Ads on popular Search Engine are leading to Phishing Sites

Published on 2015-11-23 09:10:00 UTC by GovCERT.ch
Last updated on 2015-11-26 14:44:40 UTC

GovCERT.ch and the Reporting and Analysis Centre for Information Assurance (MELANI) are aware of an ongoing phishing campaign that is targeting a large credit card issuer in Switzerland. What makes this phishing campaign somewhat unique is the way the phishers advertise their phishing sites: while phishing sites are traditionally promoted through phishing emails sent to a large audience, these phishers are using advertisements (Ads) on a popular search engine to promote their phishing sites.

How it works (Modus Operandi)

Phishers are buying so-called keywords on the advertising networks of popular search engines, such as Google, Microsoft Bing or Yahoo!. These advertising networks are commonly owned and operated by the search giants themselves. Once an internet user searches for a particular keyword that a publisher advertises on, the search engine displays the Ad at the top of the search page, and hence before the actual search results. This is very popular, since most internet users just click on the first search result without caring whether the link they click on is an Ad or a real search result.

Below are some screenshots of what such Ads on popular search engines usually look like:

An advertisement on Google Search

An advertisement on Microsoft Bing

An advertisement on Yahoo!

Recently, phishers noticed that they can use such advertising networks for their own purposes by advertising phishing sites on popular search engines. Using Ads on popular search engines has a handful of benefits for phishers that make their lives easier:

  • Phishing Ads on search engines are harder to detect for security researchers etc.
  • The phishers do not have to deal with email spam filters, since no emails are involved
  • The phishers do not have to spend money and time to find and buy an email address list
  • At least some of the search engines and advertising networks are obviously not doing proper fraud-checks (or no fraud-checks at all?) before an advertisement goes live
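A brand owner or CERT that collects the Ads shown for its own brand keywords can triage them by landing domain, which addresses the detection gap described above. The following is an added example, not part of the original GovCERT.ch post; the issuer domain `examplecard.example`, the ad records and the 0.8 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the only domain the hypothetical card issuer operates.
OFFICIAL_DOMAINS = {"examplecard.example"}
BRANDS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}

def host_of(url):
    """Lower-cased hostname; ad display URLs often lack a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def is_official(host):
    """Exact match or true subdomain; the leading dot rejects 'notexamplecard.example'."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def imitates_brand(host, threshold=0.8):
    """True if any dot/hyphen-separated token of host resembles a brand name."""
    tokens = [t for t in re.split(r"[.-]", host) if t]
    return any(SequenceMatcher(None, t, b).ratio() >= threshold
               for t in tokens for b in BRANDS)

def triage(ad):
    """Return (verdict, reasons) for one collected ad record."""
    display, landing = host_of(ad["display_url"]), host_of(ad["landing_url"])
    if is_official(landing):
        return "ok", []
    reasons = []
    if is_official(display):
        reasons.append("display URL shows the official domain, landing page does not")
    if imitates_brand(landing):
        reasons.append("landing host imitates the brand name")
    # Third-party Ads without imitation (e.g. comparison sites) go to manual review.
    return ("suspicious" if reasons else "review"), reasons

# Constructed sample records (display URL as shown in the Ad, URL reached after the click).
ADS = [
    {"display_url": "www.examplecard.example", "landing_url": "https://www.examplecard.example/login"},
    {"display_url": "examplecard.example", "landing_url": "http://examp1ecard-login.test/secure"},
    {"display_url": "compare-cards.test", "landing_url": "https://compare-cards.test/offers"},
    {"display_url": "examplecard.example.account-verify.test",
     "landing_url": "https://examplecard.example.account-verify.test/"},
]

if __name__ == "__main__":
    for ad in ADS:
        print(ad["landing_url"], *triage(ad))
```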

We first saw this particular phishing campaign in spring this year. When we first discovered that the phishing campaign was running through Ads on popular search engines, GovCERT.ch got in touch with the three big players in the search engine market. As a matter of fact, two of them were affected by the ongoing phishing campaign and were delivering malicious phishing Ads to users of their search engine.

While we thought that the problem was solved after we got in touch with the search giants, we recently saw once more an increase in phishing Ads being served by a particular search engine. While we have been in close contact with them to address the described phishing case, the miscreant was obviously able to create a new Ad campaign once the current campaign had been suspended / terminated by the search engine provider. Despite the fact that we asked the affected search engine to provide us with additional information regarding the described phishing incidents, we unfortunately did not receive any valuable information. Hence we can't say anything about the culprit, the miscreants or the success rate of this particular phishing campaign.

The future of Ads

In general, online advertising seems to be having a hard time these days. More people are using so-called AdBlockers to prevent Ads from being rendered by the web browser (and hence disable them). The reasons why more and more internet users are using AdBlockers vary: many of them likely just want to get rid of "annoying ads" that mess up the actual page they are visiting. However, at least some AdBlock users also justify the use of such tools with security concerns. As a matter of fact, advertising networks have been used heavily in the past to serve malicious code to visitors of legitimate websites, infecting them with malware such as trojans. Just in September 2015, GovCERT.ch uncovered a large malvertising campaign targeting a popular advertising network in Switzerland. The incident allowed cybercriminals to serve malicious code on dozens of websites of popular newspapers in Switzerland and hence to successfully infect thousands of internet users (see Swiss Advertising network compromised and distributing a Trojan).

While most corporate networks are probably blocking advertising networks on their network edge (not only because of security concerns, but also because of the additional resource consumption, such as bandwidth, caused by ads), it is up to each internet user whether they want to use AdBlockers or not. While ads can sometimes be annoying, people should also consider that ads allow many website owners to pay their bills, and hence to offer their content and services for free.