It’s called “malvertising,” and if you’re not vigilant at spotting it, you could get burned.
Washington Post reader Jack Wells wrote to me recently after a fright. “I am afraid I may have been hacked this morning, and I wonder if you could offer any advice on how to deal with it,” he wrote.
Here’s what happened: Wells had gone to DuckDuckGo, the privacy-focused search engine I also use, and typed “Citibank login” in the hopes of visiting the banking portal. The first item appeared to be an ad for the Citibank log-in page, so he clicked on it.
Strangely, Wells got taken to a blank screen. So he hit the back button and discovered he was on a page whose actual address ended in “.ru” (for Russia) and was most definitely not Citibank.
It appears Wells had fallen for a scam search ad used to trick people into inadvertently handing over their passwords or downloading malware. When I asked DuckDuckGo about his experience, spokeswoman Allison Goodman said the company wasn’t able to re-create it, but it suspects he may have clicked on an ad link that now had been removed.
“We’ve seen this happen very rarely; scammers evolve their tactics and spin up and take down sites regularly to avoid getting onto blacklists,” she said. The ads on DuckDuckGo are run by Microsoft, which also places them on its own Bing search engine.
“We take misleading or fraudulent ads very seriously,” emailed Microsoft spokeswoman Caitlin Roulston. “Microsoft bans such content, including what can be reasonably perceived as being deceptive, fraudulent, or harmful to site visitors.”
Now the really bad news: Scam search ads are not just a problem on DuckDuckGo and Bing. They’re also a problem on Google, the world’s most-used search engine. There are ads for fake banks, fake sites for the IRS and other government agencies, as well as fake crypto wallets, just to name a few.
In August, Sen. Richard Blumenthal (D-Conn.) wrote in a letter to Google chief executive Sundar Pichai that the search giant has demonstrated a “troubling record of inadequate due diligence against fraud and abuse” in ads. His letter cited a 2021 investigation by my colleague Jeremy Merrill finding that advertisers impersonated government websites. Google said it had taken down these kinds of forbidden ads, but then the senator’s office checked and found similar ads were still popping up — suggesting that Google’s countermeasures weren’t very effective. (Merrill found similar problems with DuckDuckGo’s Microsoft ads.)
In July, researchers at Malwarebytes reported how unsuspecting Google users searching popular keywords — including “youtube” — could click an ad and have their browser hijacked with fake warnings urging them to call fake Microsoft agents for support. And in 2021, Check Point Research identified a Google-ad phishing campaign that had resulted in at least half a million dollars worth of cryptocurrency being stolen.
How does this even happen? The core issue is that many search ads are sold through self-service systems, where advertisers don’t necessarily need to be authorized or have their links checked by humans. The bad guys sometimes try to create thousands of accounts simultaneously, in the hopes that a few get through.
The companies claim they are on top of the problem.
“When we become aware of these instances, we take action to remove them as soon as possible,” Microsoft spokeswoman Roulston said. “We then apply the feedback into our detection mechanisms to improve our ability to detect and remove similar ads in the future.”
“We are always working to stay ahead of bad actors, some of whom employ sophisticated measures to conceal their identities and evade our policies,” Google spokesman Davis Thompson said in an email. “People deserve to feel safe on our platforms and we’ll continue to enhance our enforcement practices to combat abuse and fraud.”
Like what? Thompson said in recent years Google has launched new certification policies, ramped up advertiser verification, and increased the company’s capacity to detect and prevent coordinated scams. But he wouldn’t say what percent of the company’s advertisers are now verified.
We also still don’t know how big the problem is. In 2021, Google says it blocked or removed 38.1 million ads for “misrepresentation” and 58.9 million ads for violating its financial services policies, both before and after they ran. Microsoft would not say how many scam ads it removes.
So what can you do about scam ads?
It starts with awareness. Many of these attacks are trying to exploit a very common online behavior: looking up a website by name instead of entering its full URL in the address bar. So get in the habit of typing it all out yourself into your browser — instead of typing “citibank login,” type out citi.com in its entirety.
Another suggestion: Save browser bookmarks for the sites you use most often.
I am personally in the habit of not clicking search ads. If you look further down the page below the ads, you will find the real search results which have been selected and ordered for their popularity and actual usefulness. And if you install an ad blocker in your browser, you won’t see any ads at all — good or bad.
What should you do if you think you have clicked on one of these bad ads? For Wells, I recommended a two-step plan that is similar to what I would advise anyone who thinks they might have been hacked.
First, I suggested he scan his computer for viruses and malware. That is important whether you’re using Windows or a Mac. I use Malwarebytes, which is available as a free download (or, if you subscribe to it, as a permanent shield). It will find and quarantine bad software you may have downloaded.
Second, I suggested he change his bank password. Bad guys phishing for log-in information is probably the No. 1 risk for most people online. The security mistake many people make is reusing passwords on different sites, apps and services. That’s a problem because if the bad guys get one of your passwords, they will try using it to access your accounts, data and maybe even money elsewhere.
The only practical solution is to use a different password everywhere and to keep track of them in a program known as a password manager. The good ones are generally safe to use and not as annoying as you might think.
After we had gotten him sorted, Wells told me the experience would change his online behavior. “I hadn’t really expected scams to show up on online searches, but now that I know they can, I will be on the lookout for them,” he said.
