When AdWords Attack: Another Method of Phishing


Cybercriminals are taking advantage of the effectiveness of Google AdWords and are using the ads for phishing schemes. As recently as two years ago, more than a third of Google users didn’t realize that Google AdWords are ads. Maybe that explains how a 2014 survey by the UK consultancy firm Bunnyfoot found that 81 percent of Internet users clicked on Google AdWords rather than the organic search results just below.

The sheer number of people clicking on ads every minute of every day has made them an attractive target for a variety of AdWords-related attacks. These attacks are just another example of criminals obtaining sensitive information through phishing, and more specifically, spear phishing. While the individual payoffs may be relatively small, the real reward is in the data these attackers glean. In these instances of malvertising, users who inadvertently click on a fake ad (Figure 1) may find themselves redirected to a fraudulent site, where they unwittingly enter their credit card number and personal information. This information can be used for card-not-present fraud, but more profitably, can be used to launch targeted spear phishing attacks down the road.

Figure 1: AdWords phishing schemes

Part of the attraction (and the problem) with AdWords fraud lies in the relative ease of use from the attacker’s perspective. With just the most basic of information, attackers can buy AdWords in Google (Google doesn’t require any proof that you are the owner of the brand), create an ad, and redirect users to a fraudulent site. In many cases, the fraudulent URL is similar to the real one, making it virtually impossible for users to see that they are about to be scammed, assuming they even know where to look.

And it’s not only Google AdWords that are susceptible. The same can be said for Bing, AOL and Yahoo. In fact, attackers prefer Bing because they can mask their fraudulent URL, meaning users never even know they’ve clicked on a fake ad.

End users aren’t the only ones harmed by these attacks. Enterprises can suffer from damaged reputations when attacks masquerade as their brand, and their employees can just as easily fall prey to these attacks, opening the door to fraud and more serious network attacks. A recent study of ours found that phishing attacks have become the smash-and-grab street crime of the Internet, with phishing costing businesses more than $2 billion a year in lost revenue. Aside from the lost revenue, organizations that fall victim to attacks leveraging their brand may never regain their customers’ trust (see Figures 2 & 3 below).

Figure 2: AdWords phishing schemes

Figure 3: AdWords phishing schemes

It is crucial that organizations ensure their brand is being monitored across all popular phishing channels, allowing them to rapidly take down attacks and fake sites, which is where these criminals gather the data. So what’s an enterprise to do? By leveraging services that identify and monitor malicious cousin domains on thousands of social media and user-content oriented websites and app stores, brands can catch any phishing activity and shut it down before any damage can be done. At Easy Solutions, we help our customers reduce their average takedown time to 3.6 hours (compared to the industry average of more than 30 hours), stopping attackers in their tracks before customers are impacted.
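The cousin-domain check that this kind of monitoring depends on can be sketched as follows. This is an added example, not Easy Solutions' or DMS code; the brand `examplebank`, its domain, the homoglyph table, the distance threshold of 2 and the sample ad URLs are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed brand and domain, for illustration only (not from the article).
BRAND = "examplebank"
LEGIT_DOMAIN = "examplebank.com"
# Digit-for-letter swaps folded back to letters before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed with one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'legit', 'cousin' or 'unrelated' for an ad's landing URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legit"
    # Check every label except the TLD, so the brand placed in a subdomain is caught.
    for label in host.split(".")[:-1]:
        folded = label.translate(HOMOGLYPHS)
        if BRAND in folded.replace("-", ""):
            return "cousin"  # brand embedded, e.g. brand-secure.net
        for part in folded.split("-"):
            if abs(len(part) - len(BRAND)) <= 2 and edit_distance(part, BRAND) <= 2:
                return "cousin"  # typo or transposition of the brand
    return "unrelated"

# Constructed sample of ad destination URLs.
SAMPLE_AD_URLS = [
    "https://www.examplebank.com/login",
    "https://examp1ebank.com/login",
    "https://examplebank-secure.net/",
    "https://exampelbank.com/",
    "https://login.examplebank.com.verify-session.info/",
    "https://www.othershop.org/",
]

def scan(urls):
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_AD_URLS).items():
        print(f"{verdict:9}  {url}")
```

The check does not use a public-suffix list or decode internationalized (punycode) hostnames, so a production monitor would need both before relying on its verdicts.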

With Detect Monitoring Service (DMS) by Easy Solutions, enterprises receive brand protection through fraud threat intelligence: anti-phishing, pharming and malware protection all in one service. No single line of defense will work against electronic fraud, be it AdWords attacks or card-not-present fraud and everything in between. But with Total Fraud Protection, Easy Solutions’ portfolio of multi-layered fraud prevention solutions, financial institutions can rest assured knowing that any phishing attacks either perpetrated against them or leveraging their brand will be over before they’ve begun.
