A new cyberattack targets Facebook users by tricking them with what appears to be a “sponsored” ad from Google for the social media platform.
Cyber expert Justin Poli discovered a phishing ad when he typed “Facebook” into the Google search bar to log into his account.
The top result redirected him to a fraudulent site that displayed a fake security alert: a pop-up claimed that his email and banking passwords, his Facebook account, and his computer files had been breached.
While cybercriminals designed the malicious ad to go undetected, there are ways users can protect themselves from being scammed.
Poli shared the attack in a TikTok video, detailing what he had discovered when trying to log into Facebook, only to be alerted that his system was infected with “spyware issues.”
“My first reaction was: how can Google allow this to happen? They should not allow ads to be published that link to phishing sites,” Poli said.
There is no simple fix, Poli said, because the technique, known as malvertising, lets scammers make the ad’s link look legitimate to Google.
Anyone can pay to have an ad shown as a “Sponsored” result above the organic results, and the advertiser, not Google, controls where the link actually sends the users who click it.
The ad passes review because the link Google checks is not the link users end up on. Google Ads lets an advertiser set a tracking template, a click-measurement feature that routes each click through a redirect URL before the landing page; the placeholder {lpurl} in the template is replaced with the ad’s final URL. The final URL shown in the result (facebook.com) is legitimate, and because the tracking template appears to be associated with that ad, Google’s crawler does not flag it. The redirect server behind the template, however, is under the bad actor’s control and can send the click anywhere, so the user lands on the phishing site rather than on Facebook, even though the link in the results looks right.
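As an added illustration (this code is not from the article, from Poli, or from Google), the following Python simulates the mechanism just described: a tracking template is expanded with the ad’s final URL, and a click is then resolved through a redirector that behaves differently depending on who is asking. The host names, user-agent strings and the user-agent-based cloaking are constructed assumptions for the example; the article says only that the template redirects users to another site. The audit function resolves the same click once as a review crawler and once as a browser and reports whether each path ends on the domain the ad displays, which is the check an ad-review pipeline or an incident responder would want.

```python
"""Added example (not from the article): tracking-template redirects and a
landing-page audit. All hosts and behaviour are constructed; no network access."""
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, quote, urlparse

MAX_HOPS = 10

# What an advertiser submits. The final URL is what review and the displayed
# "Sponsored" result show; the tracking template is where the click actually
# goes first. {lpurl} is the Google Ads placeholder for the encoded final URL.
AD: Dict[str, str] = {
    "display_url": "facebook.com",
    "final_url": "https://www.facebook.com/login",
    "tracking_template": "https://clicks.tracker-example.test/go?lpurl={lpurl}",
}

# Constructed names for the example (assumptions, not real hosts or user agents).
CRAWLER_UA = "AdsBot-Google"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0)"
PHISH_URL = "https://facebook-security-alert.example.test/scan"

# A fetch function takes (url, user_agent) and returns the Location header
# the server would answer with, or None when the URL is a final page.
Fetch = Callable[[str, str], Optional[str]]


def expand_tracking_template(template: str, final_url: str) -> str:
    """Substitute {lpurl} with the URL-encoded final URL, as the ad platform does."""
    return template.replace("{lpurl}", quote(final_url, safe=""))


def cloaking_redirector(url: str, user_agent: str) -> Optional[str]:
    """Stand-in for the bad actor's redirect server.

    The user-agent check is an assumption for the example: to a review crawler
    it honours lpurl, to a browser it sends the victim to the scareware page.
    """
    parts = urlparse(url)
    if parts.netloc != "clicks.tracker-example.test":
        return None  # any other host serves content; no further redirect
    if user_agent.startswith("AdsBot"):
        return parse_qs(parts.query)["lpurl"][0]  # parse_qs percent-decodes the value
    return PHISH_URL


def resolve_landing(start: str, user_agent: str, fetch: Fetch,
                    max_hops: int = MAX_HOPS) -> List[str]:
    """Follow redirects from start; return every URL visited, last one is the landing page.

    Bounded so a looping or endless redirector cannot hang the audit."""
    chain = [start]
    for _ in range(max_hops):
        nxt = fetch(chain[-1], user_agent)
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects starting from {start}")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Adequate for the .com hosts here; a real
    audit should use the public suffix list so that co.uk and similar work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lands_on_display_domain(chain: List[str], display_url: str) -> bool:
    """True when the final URL of the chain shares its registrable domain with the display URL."""
    landing_host = urlparse(chain[-1]).netloc
    display_host = urlparse("https://" + display_url).netloc
    return registrable_domain(landing_host) == registrable_domain(display_host)


def audit_ad(ad: Dict[str, str], fetch: Fetch = cloaking_redirector) -> Dict[str, object]:
    """Resolve the ad's click URL as a review crawler and as a browser and report
    whether each path ends on the domain the ad displays."""
    click_url = expand_tracking_template(ad["tracking_template"], ad["final_url"])
    crawler_chain = resolve_landing(click_url, CRAWLER_UA, fetch)
    browser_chain = resolve_landing(click_url, BROWSER_UA, fetch)
    return {
        "click_url": click_url,
        "crawler_landing": crawler_chain[-1],
        "browser_landing": browser_chain[-1],
        "crawler_ok": lands_on_display_domain(crawler_chain, ad["display_url"]),
        "browser_ok": lands_on_display_domain(browser_chain, ad["display_url"]),
    }


if __name__ == "__main__":
    for key, value in audit_ad(AD).items():
        print(f"{key}: {value}")
```

The point of resolving the click twice is that a single check from a review crawler’s vantage point reports a clean landing page; only the browser path reveals the mismatch between the advertised domain and the real destination.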
Although phishing ads usually don’t last long, because running them is expensive and users report them quickly, there is always another malicious link ready to replace the one that gets taken down.
“It’s like playing whack-a-mole with all these ads,” Poli said, adding that Google has no way to monitor them but suggesting that the tech giant use artificial intelligence to check links more frequently.
Poli also recommended that people keep an ad blocker enabled on their phone or computer and never trust a sponsored link, to protect themselves from these types of scams.
Users can also protect themselves by keeping their software, browsers and browser extensions up to date, and by not allowing plug-ins such as Java to run automatically while browsing the web (Flash has been discontinued since the end of 2020 and should be uninstalled rather than merely disabled).
“It sucks that we have to live with that,” Poli said, “but that’s the way it is.”
A 2023 survey from Deloitte found that members of Generation Z (people ages 14 to 26) are three times more likely to be duped in online scams than the boomer generation (people ages 58 to 76).
Young people are reportedly scammed more often than those twice their age because they are more exposed to fraudulent ads.
Tanneasha Gordon, a Deloitte principal who leads the firm’s data and digital trust business, said that young people are more likely to be caught up in a scam, in part because they are more exposed to them.
“There are so many scam websites and e-commerce platforms that literally cater to them, that they will kick them off the social media platform they’re on through a scam ad,” Gordon said.
DailyMail.com has contacted Google for comment.