ESET Expert

In plain sight: Malicious ads hiding in search results



Sometimes there’s more than just an enticing product offer hiding behind an ad.


One thing is true: Malware developers are deeply invested in improving their malware and exploring different ways to compromise end users. Malware spreading through ads is nothing new; for a long time, cybercriminals have had their sights fixed on online advertising networks as a distribution vector. 


With just a click, a person’s computer or even their entire network could become infected. And despite the continued use of ad blockers and sophisticated security software, malware spreading via ads is still a large problem, especially when the malicious ads pose as ads for legitimate sites.


How does malvertising in search engines work?

Following the boom of various search engines throughout the 90s, and considering the ever-increasing encroachment of the online world on our physical daily lives, it is not surprising that ad firms would want to target such spaces.


However, among these search advertisements, one could also find malicious ones. Malvertising campaigns typically involve threat actors buying top ad space from search engines to lure potential victims into clicking on their malicious ads; attackers have delivered ads imitating popular software such as Blender, Audacity, GIMP, and MSI Afterburner, to name a few.


No SEO tricks necessary – crooks paying for search ads automatically bring their malicious page to the top of people’s search results. 

Such was the case with a Bing ad posing as a VPN service – the ad’s URL looked quite a bit like the legitimate one, with the linked website being a close facsimile of the real one. What’s more, the downloadable solution (detected by ESET as MSIL/Agent.CKL) hid a malicious payload: SecTopRAT, a remote access trojan that enables attackers to take control of browser sessions and exfiltrate data. 


A similar story appeared in 2024, in which a threat actor leveraged fake domains, masquerading as IP scanner software, and abused search ads to boost the visibility of their malicious pages.


Thus, internet users searching for particular products could encounter such cases, with only subtle clues available to discriminate between a legitimate and a malicious ad or page.
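
One of those subtle clues, a landing domain that is almost but not quite the official one, can be checked mechanically. The following is an added example, not code from ESET or from the campaigns described; the allowlist, the `.example` domains, the sample URLs and the function names are all constructed for illustration, and taking the last two host labels as the registrable domain is a simplification.

```python
from urllib.parse import urlsplit

# Assumption: defender-maintained allowlist of official download domains.
# Every name here is constructed and uses the reserved .example TLD.
OFFICIAL = {"fastvpn.example", "ipscanner.example"}
# Fold common digit-for-letter swaps and drop padding hyphens before comparing.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url, max_distance=1):
    """Return 'official', 'lookalike' or 'unknown' for an ad's landing URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Simplification: the last two labels stand in for a public-suffix lookup.
    domain = ".".join(host.split(".")[-2:])
    if domain in OFFICIAL:
        return "official"
    folded_host = host.translate(FOLD)
    label = domain.split(".")[0].translate(FOLD)
    for good in OFFICIAL:
        brand = good.split(".")[0].translate(FOLD)
        # Brand embedded anywhere in the host, or one typo away from it.
        if brand in folded_host or edit_distance(label, brand) <= max_distance:
            return "lookalike"
    return "unknown"

# Constructed landing URLs, as they might be logged by a web proxy.
SAMPLES = [
    "https://www.fastvpn.example/download",           # the real site
    "https://fastvpm.example/download",               # one-letter typo
    "https://fa5tvpn.example/",                       # digit swapped for a letter
    "https://fastvpn-download.example/",              # brand plus extra word
    "https://fastvpn.example.cdn-mirror.test/setup",  # brand used as a subdomain
    "https://weather.example/",                       # unrelated site
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):9}  {url}")
```

A "lookalike" verdict is a reason to stop and go to the vendor's site directly, not proof of malice; an "unknown" verdict says nothing about safety either way.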


Whack-a-mole

In 2023, Google blocked or removed over 1 billion ads that had been abusing its ad network, including ads promoting malware. 


Other online advertisers are also victims. Due to the nature of the advertising business, bad actors can manipulate an entire advertising chain, compromising it in several possible ways – from buying ads and impersonating search engine providers to hacking websites and ad servers.


While search engine providers continually remove malicious ads or websites from search results, hackers are persistent and keep on finding new ways to counter content filtering, creating a game of whack-a-mole between search providers and criminals. As a result, you can never be 100% certain whether what you click on is a malicious link.


Other forms of malvertising

Malicious search ads represent just one form of ad abuse by threat actors. Other types include the distribution of malicious banner ads on legitimate websites, some even hiding bad code by using steganography. Malicious ads can also be encountered via in-text hyperlinks, popups, and more.

How to protect against malvertising

Thankfully, there are steps you can take to protect against cyber threats, and the same is true for malvertising. Here are a few:


  • Cultivating awareness is the first step toward a cybersecure life. Just the fact that you have read this blog post is one preventive measure to not fall prey to malvertising.


  • Limit browser fingerprinting, and not just because of privacy. It removes a potential way for malicious sites and actors to identify your device.


  • Use a reputable ad blocker; it’s one way to stop these ads from reaching you, and while it’s not 100% effective, in combination with our other tips, it should work well.


  • Be wary of various popups, permission requests, and other unwanted browser behavior.


  • Keep your devices and software up to date. Some vulnerabilities can be easily exploited, facilitating the work of hackers.



Of course, many more steps could be taken, but these should be enough to cover at least the basics of malvertising prevention. 


In conclusion, search engine malvertising is just another avenue for cybercriminals to proliferate threats. Moreover, it underscores how creative malware distribution can be, and showcases the need for enhanced security and threat awareness. Stay vigilant and pay attention, as even the most appealing offer can sometimes hide unexpected dangers.
