Published on November 23, 2015 09:10 UTC by GovCERT.ch. Last updated on November 26, 2015 14:44 UTC.
GovCERT.ch and the Reporting and Analysis Centre for Information Assurance (MELANI) are aware of an ongoing phishing campaign that is targeting a large credit card issuer in Switzerland. What makes this phishing campaign somewhat unique is the way the phishers are advertising their phishing sites: while phishing sites are traditionally promoted through phishing emails that are usually sent to a large audience, these phishers are using advertisements (Ads) on a popular search engine to promote their phishing sites.
Phishers are buying so-called keywords on advertising networks at popular search engines, such as Google, Microsoft Bing or Yahoo!. These advertising networks are commonly owned and operated by the search giants themselves. Once an internet user searches for a particular keyword that a publisher advertises on, the search engine displays the Ad at the top of the search page, and hence before the actual search results. This is very popular, since most internet users usually just click on the first search result without caring whether the link they click on is an Ad or a real search result.
Below are some screenshots of what such Ads on popular search engines usually look like:
Recently, phishers noticed that they can use such advertising networks for their own purposes by advertising phishing sites on popular search engines. Using Ads on popular search engines actually has a handful of benefits for phishers that make their lives easier:
We first saw this particular phishing campaign in spring this year. When we first discovered that the phishing campaign was running through Ads on popular search engines, GovCERT.ch got in touch with the three big players in the search engine market. As a matter of fact, two of them were affected by the ongoing phishing campaign and were delivering malicious phishing Ads to users of their search engines.
While we thought that the problem was solved after we got in touch with the search giants, we recently saw once more an increase in phishing Ads being served by a particular search engine. While we have been in close contact with them to address the described phishing case, the miscreant was obviously able to create a new Ad campaign once the current campaign had been suspended / terminated by the search engine provider. Despite the fact that we asked the affected search engine to provide us with additional information regarding the described phishing incidents, we unfortunately did not receive any valuable information. Hence we can't say anything about the culprit, the miscreants or the success rate of this particular phishing campaign.
In general, online advertising seems to be having a hard time these days. More people are using so-called AdBlockers to prevent Ads from being rendered by the web browser (and hence to disable them). The reasons why more and more internet users are using AdBlockers vary: many of them likely just want to get rid of "annoying ads" that mess up the actual page they are visiting. However, at least some AdBlock users also justify the use of such tools with security concerns. As a matter of fact, advertising networks have been used heavily in the past to serve malicious code to visitors of legitimate websites, infecting them with malware such as trojans. Just in September 2015, GovCERT.ch uncovered a large malvertising campaign targeting a popular Swiss advertising network. The incident allowed cybercriminals to serve malicious code on dozens of websites of popular newspapers in Switzerland and hence to successfully infect thousands of internet users (see Swiss Advertising network compromised and distributing a Trojan).
While most corporate networks are probably blocking advertising networks at their network edge (not only because of security concerns, but also because of the additional resource consumption, such as bandwidth, caused by ads), it is up to each internet user whether they want to use AdBlockers or not. While ads can sometimes be annoying, people should also consider that ads actually allow many website owners to pay their bills, and hence to offer content and their services for free.