Google sponsored ads lead to rogue imitation sites

There’s a big push in rogue advert land at the moment, with multiple forms of bogus websites being used as bait to rob people of their logins and funds.

This story first came to light a few days ago, with news of a well-known cryptocurrency fan, “NFT God”, being caught out by a bogus video recording tool.

NFT God lost pretty much all of his digitally accrued wealth after the malicious executable grabbed his logins and switched out his digital wallet details. He arrived at this fake video editing tool thanks to a rogue sponsored ad sitting at the top of his Google search results.

Once the file was installed, it set about sending all pertinent login details back to base and the damage was done. The fallout continued as various logins were compromised and phishing attempts were sent to his 16,000 or so Substack followers.

Rogue ads: following a trend

Following up on this prominent tale of hijacking in cryptocurrency circles, Bleeping Computer did some investigation of its own and found a lot more bad ads vying for attention in Google. It’s not just imitation OBS files you have to watch out for. USB booting tools, PC maintenance tools, multiple unnamed programs, and a malicious Notepad++ found by security researcher Will Dormann are just a few of the highlights on display. In fact, several other researchers found their own bad ad equivalents too, one of whom put together a list of no fewer than 70 rogue advert domains.

The sites being used for these scams are typically typosquats. This is where URLs which are similar, but not identical, to the real thing are used as the launchpad for the malicious downloads. These sites tend to copy pieces of the real site, if not the entire thing, to look as convincing as possible. A related tactic is to make most of the clickable URLs on the fake portal point to the real site, with the sole exception being the bogus download. Whatever it takes to appear as convincing as possible.
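To make both tactics concrete from the defender's side, here is an added example (not code from the article or from Malwarebytes) that flags ad landing domains sitting within a small edit distance of a brand list once common look-alike substitutions are collapsed, and flags a page whose links mostly point at one domain while its download link points elsewhere. The brand domains, the sample URLs and the "last two host labels" domain heuristic are assumptions constructed for illustration.

```python
"""Spot typosquat look-alikes among sponsored-ad landing domains (added example,
not code from the article or from Malwarebytes). Brand list and sample URLs are
constructed; 'last two host labels' is a heuristic that ignores suffixes like co.uk."""
from urllib.parse import urlsplit

BRAND_DOMAINS = ["obsproject.com", "notepad-plus-plus.org"]  # constructed list
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "-": ""}  # common swaps

def registrable(url: str) -> str:
    """Last two host labels, lower-cased (heuristic registrable domain)."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return ".".join(host.strip(".").split(".")[-2:])

def normalize(label: str) -> str:
    """Collapse look-alike substitutions so 'n0tepad-plus' compares as 'notepadplus'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str):
    """Return ('legit' | 'lookalike' | 'unrelated', matched brand or None)."""
    dom = registrable(url)
    if dom in BRAND_DOMAINS:
        return "legit", dom
    sld = normalize(dom.split(".")[0])
    for brand in BRAND_DOMAINS:
        bsld = normalize(brand.split(".")[0])
        budget = min(2, len(bsld) // 4)  # short brand names tolerate fewer edits
        # Near-identical second-level label, or brand name embedded with extra words.
        if levenshtein(sld, bsld) <= budget or (bsld in sld and sld != bsld):
            return "lookalike", brand
    return "unrelated", None

def odd_download_link(hrefs, download_href: str) -> bool:
    """True when most page links share one domain but the download link does not."""
    doms = [registrable(h) for h in hrefs]
    if not doms:
        return False
    majority = max(set(doms), key=doms.count)
    return doms.count(majority) * 2 > len(doms) and registrable(download_href) != majority
```

Feed `classify` the landing domains of sponsored ads you see for a brand, and `odd_download_link` the hrefs scraped from a suspicious landing page, to triage candidates before reporting them.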

When the fake sites are out, but not down

Google told Bleeping Computer that the sites in question have since been removed from its ad program. This doesn’t necessarily mean that the sites have been taken offline, and they may well still be out there waiting to strike somewhere else. They could easily be sitting in regular results in another search engine, or be placed into a non-Google related search engine ad program.

This also doesn’t mean all rogue sites have been removed from the search results listings, and caution should always be exercised where ads are concerned.

How do you avoid bad ads?

It wasn’t so long ago that the FBI warned of rogue adverts popping up in search engine results. That warning also included a reference to blocking ads, which some folks may not have expected to see in an FBI release.

The advice for steering clear of rogue adverts likely includes some best practices you’re already aware of and make use of. In an ideal world we wouldn’t have to worry about such things, but despite whatever quality control and ad inventory checking is in place at major search engines this keeps happening anyway. With this in mind:

  • You probably have the URL you need. It’s unusual to have no idea of the genuine URL for a major brand, service, product, and so on. Your first interaction with said entity will almost certainly have their genuine URL printed on a banner, box, instruction manual, or anything else you care to mention. Navigate directly to the site in this instance, because you don’t need to go digging around in search engines.
  • Careful searching. If you do need to go looking, cross reference the URLs you see in search engines with a search of your own. If it’s legitimate, you should see a large number of people and businesses referencing it.
  • Report bad ads. If a sponsored ad is up to no good, there should be a way to report from the search engine in which you found it. You’re doing your part to help the next person who comes along stay safe!
  • The thorny blocking issue. If you choose to block ads, be aware that the way you block may break functionality of the site you’re on. Some sites will insist you turn off your ad blocker. Others may simply not work anymore if you use script blocking or turn off JavaScript. It’s not so much a case of “job done”, as it is “job just getting started”.



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.