FBI issues urgent cybersecurity alert today related to online retail scams

Dec. 21, 2022
Cybercriminals impersonating brands using search engine advertisement services to defraud users

'Tis the season for bad actors and cybercriminals, it seems. The FBI is warning the public that cybercriminals are buying search engine advertisements to impersonate brands and direct users to malicious sites that drop ransomware or harvest login credentials and other financial information.

Methodology

Cybercriminals purchase advertisements that appear within internet search results using a domain that is similar to that of an actual business or service. When a user searches for that business or service, these advertisements appear at the very top of the results with minimal visual distinction between a paid advertisement and an organic search result. The advertisements link to a webpage that looks identical to the impersonated business's official webpage.

In instances where a user is searching for a program to download, the fraudulent webpage has a link to download software that is actually malware. The download page looks legitimate and the download itself is named after the program the user intended to download.

These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms. These malicious sites appear to be real exchange platforms and prompt users to enter login credentials and financial information, giving criminal actors access to steal funds.

While search engine advertisements are not inherently malicious, it is important to practice caution when accessing a web page through an advertised link rather than through an organic result or a typed address.

“Phishing as a vector has been extremely fruitful for APT groups and internal Red Teams for years now. With the evolution of controls and protections, new ways to attack users have evolved. The concept of ‘malvertising’ as a whole isn’t entirely new, so the importance of safeguarding against opportunities like this is critical. If the user can interact with it in some capacity or is targeted by it, there is more than likely a strong phishing element available to resourceful attackers,” says Matt Mullins, a Senior Security Researcher for Cybrary, a cybersecurity and IT workforce development platform that provides a digital knowledge repository of cybersecurity-related content. “Advertising is ubiquitous on the web at this point; we are all bombarded with ads on sites, YouTube videos, social media platforms (such as Reddit or Twitter), and the list goes on and on. The ability to poison those ecosystems with advertisements is particularly useful as it is a trusted ‘trojan horse’ vector for attackers to slip into. These advertisements are then served to users from a trusted source and potentially bypass defensive controls to go straight to a user. How hard is it to track down the initial access vector for an incident already?”

Tips To Protect Yourself

The FBI recommends individuals take the following precautions:

  • Before clicking on an advertisement, check the URL to make sure the site is authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Rather than search for a business or financial institution, type the business’s URL into an internet browser’s address bar to access the official website directly.
  • Use an ad-blocking extension when performing internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These ad blockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others.

The FBI recommends businesses take the following precautions:

  • Use domain protection services that notify the business when similar domains are registered, so that lookalike registrations can be challenged or taken down before they are used to spoof the business.
  • Educate users about spoofed websites and the importance of confirming destination URLs are correct.
  • Educate users about where to find legitimate downloads for programs provided by the business.
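The first individual tip (check the URL for typos or a misplaced letter) and the first business tip (watch for registrations of similar domains) are the same comparison done by a person and by a service respectively. As an added example, not code from the FBI alert or from Cybrary, the Python below implements that comparison: given a list of legitimate brand domains, it classifies a URL's host as legitimate, a lookalike (same name under another TLD, a dropped, doubled, swapped or substituted letter, a digit-for-letter homoglyph, or the brand name embedded in an unrelated domain), or unrelated. The brand domains, the homoglyph table and the sample URLs are constructed for illustration; the host split is a naive last-two-labels split with no public-suffix list, which is an assumption to replace before using this on real traffic.

```python
"""Lookalike-domain check for brand-impersonation URLs (added example).

Constructed inputs: LEGIT_DOMAINS, HOMOGLYPHS and SAMPLE_URLS are illustrative,
not data from the FBI alert.
"""
from urllib.parse import urlsplit

# Constructed: domains a business actually owns (assumption for the example).
LEGIT_DOMAINS = ["examplebank.com", "examplesoftware.io"]

# Partial table of digit/letter lookalikes seen in spoofed domains (illustrative).
HOMOGLYPHS = {"rn": "m", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed sample URLs, one per spoofing pattern plus two legitimate ones.
SAMPLE_URLS = [
    "https://examplebank.com/login",                  # legitimate
    "https://www.examplebank.com/",                   # legitimate subdomain
    "https://examplebank.net/login",                  # same name, other TLD
    "https://exampelbank.com/login",                  # transposed letters
    "https://examplbank.com/",                        # dropped letter
    "https://examp1ebank.com/",                       # homoglyph 1 -> l
    "https://examplebank.com.secure-login.net/",      # brand as a subdomain
    "https://examplesoftware-download.io/setup.exe",  # brand with a suffix
    "https://unrelated-shop.com/",                    # unrelated
]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transposition(a, b):
    """True if a equals b with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def normalize_homoglyphs(label):
    """Fold lookalike glyphs so 'examp1ebank' compares equal to 'examplebank'."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def split_host(host):
    """Return (registrable label, tld). Naive split on the last dot; no
    public-suffix handling, so 'co.uk'-style suffixes are not covered (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_url(url, legit=LEGIT_DOMAINS):
    """Return 'legitimate', 'lookalike' or 'unrelated' for the URL's host."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    # Exact match or a subdomain of a domain the business owns.
    if any(host == g or host.endswith("." + g) for g in legit):
        return "legitimate"
    label, _tld = split_host(host)
    folded = normalize_homoglyphs(label)
    for good in legit:
        good_label, _ = split_host(good)
        # Brand name present anywhere in a host we do not own: other TLD,
        # 'brand-login.com', or 'brand.com.evil.net'. Noisy for very short brand names.
        if good_label in host:
            return "lookalike"
        # Typo, dropped/doubled letter, or homoglyph (distance 0 after folding).
        if levenshtein(folded, good_label) <= 1:
            return "lookalike"
        # Two adjacent letters swapped (Levenshtein counts this as 2).
        if is_transposition(folded, good_label):
            return "lookalike"
    return "unrelated"


def scan(urls=SAMPLE_URLS):
    """Classify every URL; the verdict map is what a monitor would alert on."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{verdict:10s} {url}")
```

The "brand name anywhere in the host" rule is deliberately broad because the ad-based lure in this alert relies on the victim recognising the brand string in the URL; a domain-monitoring service would run the same checks against newly registered domains from zone files or certificate transparency logs rather than against clicked URLs, and would want a public-suffix list and a per-brand distance threshold before the results are actionable.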

“Think about this scenario: an incident is reported to you and you start to pull logs and information on the system. You dive in and look at what the user did, and all you can see is that a page dropped malware... prior to that they were listening to Pandora Radio. Do you assume Pandora was breached? You check the news and there is nothing on the topic... so what then? This creates the discord and smoke screen attackers want for casting a large net on phishing users. This is all assuming that your defensive team can even detect the malware to begin with,” adds Mullins. “By asking for credentials or access, it can be even more difficult, as it is merely web traffic. There is no artifact on the machine, and in a lot of instances a user might not even know they have made a mistake. This creates a more complex problem for defenders of enterprises. Non-corporate users are even more vulnerable as we are in the holiday season, a prime time to harvest important information with fraudulent pages and promises of discounts and products.”

Victim Reporting

If you believe you have been a victim of fraud or malware based on brand impersonation from search engine advertisements, report the fraud to your local FBI field office at www.fbi.gov/contact-us/fieldoffices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.