In plain sight: malicious ads lurking in search results

Sometimes, there is more than a simple enticing product offer hiding behind an advertisement
October 10, 2024 by ST DIGITAL, Fabrice ADZRAKOU

One thing is true: malware developers are deeply invested in improving their malicious software and exploring different ways to compromise end users. The spread of malware through advertising is nothing new; for a long time, cybercriminals have set their sights on online advertising networks as a distribution vector.


With a single click, a person's computer or even their entire network could become infected. And despite the continued use of ad blockers and sophisticated security software, the spread of malware through advertisements remains a significant problem, particularly when it masquerades as advertising for legitimate websites.


How does malicious advertising work in search engines?


Following the rise of various search engines throughout the 1990s, and given the ever-increasing encroachment of the online world upon our physical daily lives, it is no surprise that advertising agencies wish to target such spaces.

However, among these search advertisements, malicious ones may also be found. Malvertising campaigns generally involve malicious actors purchasing prime advertising space on search engines to lure potential victims into clicking on their malicious ads. Attackers have distributed advertisements impersonating popular software such as Blender, Audacity, GIMP, and MSI Afterburner, to name but a few.


No SEO tricks required: scammers who pay for ads on the Search Network automatically place their malicious page at the top of users' search results.


This was the case with a Bing advertisement impersonating a VPN service – the ad's URL closely resembled the legitimate URL, with the linked website being a near-identical facsimile of the real one. Furthermore, the downloadable solution (detected by ESET under the name MSIL/Agent.CKL) concealed a malicious payload: SecTopRAT, a remote access Trojan that allows attackers to take control of browser sessions and exfiltrate data.


A similar incident emerged in 2024, in which a malicious actor used fake domains impersonating IP scanner software and abused search advertisements to increase the visibility of their malicious pages.


Thus, internet users searching for specific products may encounter such cases, with only subtle clues available to distinguish between a legitimate and a malicious advertisement or page.
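The subtle clue is usually the domain itself. The following sketch is an added example, not code from ESET or ST DIGITAL: it compares an ad's destination host against the official sites of three of the programs named above and flags near-matches. The `.example` URLs are constructed samples, and the "last two labels" rule for the registrable domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Official sites of software the article names as impersonated.
OFFICIAL = {"blender.org", "audacityteam.org", "gimp.org"}
BRANDS = {domain.split(".")[0] for domain in OFFICIAL}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for an ad's landing URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Assumption: registrable domain = last two labels. A production
    # check should use the Public Suffix List instead.
    if ".".join(labels[-2:]) in OFFICIAL:
        return "official"
    for brand in BRANDS:
        # Short names get a tighter threshold to limit false positives.
        limit = 1 if len(brand) <= 5 else 2
        for label in labels:
            # Brand embedded in a label, or a near-miss spelling of it.
            if brand in label or edit_distance(label, brand) <= limit:
                return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample landing URLs (not taken from any real campaign).
    for sample in ("https://www.blender.org/download/",
                   "https://b1ender.example/download",
                   "https://blender.org.downloads.example/",
                   "https://gimp-setup.example/",
                   "https://news.example/article"):
        print(f"{classify(sample):10} {sample}")
```

A "lookalike" verdict means the host borrows a protected name without belonging to the official domain, which is the pattern described in the VPN and IP scanner cases above.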


Whack-a-mole


In 2023, Google blocked or removed more than 1 billion ads that abused its advertising network, including ads promoting malware.


Other online advertisers are also victims. Due to the nature of advertising activity, malicious actors can manipulate an entire advertising chain, compromising it in several possible ways, from purchasing advertisements and impersonating search engine providers to hacking websites and advertising servers.


While search engine providers continuously remove malicious advertisements or websites from search results, hackers remain persistent and keep finding new ways to circumvent content filtering, creating a cat-and-mouse game between search providers and criminals. Consequently, you can never be 100% certain that what you click on is not a malicious link.



How to protect yourself against malvertising


Fortunately, there are steps you can take to protect yourself against cyber threats, and the same applies to malvertising. Here are a few:


  • Cultivating awareness is the first step towards a cybersecure life. The mere fact that you have read this blog article is a preventive measure against falling victim to malvertising.
  • Limit your browser fingerprint, and not just for privacy reasons. It removes a potential means for websites and malicious actors to identify your device.
  • Use a reputable ad blocker to prevent these ads from reaching you. It is not 100% effective, but in combination with our other tips, it should work well.
  • Be wary of various pop-up windows, permission requests, and other unwanted browser behaviors.
  • Keep your devices and software up to date. Certain vulnerabilities can be easily exploited, making it easier for hackers to carry out attacks.
  • Use a robust security solution with real-time protection.


Of course, many other measures could be taken, but these should be sufficient to cover at least the basics of malvertising prevention.


As an ESET partner, ST DIGITAL encourages its clients to be particularly vigilant against threats such as malvertising, a technique whereby online advertisements are used to spread malware. We strongly recommend adopting cybersecurity measures such as the use of high-performance ad blockers, frequent system updates and the installation of advanced security solutions, such as those offered by ESET. These solutions provide real-time protection against sophisticated attacks. Heightened awareness and proactive prevention are essential to effectively protect against these risks.


In conclusion, search engine malvertising is just another way for cybercriminals to proliferate threats. Moreover, it highlights how creative malware distribution can be and underscores the need for improved security and threat awareness. Stay vigilant and attentive, as even the most attractive offer can sometimes conceal unexpected dangers.


SOURCE: https://www.welivesecurity.com/en/malware/in-plain-sight-malicious-ads-hiding-in-search-results/