Search engine ads are not always as they seem. Cybercriminals can take advantage of the ability to precisely target potential victims, tricking them into clicking malicious links prominently displayed before the intended legitimate destination.
This blog post takes a detailed look at the increasingly sophisticated usage of the technique known as cloaking, which is used to surreptitiously direct users to malicious URLs from search adverts displaying legitimate URLs of real companies.
How does cloaking work?
For legitimate adverts displayed in search engine results pages, when the link is clicked, it directs the user to the displayed website. These adverts are ostensibly verified by ad publishers such as Google or Bing. Bing’s platform is also used by Yahoo and AOL.
The most naive use of fake search adverts displays the fake destination to the victim. If clicked, this would direct the user to the website as displayed, albeit a malicious copy of the intended destination. This makes it easy for ad publishers to automatically discover and block adverts pointing to malicious URLs using threat intelligence feeds.
Fake ads created using cloaking are different in several ways:
- When clicked, the user is sometimes taken to a different URL to the URL shown in the search results.
- The ad publisher will not necessarily know that the URL to which the fake ad directs the user is malicious, as the cloaker ensures that the publisher is directed to the displayed URL when checking the ad. The displayed URL does not contain malicious content.
- Clicking on the same advert can direct different users to different final URLs.
It is easier for users to fall victim to this type of fake ad:
- The fake ad will display a legitimate URL on the search engine results, alongside the legitimate page title, description and even Google reviews.
…