Updated on November 7 with new government cybersecurity agency guidance on malware infecting legitimate online ad campaigns.
With “tens of millions of dollars” stolen from “hundreds of thousands” of web users, a serious warning has just been issued for the billions of users of the most popular web browsers. Google has removed known websites from search results, but that will not eradicate links elsewhere, on social media and messaging platforms. It is critical all users know what to look for. Put very simply—you must not use these websites.
Human Security’s Satori researchers warn that threat actors “drove traffic to fake web shops by infecting legitimate websites with a malicious payload. This payload creates fake product listings and adds metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer. When a consumer clicks on the item link, they’re redirected to another website, this one controlled by the threat actor.”
On the dangerous website itself, users would be directed to a legitimate payment processing platform to buy their chosen product. That product would never arrive, of course, but the money would certainly be taken. While many consumers may be protected from the ultimate financial cost through credit card chargebacks, that’s never guaranteed until a claim is investigated.
In the campaign most recently outed, bad actors “infected more than 1,000 websites to create and promote fake product listings and built 121 fake web stores to trick consumers… estimating losses of tens of millions of dollars over the past five years, with hundreds of thousands of consumers victimized.”
So, what can you look for to avoid seeing your money disappear into a black hole?
- Product deals that look too good to be true usually are. If a bargain is being offered well below market rates, do not proceed unless you can verify the site
- Check consistency between website names and the names that appear in popups, payment processing windows and the URL. This specific campaign infected legitimate websites and then redirected elsewhere, so the domain you land on should match the domain you started on
- Does the ordering process feel fully legitimate? For example, does it offer address autofill, and does it validate the data you enter?
- If this is a website you have not used before, check reviews carefully (remember they can be fake) and look for coverage of the site on established review websites
- Can you find the product on a known website, even if it is more expensive?
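As an added illustration (not Satori's tooling and not code from the original article), here is a small Python script a site operator could run over their own pages to spot the pattern described above: product listings whose links or JSON-LD Product metadata point to a different domain than the site itself, plus the "does the domain change on redirect" check from the list above. The page HTML, the hostnames and the redirect chain are all constructed for the example; the registrable-domain helper is a deliberate simplification.

```python
"""Flag product listings that point off-site, as an injected listing would.
Added example; the HTML and domains below are constructed, not real."""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page on shop.example: two genuine listings plus one
# injected listing whose link and JSON-LD metadata both point elsewhere.
SAMPLE_PAGE = """
<html><head>
<script type="application/ld+json">
{"@type": "Product", "name": "Kettle", "url": "https://shop.example/p/kettle"}
</script>
<script type="application/ld+json">
{"@type": "Product", "name": "Camera", "url": "https://deals.bad-store.example/camera"}
</script>
</head><body>
<a class="product" href="/p/kettle">Kettle</a>
<a class="product" href="https://shop.example/p/toaster">Toaster</a>
<a class="product" href="https://deals.bad-store.example/camera">Camera (80% off)</a>
</body></html>
"""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for this illustration; use a
    public-suffix list library for anything real (co.uk etc.)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class ListingParser(HTMLParser):
    """Collect every href and every JSON-LD object on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.jsonld = []
        self._in_jsonld = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "script" and a.get("type") == "application/ld+json":
            self._in_jsonld = True

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_jsonld:
            try:
                self.jsonld.append(json.loads(data))
            except json.JSONDecodeError:
                pass

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_jsonld = False


def off_site_listings(html, site_origin):
    """Return (kind, url) for each product link or JSON-LD Product whose
    target host lies outside the site's own registrable domain.
    Relative links have no host and are treated as on-site."""
    own = registrable_domain(urlparse(site_origin).hostname)
    p = ListingParser()
    p.feed(html)
    hits = []
    for href in p.links:
        host = urlparse(href).hostname
        if host and registrable_domain(host) != own:
            hits.append(("link", href))
    for obj in p.jsonld:
        if obj.get("@type") == "Product" and "url" in obj:
            host = urlparse(obj["url"]).hostname
            if host and registrable_domain(host) != own:
                hits.append(("jsonld", obj["url"]))
    return hits


def redirect_chain_leaves_site(chain):
    """True if a followed redirect chain ends on a different registrable
    domain than it started on: the 'names should match' check above."""
    first = registrable_domain(urlparse(chain[0]).hostname)
    last = registrable_domain(urlparse(chain[-1]).hostname)
    return first != last


if __name__ == "__main__":
    for kind, url in off_site_listings(SAMPLE_PAGE, "https://shop.example"):
        print(f"off-site {kind}: {url}")
    # Constructed hop list, as a crawler following Location headers would record it.
    hops = ["https://shop.example/p/camera",
            "https://r.example.net/go?x=1",
            "https://deals.bad-store.example/camera"]
    print("redirect leaves site:", redirect_chain_leaves_site(hops))
```

The script flags exactly the injected Camera listing twice, once for its anchor and once for its JSON-LD entry, which is the combination of visible listing plus ranking metadata the researchers describe. On a real site you would feed it crawled HTML and the recorded redirect hops rather than the constructed strings above, and swap the two-label domain helper for a public-suffix-aware one.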
This campaign, dubbed “phish and ships” by the research team, included a number of sophisticated touches, including metadata designed to hit the top of search results, albeit Google has now removed those results known to be fraudulent. Because legitimate websites were infected, users would initially be lulled into a false sense of security; the redirect to a fake web store is when alarm bells should start to ring.
A list of all known fake websites can be found here, some of which remain active despite the known threats per this latest report.
“This operation underscores the relationship between the digital advertising ecosystem and fraud,” Satori says. “Without the threat actors’ staged fake organic and sponsored product listings, there would have been no traffic to the fake web stores and therefore, no fraud. A key takeaway from Phish ‘n’ Ships is that digital advertising can be dangerous, and consumers should exercise caution when clicking through to the next step in a digital journey.”
Users of all major browsers fall victim to such attacks. The research team warns that “Phish ’n’ Ships remains an active threat,” albeit Google’s takedown has “partially disrupted” its threat. “It’s unlikely the threat actors will pull the plug on their work without trying to find a new way to perpetuate their fraud.”
When it comes to dodgy search results driving dangerous phishing attacks, there’s another nasty new twist that’s just come to light. Malwarebytes warns that “a new wave of phishing for banking credentials [is] targeting consumers via Microsoft’s search engine. A Bing search query for ‘Keybank login’ currently returns malicious links on the first page, and sometimes as the top search result.”
Microsoft’s share of search pales next to Google’s, but just as it has been campaigning to push Chrome users to Edge, it is now spending heavily to do the same for Bing, with a new $1m giveaway.
“While Microsoft’s Bing only has about 4% of the search engine market share,” Malwarebytes says, “crooks are drawn to it as an alternative to Google. One particularly interesting detail is how a phishing website created barely two weeks ago is already indexed and displayed before the official one.”
This dangerous new campaign has managed to inflate search signals for new, malicious sites, tricking users into clicking high-up search results for common keywords. “A malicious link is displayed as the first result and pretends to be Keybank’s login page… Attackers are abusing Bing’s search algorithms.”
Users clicking those links are redirected to malicious websites crafted for the campaign, which use the official branding of the lure to further trick users. The intent is simply to harvest identities, login credentials and passwords. The attackers have even found ways to collect MFA codes to complete the logins.
Just as with the “Phish and Ships” attack, this socially engineered manipulation of search results allied with trickery behind the scenes to move traffic from legitimate sites to malicious ones is clearly effective, netting attackers millions.
The worry for users will be the surge soon expected in AI based search, which is not only a threat to established search engines but also to users who don’t have the long-term defense mechanisms and ‘spidey senses’ to see attacks coming. Ironically, we’ve also just seen a phishing attack purporting to come from OpenAI itself, which hammers home that brave new world point. Buyers beware.
Another serious website fraud warning has been issued in the wake of this report from Human’s Satori researchers. The UK government’s cybersecurity agency has just warned that “digital advertising is fundamental to the digital economy and depends on the interactions between those selling advertising space and those buying it, often in real time. But this can be abused and result in malicious advertising, or malvertising, which can include malware. This can lead to fraud and undermines trust in the digital advertising industry.”
In a new advisory that brings “guidance for brands to help advertising partners counter malvertising,” NCSC warns legitimate companies that digital ad campaigns can expose their customers to fraud if the organizations running those campaigns either deliberately or inadvertently introduce fraudulent technologies into the mix.
“The organizations helping to deliver your campaigns should be taking action to prevent harm to users,” it says. “You also want assurance that the adverts appearing on the same sites and pages as your own are reputable and trustworthy. You can support the wider effort here by demanding effective malvertising detection and removal services across an intermediary’s advertising assets and publisher’s landing pages. This is a continuous process, which should apply before and throughout an advertising campaign.”
Just as with “Phish and Ships,” where legitimate commerce websites are infected to bring some legitimacy to malicious campaigns, the risk in digital ads is that trusted brands are used to mask threats and socially engineer an attack chain that lures users into the initial steps that ultimately lead to fraud or credential theft.
NCSC says that “advertisers, publishers and advert networks should collaborate to share threat intelligence. By pooling information about emerging threats, it is possible to respond faster to new attacks and proactively prevent an attack that is detected on one platform also appearing on others.”
This is all about the real-time nature of the web, and just as with the manipulated Bing search results, attacks can be difficult to trap because they’re here and then gone in an instant. It’s the core workings of the system itself being manipulated.
For any organizations designing campaigns and buying ads, the cybersecurity agency urges that ad intermediaries are able to demonstrate the following five steps to make the task harder for threat actors:
- how they handle malvertising detection and removal services
- the vendor they use, if any, to detect and remove malvertising, and whether this includes ‘cloaking’, where the harmful nature or destination of an advert is hidden
- the scope of their assets where scanning, detection and removal are in place
- how they monitor for any changes during the lifecycle of an ad campaign
- how an attack, if one happens, is escalated and investigated