Malvertising has been out of control in 2023, and Google needs to do more to stop it
Google has been scrambling to contend with an increase in malvertising campaigns across the year


Google must do more to combat malvertising in the year ahead following a significant increase in the volume of malicious ads, experts have told ITPro.
Threat actors have ramped up the tactic of using search ads disguised as popular software such as OBS or VLC Player to inject malware onto users’ systems, and Google appears to be struggling to put a stop to it.
The scale of the issue has prompted some analysts to suggest using an ad blocker is now essential for safe web browsing.
New research from Malwarebytes revealed an increase in the number of malicious ads being served in Google search results. The research focused on malicious ads for the popular video conferencing software Zoom.
Jérôme Segura, Malwarebytes’ senior director of threat intelligence, said threat actors were using new services to evade Google’s detection systems.
The hackers were found to be using tracking templates to cloak the redirection mechanisms in their ads, a technique that uses legitimate marketing platforms to redirect to custom domains that contain malware.
Segura could not confirm the number of users who may have fallen for these malicious Zoom ads, but based on their position and number, the number of victims is likely to be substantial.
Malicious ads for the communication platform Slack were also found to lead to the PikaBot malware in a separate investigation by Malwarebytes.
The report notes PikaBot was previously distributed only via ‘malspam’ campaigns, where users are bombarded with spam emails containing malware.
The scale and frequency of the problem led Will Dormann, senior vulnerability analyst at CERT, to recommend that all users use ad blockers as part of a robust security posture.
“When you see an ad in a Google search result the domain name shown is in no way guaranteed to be what site you’ll end up on if you click the link. 1) NEVER EVER click on a Google ad link. 2) Using an ad blocker is good security hygiene. Not something to feel guilty about”.
Javvad Malik, lead security awareness advocate at KnowBe4, told ITPro the tech giant needs to ramp up efforts to combat this attack method and preserve trust for users.
“Malvertising preys on users’ trust and the assumption that a search engine like Google is a safe starting point to navigate the web,” he said.
“While ad blockers do provide an additional layer of security, it's imperative that organizations like Google reinforce their defenses against such abuses to maintain user trust.”
Malik said Google and other search engine providers “have a responsibility to step up their game” in light of this year’s torrent of malvertising incidents.
“It's not just about filtering ads; it's about actively engaging in threat detection in real time. The Dynamic Search Ads system should incorporate more robust verification processes to identify and block malicious ads before they reach the user. Regular audits of ad content and the advertisers' authenticity would also help root out criminals looking to post ads.”
What is being done to combat the torrent of malvertising?
Google has a number of measures in place to prevent malvertising, but it is clear these measures are inadequate in the face of ever more sophisticated attack methods.
Google already verifies the identity of advertisers, but as Segura noted in his report, this system is failing to detect threat actors using fake personas to impersonate popular brands.
An additional factor contributing to this crisis is the inadvertent malvertising caused by the Dynamic Search Ads (DSA) program, where Google automatically generates adverts for companies based on the content of their websites.
In a recent case, Google’s DSA system was found to have automatically created an advert listing for a compromised site that contained malware.
Pages on the website of a wedding planning company were compromised, with threat actors changing metadata on a number of pages and injecting them with malware.
An advert campaign, legitimately paid for by the website owner, ended up serving ads for the popular Python development environment PyCharm but with content snippets still related to the wedding planning business.
As the campaign was legitimately acquired and the advert linked back to the correct website (despite being compromised), this case was not detected by Google.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.