Scammers Are Bypassing Google Ad Checks

  • Posted by: Evans Asare
Scammers are bypassing Google ad checks to impersonate real brands.

Google seems to have a problem with brand impersonation. For example, users have found that some ads at the top of the search results appear to be the real Facebook but lead to scams. Malicious actors have found a way to trick Google’s bots.

You open Chrome, type Facebook, and the Google search page opens. You then click on the top result. Instead of the social network, you’re redirected to a malicious website saying that your computer is infected.

Justin Poliachik, a developer and creator on TikTok (@j_poli), shared his experience as he clicked on an ad that had an official Facebook URL and appeared to link to a standard Facebook login page. The sponsored post appears at the top of the search results.

“I ran into this interesting issue on Google the other day, where I got an ad that was a completely fraudulent phishing site,” he said. “So my first reaction was: How does Google ever allow this to happen? They should not allow ads to be posted that link to phishing sites. And it turns out it’s a little more nuanced than that.”

While anyone can pay for an ad to be at the top of the search results, Poli suspects that scammers have found a way to bypass security checks by looking out for and tricking Google’s trackers.

“If Google’s trackers visit your site, you redirect to Facebook, so Google thinks, Hey, it’s good, this is legit. But then, if any normal user comes, you can redirect them to the phishing site instead. And these ads usually don’t last long because they’re usually expensive, and people report them,” Poliachik guessed.

His results were repeated by security researchers at Malwarebytes Labs.

“Such malvertising attacks are not new, and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive home the point that this needs to be addressed just like other types of fraud or malware,” they said.

According to researchers, all malicious actors need is to be able to distinguish real humans from bots or crawlers to bypass Google’s security measures.

“Cloaking allows them to deliver two different experiences. Genuine humans can be detected from a number of factors: IP address, browser fingerprinting, etc. A click-tracking service can be used to analyze traffic, collect data, etc.,” Malwarebytes said. “They can also easily be abused by bad actors. Within the Google ad ecosystem, advertisers will place their URL as a tracking template, and the rest will be handled outside of Google.”

Scammers can chain redirects to “legitimate” domains they control and, from there, decide the final destination where the user lands.

For bots, it may be something legitimate, like the real Facebook. And for real users, a fraudulent website.

Poliachik thinks that Google needs to “use more AI and check the links more often.” However, researchers doubt that would help.

“We don’t believe AI is going to fix malvertising, at least not for the next little while,” Malwarebytes said.

Instead, according to them, Google could differentiate a legitimate affiliate by a number of data points about the advertiser, such as the user profile, payment method, budget, and, more importantly, the ad itself. Here, it could check things like the vanity URL, display text, tracking template, final URL, and what happens when you click on the ad.

“Are you actually redirected to the URL claimed in the ad? This is a feature that appears to be so easy to abuse and yet remains unfixed,” the researchers said.
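The check the researchers describe, comparing the domain an ad claims with where a click actually lands, can be sketched over recorded redirect chains. This is an added example, not code from the article or from Malwarebytes; the function names and the `.example` hosts are constructed for illustration, and it assumes the chains were recorded by visiting the ad once per visitor profile.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of a URL; accepts scheme-less display URLs."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def same_site(host, claimed):
    """True if host is the claimed domain or a subdomain of it (dot-boundary
    match, so 'facebook.com.evil.example' does not match 'facebook.com')."""
    return host == claimed or host.endswith("." + claimed)

def audit_ad(display_url, chains):
    """Compare the domain an ad claims with where each visitor profile lands.

    chains: {profile name: [URLs observed, in order, after clicking the ad]}
    Returns {'claimed', 'finals', 'mismatched', 'cloaked'}.
    """
    claimed = host_of(display_url)
    if claimed.startswith("www."):
        claimed = claimed[4:]
    finals = {p: host_of(hops[-1]) for p, hops in chains.items() if hops}
    mismatched = sorted(p for p, h in finals.items() if not same_site(h, claimed))
    # Cloaking signal: some profiles reach the claimed site while others do not.
    cloaked = len({same_site(h, claimed) for h in finals.values()}) > 1
    return {"claimed": claimed, "finals": finals,
            "mismatched": mismatched, "cloaked": cloaked}

# Constructed sample data: redirect chains recorded for one ad click, once with
# a crawler-like profile and once with an ordinary browser profile.
SAMPLE_CHAINS = {
    "crawler": ["https://click-tracker.example/r?id=1",
                "https://www.facebook.com/"],
    "browser": ["https://click-tracker.example/r?id=1",
                "https://hop.example/go",
                "https://support-alert.example/warning"],
}

if __name__ == "__main__":
    print(audit_ad("www.facebook.com", SAMPLE_CHAINS))
```

A `mismatched` entry means the ad does not deliver the site it displays; `cloaked` additionally means the destination depends on who is visiting, which is the behaviour the quotes above describe.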

Unfortunately, most users won’t take the time to check who the advertiser is, and they shouldn’t have to. Users should beware of sponsored results, block ads altogether, and learn to recognize scam pages, Malwarebytes recommends, together with using the Guard extension.
