Google Ads and Malware – What You Should Know


Ads, whether in online videos, websites, or television, can be annoying. In fact, you probably have some sort of software or browser extension installed right now for the sole purpose of blocking ads. I know at home, I often will record a television program on a DVR or delay streaming it just so I can skip the advertisements.

The point is, most of us do not like ads. 

That is true when it comes to results on a search engine as well. Whether they are listed as ads or sponsored results, we still tend to avoid them. The data proves that: 

[Figure: Click-through rates by position. Google search results for customer relationship manager software, showing the percentages of clicks on ads and organic results.]

As you can see, data from 2022 shows that the first position Google ad placement gets about 2.1% of the clicks for a search query, while the organic positions dominate the majority of the traffic. 

Still, paid ads in search results can be effective. But a troubling danger has recently surfaced: more and more Google ads are taking clickers to malware-distributing websites instead of the site they expected.

What can you do to protect yourself, not only as a searcher but as a business that uses paid ad campaigns? We are here to help!

Google Ads – The Latest Malvertising Campaign 

What is “malvertising”? Well, as you might have guessed, malvertising is short for “malicious advertising”, specifically involving the use of online advertising to spread malware. This is typically done by injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

In the case of Google Ads, a user searches for software or cryptocurrency, for example, and sees the promotion first because Google places paid ads high on the SERP (search engine results page). Typically, if Google detects that the site the ad points to is malicious, the campaign will be blocked, and the ads will be removed.

But just like how the lock on your door to your home or car only keeps honest people out, the malicious threat actors have workarounds to accomplish their objective. While you may have assumed a paid ad is going to be safe to click, unfortunately this is not always the case as we will see. 

The trick is to take the victim who clicks on the ad to an irrelevant, but benign, site created by the threat actor, which then redirects them to a malicious site impersonating the software product or whatever the search was for. The page loads, the trigger fires, and the payload is discharged on the victim’s computer. 

The payload is downloaded from a reputable file-sharing or code-hosting service, such as GitHub or Dropbox, ensuring that any anti-virus programs or similar “in flight” protection services will not block it. A nice visual example of this is provided by Guardio Labs.

[Figure: Example of AdWord redirection and malware (Guardio Labs). Flowchart of someone clicking on a Google ad and being redirected to a different website.]

As you can see, the majority of users would never know this is going on before it is too late. 

But there is good news! There are steps you can take to protect yourself from accidentally clicking on a malware-laden link in a Google Ad result. And if your business runs paid ad campaigns, there are things you can consider and check to ensure that whoever is managing your ad campaigns isn’t involved in this in some way either.

Are Google Ads Safe? Well, it Depends! 

Generally speaking, the majority of links that appear as Google Ads in search results are safe. But of course, all it takes is one bad experience with a malicious link to sour your opinion. So, when something gets past the safety protections that are in place, what steps can you take to help to protect yourself? 

Consider some suggestions for general users: 

  • Before clicking on an advertisement, check the URL to make sure the site is authentic. Using a technique known as “typosquatting”, a malicious domain may appear to be similar to the intended, legitimate domain, but with typos, numbers in place of letters, or a misplaced letter. 
  • If you happen to know the business name beforehand, instead of searching for them you could just go to their known web domain directly. Of course, if you know what you are looking for you typically wouldn’t need to search for them, but the point is still valid. 
  • Use an ad blocking browser extension. Or if that does not meet your requirements, there are extensions that can validate the destination of the link in the results before you click on it. 

For businesses, you should consider these suggestions: 

  • Use domain protection services to get notifications when similar domains to yours are registered. This can help to prevent domain spoofing and having your online reputation impacted. 
  • Closely monitor the ad campaigns for your business. Intentionally done or not, being a part of a malicious event like those described here can cause reputation damage and ruin customer sentiment. 
  • Take the time to educate your users about spoofed websites and the importance of double-checking destination URLs to make sure they are correct before they click.  
  • Educate users about where to find legitimate downloads for programs provided by the business. If they run across something that does not look right, give them appropriate steps to immediately take to try and mitigate any issues before they become major problems. 

You can also read these suggestions and other details in the FBI public service announcement about this topic. 

Risk Aware, One Way or Another 

In 2022, Google topped the list of major advertising revenue companies with $168.44 billion.

Large businesses routinely spend thousands of dollars per month on ads on Google’s systems. Even with the small share of traffic that the data shows ads attract, clearly there is value to the prime real estate on the search results page. The problem is that malicious actors know this too.

Whether you are a small business owner, a college student, or an “average Joe”, cyberthreats are abundant and cybersecurity concepts are an absolute must to have, no matter who you are. While there are intelligent security measures in place to protect users, those measures are only as good as the known methods to thwart them. The reality is that if you are not risk aware, you can become the victim of a computer virus or malware event if you stumble upon a malicious Google Ad. 

Hopefully the information and the suggestions discussed in this article will help you be safe and maybe enlighten you to some of the current risks with Google Ads.