Uncloaking Fake Search Ads

Search engine ads are not always as they seem. Cybercriminals can take advantage of the ability to precisely target potential victims, tricking them into clicking malicious links prominently displayed before the intended legitimate destination.

This blog post takes a detailed look at the increasingly sophisticated usage of the technique known as cloaking, which is used to surreptitiously direct users to malicious URLs from search adverts displaying legitimate URLs of real companies.

How does cloaking work?

For legitimate adverts displayed in search engine results pages, when the link is clicked, it directs the user to the displayed website. These adverts are ostensibly verified by ad publishers such as Google or Bing. Bing’s platform is also used by Yahoo and AOL.

The most naive use of fake search adverts displays the fake destination to the victim. If clicked, this would direct the user to the website as displayed, albeit a malicious copy of the intended destination. This makes it easy for ad publishers to automatically discover and block adverts pointing to malicious URLs using threat intelligence feeds.

Fake ads created using cloaking are different in several ways:

  • When clicked, the user is sometimes taken to a different URL from the one shown in the search results.
  • The ad publisher will not necessarily know that the URL to which the fake ad directs the user is malicious, as the cloaker ensures that the publisher is directed to the displayed URL when checking the ad. The displayed URL does not contain malicious content.
  • Clicking on the same advert can direct different users to different final URLs.

It is easier for users to fall victim to this type of fake ad:

  • The fake ad will display a legitimate URL on the search engine results, alongside the legitimate page title, description and even Google reviews.
  • Since it displays a legitimate URL in the search result, it is impossible to tell that it could be potentially malicious until after a user has clicked on the link. Users might not check the address bar for the URL to which they have been redirected.

This technique is currently being used to target a variety of brands including Tesco, Airbnb, McDonald’s, and Argos, as shown below.

Screenshot: Search result for ‘Argos’ on Google, apparently displaying genuine details.

The advert displays:

  • the legitimate Argos URL (https://www.argos.co.uk)
  • convincing looking details (We Have All You Need to Work, etc)
  • a fake 4.5 star rating

Users who click on the link are directed either to the real Argos site (argos.co.uk), or the fake shop site shown below (agross[.]store).

Screenshot: Fake shop site (agross[.]store).

Cloaks and daggers

It is worth noting that cloaking itself is not a new technique, as this Facebook article from 2017 demonstrates. Cloaking is a known issue for ad publishers: Google explicitly bans ‘Using click trackers to redirect users to malicious sites’ in its ads policy.

One way cloaking can be implemented is by setting up a cross-domain redirect as described by Google’s own support page. This allows the criminal to set up a ‘click tracker’ that acts as a ‘cloaker’, which can then be used to redirect users to malicious sites. A criminal starts by setting up an ad for the legitimate website (for example, argos.co.uk) so that the legitimate URL is displayed in the search engine results. They then set up a click tracking service that uses cross-domain redirects to send the click on to the cloaker.

When the cloaker detects a real user, rather than a bot used by an ad publisher to verify the advert, it may redirect the user to a malicious site. This malicious redirect is not guaranteed to happen all the time, to reduce the chance of it being detected by any further manual checks performed by ad publishers. Cloakers may distinguish bots from humans based on factors like the user’s IP address, the User-Agent header, and browser language settings.

The same cloaker site can be used for multiple different ad campaigns, as determined by an ad campaign ID passed in the URL parameter. The Argos example redirects to either argos.co.uk or a fake shop at agross[.]store. The same cloaker domain also targets Tesco, redirecting to either tesco.com or an affiliate marketing scam at supsale[.]club/tsco-uk/.
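The redirect chain described above can be checked from the defender’s side: follow the same advert from several visitor profiles and compare where each one lands. The Python below is an added example, not code from the original post. The observation records, the clicktracker.example and cloaker.example hosts, the campaign id value and the helper names are all constructed for illustration, and registrable_domain is only an approximation of public-suffix handling.

```python
# Added example (not from the original post): flag search-ad cloaking by
# comparing where the same advert lands for different visitor profiles.
# All URLs below are constructed samples; clicktracker.example and
# cloaker.example are placeholders, and the helper names are my own.
from urllib.parse import urlparse, parse_qs

# Constructed sample: one advert whose displayed URL is argos.co.uk, clicked
# from three vantage points. Each chain lists every URL visited from the
# click through each redirect to the final landing page.
OBSERVATIONS = [
    {"profile": "ad-verifier-bot",
     "chain": ["https://clicktracker.example/c?cid=1234",
               "https://cloaker.example/go?cid=1234",
               "https://www.argos.co.uk/"]},
    {"profile": "uk-chrome-user",
     "chain": ["https://clicktracker.example/c?cid=1234",
               "https://cloaker.example/go?cid=1234",
               "https://agross.store/"]},
    {"profile": "uk-firefox-user",
     "chain": ["https://clicktracker.example/c?cid=1234",
               "https://cloaker.example/go?cid=1234",
               "https://www.argos.co.uk/"]},
]

SECOND_LEVEL = {"co", "org", "gov", "ac"}  # rough stand-in for public suffixes such as co.uk


def registrable_domain(url):
    """Reduce a URL to its registrable domain (argos.co.uk, agross.store).
    Approximation only: a production check should use the Public Suffix List."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def campaign_ids(chain):
    """Collect campaign-style identifiers from query strings along a chain;
    the same value reused across adverts suggests one cloaker serving many campaigns."""
    ids = set()
    for url in chain:
        for key, values in parse_qs(urlparse(url).query).items():
            if key.lower() in {"cid", "campaign", "campaign_id"}:
                ids.update(values)
    return ids


def analyse(displayed_url, observations):
    """Return a verdict for one advert. Two signals are checked:
    1. any profile lands on a domain other than the one the advert displayed;
    2. different profiles land on different domains (a plain redirect sends
       everyone the same way, so divergence is the hallmark of cloaking)."""
    expected = registrable_domain(displayed_url)
    landing = {}
    intermediates = set()
    findings = []
    for obs in observations:
        final = registrable_domain(obs["chain"][-1])
        landing.setdefault(final, []).append(obs["profile"])
        intermediates.update(registrable_domain(u) for u in obs["chain"][:-1])
        if final != expected:
            findings.append(f"{obs['profile']} landed on {final}, advert displayed {expected}")
    if len(landing) > 1:
        findings.append("same advert produced different landing domains: "
                        + ", ".join(sorted(landing)))
    return {
        "expected": expected,
        "landing_domains": landing,
        "redirect_hosts": sorted(intermediates),  # click tracker / cloaker domains worth tracking
        "campaign_ids": set().union(*(campaign_ids(o["chain"]) for o in observations)),
        "cloaked": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    verdict = analyse("https://www.argos.co.uk", OBSERVATIONS)
    for line in verdict["findings"]:
        print(line)
    print("cloaked:", verdict["cloaked"], "| redirect hosts:", verdict["redirect_hosts"])
```

Because the cloaker keys on IP address, User-Agent and browser language, the vantage points have to look like real users in the targeted region; a single verifier bot only ever sees the clean branch, which is precisely the gap the post describes. The intermediate hosts the check collects are the click tracker and cloaker domains, which are the useful thing to block or watch, since the displayed URL is the real brand’s site.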

Screenshot: Searching for Tesco on Google returns a malicious advert for a Tesco affiliate scam, hosted on hxxps://supsale[.]club/tsco-uk/

We have also detected fake ads targeting McDonald’s and Marks & Spencer that use the same template for affiliate marketing scams. The McDonald’s ad redirects either to its legitimate site (https://www.mcdonalds.com/us/en-us.html) or the affiliate marketing scam shown below.

Screenshot: Affiliate marketing scam site Savingspot[.]club/markandsper-uk

Screenshot: Affiliate marketing scam site mekdonolds[.]shop