This article follows on from our previous blog article, ‘What is Malvertising?’, where we discussed the different types of malvertising that are used by cyber-criminals.
Paid Ads using Google AdWords
Back in May 2015, Trend Micro threat analysts found that cyber criminals were using paid ads to attack customers of a popular Cloud Service Provider.
At that time, if users did a Google Search for “Amazon console” or “Amazon Web Services”, they were presented with a paid ad at the top of the search results. Clicking on the link, redirected users from the displayed link (aws.amazon.com) to an AWS phishing website, which attempted to collect the login details for existing AWS customers.
Figure 1 – Search results for Amazon Google Search
The phishing website was cleverly put together. The URL started with “aws.amazon.com” to imitate the original Amazon Web Services (AWS) web page. The sub-domain was “linkclick”, and “amazon” was greyed out in the address bar. If users were not paying attention, they would have seen Amazon at the top of the page and think they were on the legitimate site.
Another difference was the Baidu icon, found at the bottom page, which was added by the hacker to provide reports on visitors to the site.
Figure 2 – AWS Phishing site
The Trend Micro analysts reported that the login form had been modified, so that any data entered into the fields was sent directly to the cyber criminals, instead of Amazon.
How online advertising works
Google launched their AdWords product in October 2000 allowing businesses to pay for the top spot on Google Searches. They use an automated bidding system, provided by Ad Networks, like Double-Click, and the big issue is that neither these companies, nor Google, monitor the Ads that are being displayed.
Cyber criminals have learnt how Google AdWords works, and when someone searches for ABC Bank, for example, they want it to take that person to their phishing page, and they are willing to pay top dollar for it.
All the hacker has to do is create an account with the provider (e.g. Google AdWords), and then specify the particular regions and keywords they want to advertise under. This is known as Search Engine Optimisation (SEO). They then write their ads and set a budget for their keywords, and the provider will keep the ad published for as long as it is within their budget. The hackers use the ad space and to upload their malicious ad and typically use stolen credit cards to pay for it.
Malvertising-attacks are extremely hard to detect, as they are set up for a certain search word, making the possibilities extensive. If you search for “ABC Bank”, you might go to the normal page, but if you type in “ABC Bank Login Page”, you might go to phishing page. Search results are also location-dependent, so every country returns a different page of results.
It is not currently possible to stop this method of Malvertising occurring as the process of setting up these search engine keywords is automated. FraudWatch International can however, respond to the attacks to have the phishing content shut down as soon as possible thus mitigating the threat.
The abuse of AdWords puts both the Google searchers and the advertisers themselves in jeopardy. Customers of Amazon’s web services are at risk of having their Cloud credentials stolen if they accidentally login to their AWS account using a phishing page. It might also affect the Amazon brand, if customers don’t feel secure when using their products and services.
Stay tuned in the coming weeks for information on another type of malvertising, known as “Drive-by Downloads”.