Rogue ads phishing for cryptocurrency: Are you secure?

Bad ads are at it again. Rogue Google ads caused no end of misery for cryptocurrency enthusiasts, costing them roughly $4.31 million between the 12th and the 21st of April. This is an astonishing slice of cryptocurrency cash to lose for the sake of clicking on something in a search engine.

The bogus links were at the top of results for Terra blockchain projects. Searches for projects like Astroport or Anchor resulted in the below search results:

The design of the phish page is quite similar to many that we’ve seen. They’re quite basic, and include little beyond a set of “connect your wallet” buttons. However, as you can see in the below tweet, they’re after people’s seed phrase:

We’ve talked about seed/recovery phishing several times. Seed phrases are your keys to the kingdom, and giving them to a phisher could have serious consequences. It’s no wonder these phishers made off with so much money.

The problem with bad ads

Rogue adverts have been around pretty much for as long as paid adverts have existed. They’ve been the stomping ground of exploit kits, ransomware, fake tech support scams, and much more for years.

One of the main ways to hurt yourself in a search engine used to be SEO poisoning. That didn’t involve ads, but rather involved the search results themselves being bad. If a site got compromised and the content altered, innocent looking results could end up whisking you away to spam or malware. Alongside SEO poisoning, which search engines really tried to clamp down on, bogus ads started making major inroads.

Big numbers, big rewards

Ad fraud costs billions each year. Any network could potentially allow a bad actor onboard, and that’s before you consider that there are rogue ad networks who simply don’t care what’s being pushed to end-users. Slow, cumbersome static ads were replaced by real time bidding, and techniques to push bad content became ever more inventive.

On top of that, you have the usual tricks like fingerprinting and checking browser user-agent strings to ensure your bad content reaches specific people. For example, only allowing certain mobile users to land on your mobile-centric scam page. Or how about stopping users at a gateway to see if they run exploitable types of software before letting them progress to the exploit page?

The SEO poisoning tactics all look a bit antiquated next to the “paid-for ad might lose you a fortune” merry-go-round.

The big problem with paid ads in search engines is one of assumed legitimacy. The fact that they usually appear at the top of the page originally led to complaints that they were being mixed up with “proper” results. This brought about many changes to make it clearer that paid ads were just that.

Sadly, people still struggle with telling paid ads from organic results. Close to 60% in one survey didn’t know the difference. This is despite changes from search engine providers for both desktop and mobile platforms.

Does the word “Ad” next to the result in Google really leap out enough to be noticeable? Or when “Ad” appears in Yahoo! or the additional “Ads related to…” under the main ads? How about Bing’s very tiny “Ad” next to the results?

I vaguely recall a search engine placing paid results in a prominent box a few years back, but I suppose I could just be mixing it up with a screenshot of someone highlighting a rogue advert instead.

Avoiding bad ads

There are multiple ways to avoid bad ads, but some of them come at a cost to either yourself or the sites serving the ads. It’s one of those very personal choices for which there’s no single fit. I’m not going to suggest you do any of these; I’m merely going to give you examples of what people do and leave the decision in your hands.

  1. Some folks have simply had enough of adverts. They’ll install ad-blockers, hit the “disallow all” button, and that’s that. However, one drawback is that sites you like may not work. You’ve definitely seen a “please unblock our ads to continue” message at this point. Some sites take a hard line on this, and it’s a case of unblock or go elsewhere. Others will allow you to choose whether to view the site with the ads still blocked, or add them to your “safe site” list. Sometimes this goodwill gesture is enough to have the visitor unblock the ads. If it doesn’t and someone becomes a repeat visitor anyway (with ads still blocked), then the site loses ad revenue.
  2. Others may go down the script blocker route. This may allow ads, but will potentially contribute to preventing forms of redirect and/or malicious script loading. Script blocking tools are a lot better than they used to be, with more customisation available than ever before. In the bad old days, it was mostly a case of “enable this and break hundreds of websites”. The trade-off here is that you may end up enabling something that renders the site usable, but also allows for bad things to happen.
  3. Security tools. This is one of the more hands-on ways to shut bad things down. Browser extensions, security tools with real-time protection, regular security scans, and keeping your system (and programs) up to date will all help keep exploits, phishing pages, and malware far away, even with all adverts enabled. Nothing is guaranteed, of course, and that’s why several layers of defence tailored to your specific requirements will do significant heavy lifting on your behalf.

Rogue ad attacks are sadly a fact of internet life, and targeting cryptocurrency enthusiasts means potentially massive payouts in comparison to some other forms of phishing. With no way to get your stolen coins back in most cases, it’s not something you can afford to ignore. Start shoring up those defences now, and have a long think about the level of advert exposure you’re comfortable with.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.