Hackers are increasingly using online ads for malicious purposes. Often, it’s happening through routine Google searches.

These schemes are dubbed malvertising, and cyber criminals are striking more often and with increased sophistication. In fall 2023, cybersecurity software firm Malwarebytes tracked a 42% increase month-over-month in malvertising incidents in the U.S. All types of brands are being targeted, whether it’s for phishing purposes or for actual malware, said Jérôme Segura, senior director of research at Malwarebytes. “What I’m seeing is just the tip of the iceberg,” he said.

Many of these rogue ads appear as sponsored content during a search engine query on a desktop or mobile device. But malicious code can also be hidden in ads that appear on mainstream websites consumers routinely visit. Some of these ads will only ensnare consumers who click on them, but in some cases, people can be vulnerable in a more passive way — sometimes just by visiting an infected site, said Erich Kron, security awareness advocate for KnowBe4, a security awareness and training company. 

Corporate employees can also be targets of malvertising, Segura said. He cited a few actual examples that were recently uncovered involving big companies. Lowe’s staff members were targeted via a Google ad for an employee portal claiming to be associated with the retailer. Clicking on the link, “myloveslife.net,” which contains a misspelling of the company’s name, took users to a phishing page with Lowe’s logo. This had the potential to confuse employees since many don’t know offhand the URL for their internal website. “You see the brand, even the official logo of that brand, and for you it’s enough to think it’s real,” Segura said.

Segura also cited an ad meant to impersonate Salesforce-owned communication tool Slack. Initially, by clicking on the ad, he was redirected to a price page on Slack’s official website. But suspecting bad actors were at play, Segura dug deeper and uncovered an impersonation ploy, which involved trying to convince unsuspecting users to download something purporting to be the Slack app.

It’s not Google’s fault, but don’t trust it

Malvertising is not new, but cybercriminals are getting smarter and the ads are often so realistic that it’s easy to be duped. The problem is exacerbated by the fact that so many people use and trust Google as a search engine, where many of the malicious ads can be found. It’s not a problem with Google, per se; malicious ads can also show up in queries using other search engines like Microsoft’s Bing. It’s just that Google is such a widely used search engine and people trust it and let their guard down. “You see something appearing on a Google search, you kind of assume it is something valid,” said Stuart Madnick, professor of information technology at MIT Sloan School of Management. 

Consumers can also fall prey to malicious ads on trusted websites they visit regularly.  Many of these ads are legitimate, but some bad ones can slip through the cracks. “It’s like the post office. Does the mailman check every letter you get to make sure it’s really from Publishers Clearing House?” Madnick said.

Be very careful about where and when you click

Consumers can take steps to protect themselves against malvertising attempts. For instance, they should avoid clicking on sponsored links that come up during an internet search. Often, the first ad below the sponsored one will be the product they are looking for, and since it isn’t sponsored, there’s less chance of being sidelined by malicious code or a phishing attempt.

If you do click on a sponsored link, check the URL at the top of the web page to make sure it’s really where you meant to be before taking any other actions. For example, if you’re trying to visit Gap.com, make sure you’re not really on Gaps.com. Consumers who find themselves on a suspicious site should close the window immediately, said Avinash Collis, assistant professor at Carnegie Mellon University’s Heinz College. In most cases, this will avoid further trouble, he said.

Consumers also need to be careful about clicking ads they see on trusted websites, Kron said. They may, for instance, see ads for products that are much lower in cost than elsewhere. But Kron recommends not clicking and instead visiting the trusted website of the product seller. Most of the time, consumers will be able to search on the provider’s site if a special deal exists, or the deal will be highlighted on the main page of the trusted website, he said.

Also avoid calling a telephone number listed in a sponsored ad because it could be a fake telephone number. If you call it, cyber thieves could gain access to your computer or your personal information, depending on the scheme, said Chris Pierson, CEO of BlackCloak, a cybersecurity and privacy platform that provides digital executive protection for corporate executives.

Consumers should make sure they are calling a number from official product documentation they have in their possession, Pierson said. Alternatively, consumers could visit the company’s home page for this information. “Doing a [web] search could return results that are not sponsored by the company and telephone numbers that are associated with cybercriminals. All it takes to get an ad out there is money and, of course, cybercriminals that are stealing money, have the ability to pay for that bait,” Pierson said. 

Avoid ‘drive-by-downloads’

Consumers should also make sure the operating system and internet browsers are up-to-date on their computer and mobile phone. 

So-called drive-by-downloads, which can impact people who merely visit a website infected with malicious codes, generally rely on a vulnerability in the user’s browser. This is not as much of a threat for people who keep their browsers and browser extensions up-to-date, Kron said. 

Consumers could also consider installing anti-malware software on their computer and phone. Another option is to avoid ads by installing an ad blocker extension such as uBlock Origin, a free and open-source browser extension for content filtering, including ad blocking. Some consumers may also opt to install a privacy browser such as Aloha, Brave, DuckDuckGo or Ghostery on their personal devices. Many privacy browsers have embedded ad blockers; consumers may still see sponsored ads, but they will see fewer of them, which minimizes the chances of malvertising. 

Consumers who come across suspicious ads should report them to the applicable search engine for investigation and removal if deemed malicious, Collis said. This can help protect other people from being ensnared. 

Proper safety precautions are especially important since there are millions of ads on the internet and cyber thieves are relentless. “You should assume that this could happen to you no matter how careful you are,” Madnick said.