{"id":8637,"date":"2024-09-03T12:00:00","date_gmt":"2024-09-03T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8637"},"modified":"2026-06-14T19:41:15","modified_gmt":"2026-06-14T16:41:15","slug":"in-plain-sight-malicious-ads-hiding-in-search-results","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2024\/09\/03\/in-plain-sight-malicious-ads-hiding-in-search-results\/","title":{"rendered":"In plain sight: Malicious ads hiding in search results"},"content":{"rendered":"<p>One thing is true: Malware developers are deeply invested in improving their malware and exploring <a href=\"https:\/\/www.zdnet.com\/article\/this-old-malware-has-been-rebuilt-with-new-features-to-use-in-ransomware-attacks\/\">different ways<\/a> to compromise end users. Malware spreading through ads is <a href=\"https:\/\/isc.sans.edu\/diary\/Malvertising\/3727\">nothing new<\/a>; for a long time, cybercriminals have had their sights fixed on online advertising networks as a distribution vector. <\/p>\n<p>With just a click, a person\u2019s computer or even their entire network could become infested. And despite the continued use of ad blockers and sophisticated security software, malware spreading via ads is still a large problem \u2014 especially when the malicious ads pose as ads for legitimate sites.<\/p>\n<h2>How does malvertising in search engines work?<\/h2>\n<p>Following the <a href=\"https:\/\/www.makeuseof.com\/tag\/a-brief-history-of-search-and-how-google-came-out-on-top\/#the-search-engine-boom-1994\">boom of various search engines<\/a> throughout the 90s, and considering the ever-increasing encroachment of the online world on our physical daily lives, it is not surprising that ad firms would want to target such spaces.<\/p>\n<p>However, among these search advertisements, one could also find malicious ones. 
Malvertising campaigns typically involve threat actors <a href=\"https:\/\/www.cpomagazine.com\/cyber-security\/fbi-hackers-are-using-search-engine-ads-for-phishing-and-malware-distribution\/\">buying top ad space from search engines<\/a> to lure potential victims into clicking on their malicious ads; attackers have delivered ads imitating popular software such as Blender, Audacity, GIMP, and MSI Afterburner, to name a few.<\/p>\n<p>No SEO tricks necessary \u2013 crooks paying for search ads automatically bring their malicious page to the top of people\u2019s search results. <\/p>\n<blockquote>\n<p>Related: <a href=\"https:\/\/www.welivesecurity.com\/2021\/08\/11\/iiserpent-malware-driven-seo-fraud-service\/\">IISerpent: Malware-driven SEO fraud as a service<\/a><\/p>\n<\/blockquote>\n<p>Such was the case with a Bing ad posing as a VPN service \u2013 the ad\u2019s URL looked quite a bit like the legitimate one, with the linked website being a close facsimile of the real one. What\u2019s more, the downloadable solution (detected by ESET as MSIL\/Agent.CKL) hid a malicious payload: <a href=\"https:\/\/www.threatdown.com\/blog\/bing-ad-for-nordvpn-leads-to-sectoprat\/\">SecTopRAT<\/a>, a remote access trojan that enables attackers to take control of browser sessions and exfiltrate data. 
<\/p>\n<p>A similar story appeared in 2024, in which a threat actor leveraged fake domains, masquerading as <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/malvertising-campaign-targeting-it-teams-madmxshell\">IP scanner software<\/a>, and abused search ads to boost the visibility of their malicious pages.<\/p>\n<p>Thus, internet users searching for particular products could encounter such cases, with only subtle clues available to discriminate between a legitimate and a malicious ad or page.<\/p>\n<h2>Whack-a-mole<\/h2>\n<p>In 2023, Google blocked or <a href=\"https:\/\/blog.google\/products\/ads-commerce\/google-ads-safety-report-2023\/\">removed more than 1 billion ads<\/a> that had been abusing its ad network, including ads promoting malware. <\/p>\n<p>Other online advertisers are also victims. Due to the nature of the advertising business, bad actors can manipulate an entire advertising chain, compromising it in several possible ways \u2013 from buying ads and <a href=\"https:\/\/cybernews.com\/security\/google-being-impersonated-on-google-ads\/\">impersonating search engine providers<\/a> to hacking websites and <a href=\"https:\/\/www.zdnet.com\/article\/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads\/\">ad servers<\/a>.<\/p>\n<p>While search engine providers continually remove malicious ads or websites from search results, hackers are persistent and keep on finding new ways to counter content filtering, creating a game of whack-a-mole between search providers and criminals. As a result, you can never be 100% certain whether what you click on is a malicious link.<\/p>\n<blockquote>\n<h3>Other forms of malvertising<\/h3>\n<p>Malicious search ads represent just one form of ad abuse by threat actors. 
Other types include the distribution of malicious banner ads, some even hiding bad code by <a href=\"https:\/\/www.welivesecurity.com\/2016\/12\/06\/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads\/\">using steganography<\/a>, on legitimate websites. Malicious ads can also be encountered via in-text hyperlinks, <a href=\"https:\/\/www.comparitech.com\/antivirus\/how-to-avoid-pop-up-viruses\/\">popups<\/a>, and more.<\/p>\n<\/blockquote>\n<h2>How to protect against malvertising<\/h2>\n<p>Thankfully, there are steps you can take to protect against cyber threats, and the same is true for malvertising. Here are a few:<\/p>\n<ul>\n<li>Cultivating <strong>awareness is the first step<\/strong> toward a cybersecure life. Just the fact that you have read this blog post is one preventive measure against falling prey to malvertising.<\/li>\n<li><strong>Limit <a href=\"https:\/\/www.welivesecurity.com\/en\/privacy\/fingerprints-all-over-can-browser-fingerprinting-increase-website-security\/\">browser fingerprinting<\/a><\/strong>, and not just because of privacy. It removes a potential way for malicious sites and actors to identify your device.<\/li>\n<li><strong>Use a reputable ad blocker<\/strong>; it\u2019s one way to stop these ads from reaching you, and while it\u2019s not 100% effective, in combination with our other tips, it should work well.<\/li>\n<li><strong>Be wary<\/strong> of <a href=\"https:\/\/www.eset.com\/blog\/consumer\/getting-rid-of-unwanted-browser-notifications\/\">various popups<\/a>, permission requests, and other unwanted browser behavior.<\/li>\n<li><strong>Keep your devices and software up to date<\/strong>. 
Some vulnerabilities can be easily exploited, facilitating the work of hackers.<\/li>\n<li>Use a <strong>strong security solution<\/strong> with <a href=\"https:\/\/www.eset.com\/int\/home\/protection-plans\/\">real-time protection<\/a>.<\/li>\n<\/ul>\n<p>Of course, many more steps could be taken, but these should be enough to cover at least the basics of malvertising prevention. <\/p>\n<p>In conclusion, search engine malvertising is just another avenue for cybercriminals to proliferate threats. Moreover, it underscores how creative malware distribution can be, and showcases the need for enhanced security and threat awareness. Stay vigilant and pay attention, as even the most appealing offer can sometimes hide unexpected dangers.<\/p>\n<blockquote>\n<p>Before you go: <a href=\"https:\/\/www.welivesecurity.com\/2018\/02\/23\/six-tips-avoid-targeted-marketing\/\">Six tips to help you avoid targeted marketing<\/a><\/p>\n<\/blockquote>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/malware\/in-plain-sight-malicious-ads-hiding-in-search-results\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sometimes there\u2019s more than just an enticing product offer hiding behind an 
ad<\/p>\n","protected":false},"author":5,"featured_media":8640,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[147],"tags":[],"class_list":["post-8637","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybercrime"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8637","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8637"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8637\/revisions"}],"predecessor-version":[{"id":9293,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8637\/revisions\/9293"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8640"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8637"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8637"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8637"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}