message bubble onto a phone screen

(Image credit: ServiceNow)

Manage vulnerabilities and get ahead of the latest cyberthreats

DOWNLOAD NOW

Unlike previous malvertising campaigns, the link included in the advert was to the legitimate domain, albeit compromised. The outcome of following the link to the compromised page, downloading and running the installer, is a “deluge of malware infections … rendering the computer completely unusable”. 

This vulnerability is less likely to be detected by Google as the advert had been paid for by a legitimate business and redirects users to the correct destination, Segura said. 

Malwarebytes’ analysis suggests that “Google may be able to detect that the website has been compromised because it contains spam injections. If that is the case, Dynamic Search Ads may inadvertently promote malicious content”

This represents a novel case of malvertising where malicious content is unknowingly pushed to search users due to the automatic generation of adverts by the dynamic search ads tool, without explicit intent on the part of the threat actor. 

Growing malvertising threats

The threat of malvertising has been growing in recent months, with a number of high-profile cases in which users have been placed at heightened risk due to the promotion of malicious websites via Google. 

A prominent malvertising campaign earlier this year involved a threat actor paying for an advert listing which they used to mimic the popular streaming software OBS.  

The case came to light after a cryptocurrency influencer who clicked on the advert link and ran the executable file it redirected to, had their Substack and Twitter accounts hacked and their NFT wallet stolen. 

In a thread on X (formerly Twitter) discussing this case, security researcher Will Dormann questioned why Google was not doing more to address this attack vector, like using the Google-owned threat analyzer VirusTotal to automatically check sponsored links for malware. 

Dormann went on to demonstrate that when searching for many pieces of popular software, the results are often ‘adverts’ which are in fact malware links.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.