Careful! Hackers now hiding malicious links in top Google search results

Cyberattackers are yet again proving their resourcefulness with this new attack method. When you search for your favourite website chances are you just open the first link that pops up, right? Well, emerging reports warn that cyberattackers are now taking advantage of the Google Ads program to make their malicious sites appear at the top of the search engine.

To make it worse, the attackers are targeting popular websites that people have no reason to distrust. Examples of websites that have been mimicked by hackers include Facebook, YouTube, Amazon, and Walmart.

When a user searches for one of the said websites, the result page contains adverts that seem to lead to the legitimate site but once you click on the link you get redirected to scam sites.

According to researchers at Malwarebytes, the scam sites, almost in all cases, redirect to a browser locker website where the user is lured through scam warnings to contact Microsoft support or fake virus alerts from Windows Defender.

On their own, these phishing methods are well known and many users have learnt to avoid them but in this case, it’s easy for users to fall for them because they assume it’s a technical issue with the legitimate site they were trying to access.

And, according to the researchers, the attackers are employing sophisticated redirect mechanisms that make it hard to pinpoint exactly where the advert will send potential victims through HTML analysis.

When a user clicks on the rogue ad, the page that opens up will either redirect to the legitimate site as a decoy or load a secondary script containing the malicious URL. This is then loaded within an inline frame, an HTML element that loads a page within another. As a result, the page is replaced with the scam element but the user will have no idea because they will not be redirected a second time.

Instead, the user will only see the interim of the .com ‘cloaking domain’. However, since it's part of the Google Ads program the scam site will have bold Ad letters before the link to identify the site as an ad. This leaves room for knowledgeable users to know that the site is not a direct link to the site they were trying to access.

Still, the fact that these malicious ads appear even before ads from top websites means that the attackers are not afraid to spend more money to make the scam successful.

To avoid detection by Google proprietary technology and malware detection tools, the threat actors have separated the flows of the cloak and browser locker and use a mixture of expensive and free domains.

According to researchers, the infrastructure of the malvertising also seems to have been hosted on both paid virtual private servers and free cloud providers.

Malwarebytes Labs reports that they have filed all the necessary documents to notify Google about the ads.