Dynamic Search Ads (DSAs) are a type of advertising campaign that automatically generates ad headlines and landing pages based on the content of a website. DSAs allow advertisers to reach a targeted audience and have revolutionized how businesses reach potential customers.
Because the ads are generated automatically from a website's content, DSAs are an effective way for advertisers to extend their reach, and many legitimate businesses use this kind of campaign to promote their products or services.
However, this automation and efficiency have not gone unnoticed by malicious actors, who have discovered ways to exploit DSAs for malicious purposes.
How Dynamic Search Ads work
When a Dynamic Search Ads campaign is activated, a crawler visits the advertiser’s website, identifies relevant content, and starts generating ads based on users' search queries, eliminating the work of manually creating extensive keyword lists and ad copy. Instead, the search engine dynamically matches search queries with landing pages on the advertiser’s website, populating the ad with headlines and text extracted from the website's content.
However, the simplicity and efficiency of this workflow have also made these campaigns attractive to cybercriminals.
How attackers exploit Dynamic Search Ads
Malicious actors have developed sophisticated methods to exploit DSAs by creating campaigns that look entirely legitimate but actually serve their own purposes. This is how they stage their attacks.
Deploying a malicious website
A DSA campaign needs a website to work, so attackers create one that looks and acts trustworthy, usually by cloning a legitimate website, and promote it with SEO poisoning tactics:
- They use a domain name that looks similar to the original (typosquatting)
- They use popular keywords, meta tags, and structured data to ensure these pages rank well in search engines, and feed crawlers different data from what is displayed to the end user (cloaking)
- They boost the website's score by using bots or humans to search for keywords and generate clicks for the deceptive website instead of the original one, or even by creating a network of deceptive websites backlinked together.
These websites also usually use dynamically generated pages to personalize the user’s experience, feeding content based on the visitor’s location, device, or browsing behavior to make it more tailored and convincing.
Crafting the malicious Dynamic Search Ads campaign
Once the malicious website is up and running, attackers start the DSA campaign by creating advertiser accounts, usually with stolen credentials or fake identities to avoid detection. A rising and concerning trend is the use of legitimate advertiser accounts that have already run legitimate campaigns, which makes the campaign stealthier and gives it a more legitimate look in order to evade detection by automated security systems.
The ad campaign is configured to target victims based on their interests: specific demographics or geographic locations, a particular time of day, or even high-value individuals within corporations, with ads tailored to each victim’s interests.
How to recognize malicious Dynamic Search Ads
Identifying malicious DSAs can be challenging because they are designed to blend seamlessly with legitimate ads. However, there are a few red flags to watch for:
- Suspicious URLs: Hover over ad links before clicking. Be on the lookout for misspelled words, unusual TLDs, or URLs that are too complex.
- Urgency and Pressure: Ads that create a sense of urgency (e.g., “Act Now!” or “Limited Time Offer!”) should be approached with caution, especially when combined with requests for personal information. Attackers exploit psychological triggers to rush users into decisions without proper inspection.
- Unusual Prompts: Be cautious of ads that lead to pages demanding sensitive information upfront, prompting unexpected downloads, or requesting login credentials. Some malicious sites mimic legitimate login portals, capturing credentials in real time.
- Inconsistent Branding: Poor grammar, low-quality images, and mismatched logos can indicate a fraudulent site. However, many modern scams are highly polished, making it essential to verify authenticity beyond surface appearances.
- Too-Good-to-Be-True Offers: Unrealistic deals or offers that seem too generous should raise immediate suspicion. Some campaigns have posed as official software vendors offering steep discounts on popular applications only to deliver installers packed with malware.
Risks of malicious DSAs
Falling for malicious DSAs can lead to:
- Data Theft: Personal information, including login credentials, financial details, and sensitive business data could be stolen.
- Malware Infections: Clicking on a malicious ad can result in the automatic download of malware, including ransomware, spyware, and trojans. Attackers often use sophisticated malware loaders that adapt based on the target's system defenses.
- Phishing Attacks: Victims may unknowingly provide sensitive information to attackers, leading to identity theft or business data breaches.
- Financial Loss: Businesses may suffer direct financial losses due to fraud, as well as indirect costs from data breaches, legal repercussions, and reputational damage. Recovery costs can include legal fees, customer compensation, and incident response expenses.
How to protect against malicious Dynamic Search Ads
Both individuals and organizations can protect themselves against malicious DSAs by using a few simple techniques:
For individual users
- Stay Informed: Educate yourself about common online threats and how to recognize suspicious ads and websites. Awareness is the first line of defense.
- Verify Before Clicking: Always check the legitimacy of an ad by checking the URL and researching the advertised company if unsure. When in doubt, navigate directly to the official website instead of clicking on ads.
- Enable Multi-Factor Authentication (MFA): Protect online accounts with MFA to add an extra layer of security. Even if credentials are compromised, MFA can prevent unauthorized access. Use a physical token or an authentication app instead of SMS-based MFA, as SMS is vulnerable to SIM-swapping attacks.
- Report Suspicious Ads: If you encounter a suspicious ad, report it to help prevent others from falling victim. Prompt reporting can aid in quicker takedown of malicious content.
For Organizations
- Employee Training: Conduct regular cybersecurity awareness training to educate employees on recognizing phishing attempts and malicious ads. Simulated phishing exercises can reinforce good security habits.
- Advanced Threat Protection: Deploy advanced security solutions that offer real-time monitoring and threat detection. Integrate threat intelligence feeds to stay updated on emerging threats.
- Ad Monitoring: If your business uses DSAs, regularly audit your own ads to ensure they haven’t been compromised and monitor for impersonation attempts. Set up alerts for unusual account activities.
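The URL red flags listed earlier (misspelled lookalike domains, unusual TLDs, overly complex URLs) and the impersonation monitoring above can be partly automated. The following is an added example, not code from the original article: it scores an ad's landing URL against a list of protected brand domains and, going slightly beyond the text, also flags punycode labels. The brand list, TLD list, thresholds, and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions): brands to protect and TLDs treated as common.
PROTECTED = {"examplebank.com", "acmesoft.com"}
COMMON_TLDS = {"com", "org", "net", "edu", "gov"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_red_flags(url: str) -> list[str]:
    """Return the red flags raised by an ad's landing URL (empty list = none)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Naive registered domain: the last two labels. Production code should
    # consult the Public Suffix List so that e.g. "co.uk" is handled correctly.
    domain = ".".join(host.split(".")[-2:])
    name, _, tld = domain.rpartition(".")
    flags = []
    if domain not in PROTECTED:
        for brand in sorted(PROTECTED):
            brand_name = brand.rpartition(".")[0]
            if name == brand_name:
                flags.append(f"tld-swap:{brand}")        # same name, other TLD
            elif edit_distance(name, brand_name) <= 2:
                flags.append(f"lookalike:{brand}")       # typosquat candidate
            elif brand_name in host:
                flags.append(f"brand-in-host:{brand}")   # brand used as a subdomain
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")                         # possible homoglyph domain
    if tld not in COMMON_TLDS:
        flags.append("unusual-tld")
    if host.count(".") >= 4 or len(url) > 100 or "@" in parts.netloc:
        flags.append("complex-url")
    return flags

if __name__ == "__main__":
    for sample in (  # constructed URLs, not real campaigns
        "https://examplebank.com/login",
        "https://examp1ebank.com/login",
        "https://examplebank.top/offer",
        "https://examplebank.com.secure-login.account.verify.example.net/a",
    ):
        print(sample, "->", url_red_flags(sample) or "no flags")
```

An edit-distance threshold of 2 suits long brand names; short names need a stricter threshold to avoid false positives.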
How Ad Platforms can mitigate risks of malicious DSAs
While users and businesses play a critical role in defense, ad platforms also have a responsibility to prevent and fight malicious DSAs, using several strategies:
- Automated detection systems: Advanced algorithms analyze ads for any signs of malicious activity. Machine learning models are continually refined based on new threat data.
- Manual reviews: Teams of reviewers investigate flagged ads to confirm potential threats. Human review is crucial for catching nuanced attacks that automated systems might miss.
- Advertiser verification: Stricter verification processes for advertisers help reduce the risk of fraudulent accounts.
- Transparency tools: Features like “Why This Ad?” allow users to see why an ad was shown to them, which helps them identify suspicious targeting and make informed decisions.
- Threat Intelligence sharing: Collaborating with cybersecurity companies and law enforcement to track and dismantle malicious campaigns.
Conclusions
Although Dynamic Search Ads are a powerful tool for legitimate businesses, they’re also an attractive tool for cybercriminals to conduct their illicit activities.
To protect and defend against the risks posed by malicious DSAs, one should understand how attackers stage their campaigns. By staying informed and vigilant while browsing the internet, you can reduce the risk of falling victim to malvertising campaigns.
Stay vigilant and safe and always think before you click!