A new cyberattack is targeting Facebook users by tricking them with what appears to be a ‘sponsored’ Google ad for the social media platform.

Cyber expert Justin Poli discovered a phishing ad when he typed ‘Facebook’ into the Google search bar to log into his account. 

The top result redirected him to a fraudulent site that allowed bad actors to access his computer – a pop-up showed his email and banking passwords, Facebook account, and computer files were breached.

While cybercriminals designed the malicious ad to go undetected, there are ways users can protect themselves from being scammed.

Cyber expert Justin Poli (pictured) reported that he clicked on what appeared to be a legitimate Facebook login link, but was redirected to a fraudulent website

Poli received a notice when he was redirected to the phishing site (pictured) telling him that his email and bank passwords, Facebook login, and photos and files had all been breached

Poli shared the attack in a TikTok video, detailing what he had uncovered while attempting to log into Facebook, only to be alerted that his system was infected with ‘spyware issues.’

‘My first reaction was, how does Google ever allow this to happen? They should not allow ads to be posted that link to phishing sites,’ Poli said.

The problem can’t be solved with a simple fix, Poli said, because the phishing scam, also called malvertising, lets scammers fool Google into thinking the link is real.

This means that anyone can pay for their ad to appear as a ‘sponsored’ link at the top of the search results, and can edit the URL so that users who click it are redirected to a different site.

Bad actors can tailor links to trick Google into thinking they are legitimate, using a tracking template that lets them adjust the URL on the back end to redirect users to another site.

Young people are reportedly scammed more often than those twice their age because they are more exposed to fraudulent ads.

Bad actors use a tracking template which allows them to customize the final URL - even if it isn't the same link that appears on the results.

If the link appears to be associated with the ad, Google’s tracker won’t flag it as a problem because the bad actors use a tracking template that allows them to customize the final URL – even if it isn’t the same link that appears on the results.
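
The gap described above, between the address an ad displays and the page a click finally lands on, can be checked from a recorded redirect chain. The following is an added example, not code from the article or from Google; the function names, the `.example` hosts and the sample chains are constructed for illustration.

```python
from urllib.parse import urlsplit

def hostname(url):
    """Host the browser would connect to (userinfo and port stripped)."""
    if "://" not in url:  # ad display URLs are often shown without a scheme
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def on_domain(host, domain):
    """True if host is `domain` itself or a real subdomain of it."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def audit_click(display_url, chain, expected_domain):
    """Return a list of findings; an empty list means display and landing agree."""
    if not chain:
        return ["no landing URL recorded"]
    findings = []
    if not on_domain(hostname(display_url), expected_domain):
        findings.append("display URL is not on " + expected_domain)
    final = chain[-1]  # intermediate tracking hops are normal; the landing page is what matters
    final_host = hostname(final)
    if not on_domain(final_host, expected_domain):
        findings.append("landing host %s is not on %s" % (final_host, expected_domain))
    if urlsplit(final).scheme != "https":
        findings.append("landing page is not served over https")
    return findings

# Constructed click chains (not captured from the real ad).
GENUINE = ["https://clicks.adtracker.example/r?id=1",
           "https://www.facebook.com/login"]
# Brand name used as a subdomain label of an unrelated site.
LOOKALIKE = ["https://clicks.adtracker.example/r?id=2",
             "https://facebook.com.account-alert.example/"]
# Brand name placed in the userinfo part; the real host follows the '@'.
USERINFO = ["https://facebook.com@account-alert.example/"]

if __name__ == "__main__":
    for name, chain in [("genuine", GENUINE), ("lookalike", LOOKALIKE),
                        ("userinfo", USERINFO)]:
        print(name, audit_click("www.facebook.com", chain, "facebook.com"))
```

The comparison is a suffix match on a full label boundary, so a host that merely begins with the brand name is still reported as off-domain.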

Although phishing ads don’t typically last long, because the scams are expensive and people report them quickly, there is always another malicious link ready to replace it.

‘It’s like playing whack-a-mole with all these ads,’ Poli said, adding that there isn’t a way for Google to monitor them, but he suggested that the tech giant use AI to check the links more frequently.

Poli also recommended that people should have an ad blocker activated on their phone or computer and never trust a sponsored link in order to protect themselves from such scams.

Other tips to keep hackers at bay include keeping software and extensions, including browsers, up to date, and avoiding using Flash and Java or allowing them to run automatically while surfing the web.

‘Kind of s*cks that we have to live with that,’ Poli said, ‘but that’s the way it is.’

A 2023 survey by Deloitte found that Gen Zers – people aged 14 to 26 years old – are three times more likely to be tricked into online scams than the boomer generation – people who are 58 to 76 years old.

Tanneasha Gordon, a principal at Deloitte who leads the company’s data and digital trust business, told Vox that young people are more likely to become caught in a scam, in part, because they are more exposed to them.

‘There are so many fraudulent websites and e-commerce platforms that just literally tailor to them, that will take them from the social media platform that they’re on via a fraudulent ad,’ she said.

DailyMail.com has reached out to Google for comment. 

This post first appeared on Dailymail.co.uk
