Much of the focus in the cybersecurity arena over the past few years has been on email as a point of entry, and with good reason. Both ransomware attacks and the phishing attempts that make many of them possible are on the rise, threatening organizations of all sizes. Training team members to recognize these attempts is vital.
But there are other avenues for hackers, and one involves nothing more than a simple Google search. Welcome to malvertising. While not new, malvertising is on the rise, and the bad guys are getting better at it. Let’s take a look.
Malvertising can be as simple as phony – and malicious – ads that appear as sponsored content in a Google search, or can be a more complex scheme targeting employees of a given organization. In one example, Lowe’s team members were targeted using ads that appeared to direct them to an employee portal but actually linked to a phishing page complete with the company’s logo. Slack, the business communications tool, was another high-profile target.
Malicious ads can also appear on trusted websites as hackers find their way in through the advertising brokers that place these ads.
While Google and its search competitors make every effort to verify that advertisers are legitimate, there are simply too many advertisers to keep every bad apple from sneaking through. Last fall saw a jump of more than 40% in malvertising, according to one online security firm, and the fake ads and phishing pages they link to are getting more and more realistic.
What to do?
First, make your employees aware that malvertising is an issue, and show them what to look for. Before clicking on any sponsored link, hover over the link and look carefully at the destination URL (and we mean carefully: the URL that fooled many Lowe’s employees was myloveslife.net).
Avoid clicking phone numbers in ads. It’s very convenient, but there’s no way to tell whether you’re connecting with the actual advertiser or with a cyberthief.
Finally, keep your browsers up to date. This can help prevent so-called drive-by downloads, where a page can download malicious code to your device even if you don’t click on any links.
There’s no perfect solution to avoid malvertising completely, but practicing good digital hygiene and looking before you click will help reduce your chances of becoming a victim.
Questions about cybersecurity? Contact Hill Tech Solutions.