January 19, 2023
How Brands Can Protect Customers Against Malvertising

This article is co-written by Steven Ustel and Jay Sumanadasa

Whilst many of us are used to receiving scam calls, emails or SMS, we’re less savvy when it comes to identifying malicious advertising. However, online ads have become a popular weapon in the arsenal of cyber criminals looking to lure users to cloned websites impersonating well-known brands. Malvertising delivers malware to unsuspecting users looking for apps on search engines, giving cyber criminals the opportunity to install remote access tools to target bank accounts and cryptocurrency wallets.


What does malvertising look like?

Disguised ads are designed to replicate official brand ads and redirect users to websites featuring the targeted brand in the domain name. Google Ads appear at the top of the search engine results page, often above a brand's official website. This increases the likelihood of potential users clicking the rogue ad rather than the official brand website. The brand terms within the domain name provide a false sense of security to the user, who unwittingly gives criminals access to financial and personal data.

The U.S. Federal Bureau of Investigation (FBI) warns “cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information”. The UK National Crime Security Centre (NCSC) has also launched a dedicated takedown service together with an initiative to work with tech start-ups to develop ways to identify bad ads, block them and track the attackers.


How is it done?

The malicious websites rely on familiar abusive domain name practices of brandjacking, typosquatting, and combosquatting to perpetrate the deception. A recent example incorporating all three tactics was tlktok-apk[.]link, with the related website impersonating the download portal for the TikTok app.
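
For a team running its own domain watch, the three tactics can be checked mechanically. The sketch below is an added example, not code from the article: the working definitions of each tactic, the `OFFICIAL` allowlist and the function names are assumptions, and every sample domain other than the article's tlktok-apk[.]link is constructed.

```python
import re

BRANDS = ["tiktok"]        # brand terms to watch (from the article's example)
OFFICIAL = {"tiktok.com"}  # assumed allowlist of the brand's own domains

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> set:
    """Return the tactics (assumed working definitions) a domain shows."""
    domain = domain.lower().replace("[.]", ".").strip(".")  # accept defanged input
    if any(domain == o or domain.endswith("." + o) for o in OFFICIAL):
        return set()
    # Simplification: every label except the last is searched; no public-suffix list.
    tokens = [t for label in domain.split(".")[:-1]
              for t in re.split(r"[-_]+", label) if t]
    tags = set()
    for brand in BRANDS:
        for tok in tokens:
            exact = tok == brand
            typo = edit_distance(tok, brand) == 1       # one-character lookalike
            embedded = brand in tok and not (exact or typo)
            if not (exact or typo or embedded):
                continue
            tags.add("brandjacking")                    # brand used off the allowlist
            if typo:
                tags.add("typosquatting")
            if embedded or len(tokens) > 1:             # brand plus extra words
                tags.add("combosquatting")
    return tags

if __name__ == "__main__":
    # First entry is the article's example; the rest are constructed samples.
    for d in ["tlktok-apk[.]link", "tiktok.example", "tiktokdownload.example",
              "www.tiktok.com", "unrelated.example"]:
        print(f"{d:28} {sorted(classify(d)) or 'no match'}")
```

Feeding it newly registered domains or the landing-page hosts of ads bought on the brand's keywords yields a shortlist for the watch and complaint steps; a distance of one will produce false positives for short brand names.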


What can brands do?

  1. Create a policy to govern domain name portfolio management
  2. Audit portfolio against the policy: make a list of domains to acquire and those to let expire
  3. Use an online watch service covering domain names and search engine ads
  4. Utilise domain name complaint processes to suspend or recover infringing domain names
  5. Stay informed on new gTLD releases to keep the policy up to date


