Updated Nov. 7 with the government cybersecurity agency’s new guidance on malware infecting legitimate online advertising campaigns.

With “tens of millions of dollars” stolen from “hundreds of thousands” of web users, a serious warning has just been issued to the billions of users of the most popular web browsers. Google has removed well-known websites from search results, but that won’t eradicate links elsewhere, on social media and messaging platforms. It is essential that all users know what to look for. Bottom line: you should not use these websites.

Human Safety Satori The researchers warn that the threat actors “directed traffic to fake web stores by infecting legitimate websites with a malicious payload. This payload creates fake product listings and adds metadata that places these fake listings near the top of search engine rankings for the items, making them an attractive offer to an unsuspecting consumer. “When a consumer clicks on the article link, they are redirected to another website, this one controlled by the threat actor.”

ForbesGoogle update error: Don’t change this new Play Store settingBy Zak Doffman

On the dangerous website itself, users would be directed to a legitimate payment processing platform to purchase the chosen product. That product would never arrive, of course, but they would surely take the money. While many consumers may be protected from the ultimate financial cost through credit card chargebacks, that is never guaranteed until a claim is investigated.

In the most recently discovered campaign, bad actors “infected more than 1,000 websites to create and promote fake product listings and created 121 fake web stores to deceive consumers… estimating losses of tens of millions of dollars over the past few years.” five years, with hundreds of thousands of dollars.” of victimized consumers.”

So what can you look for to prevent your money from disappearing into a black hole?

1. Product deals that seem too good to be true usually are; If a bargain is offered below market rates, don’t proceed unless you can verify the site.
2. Check consistency between website names and names that appear in pop-ups, payment processing windows, and the URL. This specific campaign infected legitimate websites and then redirected them to other locations.
3. Does the ordering process feel completely legitimate? Do you have address details auto-complete, for example, do you check the quality of the data you enter?
4. If it’s a website you haven’t used before, check the reviews carefully; remember that they may be fake and look for known reviews of the site.
5. Can you find the product on a well-known website, even if it is more expensive?

This campaign, dubbed “phish and ship” by the research team, included a number of sophisticated touches: metadata to rise to the top of search results, although Google has removed those known to be fraudulent. By infecting legitimate websites, in this case users would initially be lulled into a false sense of security, but the redirection to a fake web store is when alarm bells should start ringing.

You can find a list of all known fake websites heresome of which remain active despite known threats according to this latest report.

“This operation highlights the relationship between the digital advertising ecosystem and fraud,” says Satori. “Without the fake organic and sponsored product listings from threat actors, there would have been no traffic to the fake web stores and therefore no fraud. “A key takeaway from Phish ‘n’ Ships is that digital advertising can be dangerous and consumers should be careful when clicking to the next step in a digital journey.”

Users of the main browsers are victims of these types of attacks. The research team warns that “Phish ‘n’ Ships remains an active threat,” although Google’s removal has “partially disrupted” its threat. “Threat actors are unlikely to stop working without trying to find a new way to perpetuate their fraud.”

When it comes to unreliable search results leading to dangerous phishing attacks, there’s another nasty new twist that’s just come to light. Malwarebytes warns that “a new wave of phishing to obtain banking credentials is targeting consumers through Microsoft’s search engine. “A search query on Bing for ‘Keybank login’ currently returns malicious links on the first page and sometimes as the main search result.”

Microsoft’s share of search pales in comparison to Google’s, although as with its ongoing campaign to push Chrome users to Edge, it’s now putting its hands in its pockets to do the same with Bing. with a new drawing of 1 million dollars.

“Although Microsoft’s Bing only has about 4% of the search engine market share,” says Malwarebytes, “criminals are attracted to it as an alternative to Google. A particularly interesting detail is how a phishing website created just two weeks ago is already indexed and displayed before the official one.”

ForbesAndroid update warning: You must act now if you missed the October 29 deadlineBy Zak Doffman

This dangerous new campaign has managed to inflate the search signals of new and malicious sites, tricking users into clicking on the top search results for common keywords. “A malicious link is displayed as the first result and pretends to be the Keybank login page… Attackers are abusing Bing’s search algorithms.”

Users who click on the links are redirected to malicious websites created for the campaign; This uses the official branding of the lure to further fool users. The intent is simply to collect identities, login credentials, and passwords. Attackers have even found ways to collect MFA codes to facilitate logins.

As with the “Phish and Ships” attack, this socially engineered manipulation of search results, along with behind-the-scenes trickery to move traffic from legitimate sites to malicious sites, is clearly effective and nets attackers millions.

The concern for users will be the soon-expected rise in AI-based search, which is not only a threat to established search engines but also to users who do not have long-term defense mechanisms and ‘senses’. spider’ to see the attacks that are coming. Ironically, we also just saw a phishing attack that claims to come from OpenAI itselfwhich emphasizes that point of the brave new world. Buyers beware.

Another serious warning of website fraud has been issued following this report from Human’s Satori researchers. The UK government’s cybersecurity agency has just warned that “digital advertising is fundamental to the digital economy and depends on interactions between those who sell advertising space and those who buy it, often in real time. But this can be abused and generate malicious advertising, which may include malware. “This can lead to fraud and undermine trust in the digital advertising industry.”

In a new notice offering “guidance for brands to help advertising partners counter malvertising,” the NCSC warns legitimate businesses that digital advertising campaigns can expose their customers to fraud if the organizations running those campaigns They deliberately or inadvertently introduce fraudulent technologies into the mix.

“Organizations that help run their campaigns should take steps to prevent harm to users,” he says. “You also want to be sure that ads appearing on the same sites and pages as yours are reputable and trustworthy. You can support this broader effort by requiring effective malvertising detection and removal services on an intermediary’s advertising assets and on publishers’ landing pages. This is a continuous process, which must be applied before and throughout an advertising campaign.”

As with “Phish and Ships,” where legitimate commerce websites are infected to give some legitimacy to malicious campaigns, the risk in digital ads is that trusted brands are used to mask threats and socially engineer an attack chain. that draws users to the initial steps. which ultimately lead to fraud or credential theft.

The NCSC says that “advertisers, publishers and ad networks should collaborate to share threat intelligence. By gathering information about emerging threats, we can respond more quickly to new attacks and proactively prevent an attack that is detected on one platform from also appearing on others.”

ForbesSamsung upgrade decision: bad news for millions of Galaxy S24 and S23 ownersBy Zak Doffman

It’s the real-time nature of the web, and as with Bing’s manipulated search results, attacks can be difficult to catch because they appear and disappear in an instant. What is manipulated is the core functioning of the system itself.

For any organization that designs campaigns and buys ads, the cybersecurity agency urges that advertising intermediaries can demonstrate the following five steps to make it more difficult for threat actors:

1. How they handle malvertising detection and removal services
2. the provider they use, if any, to detect and remove malvertising, and whether this includes “cloaking”, where the harmful nature or destination of an ad is hidden.
3. the extent of your assets where scanning, detection and removal are performed
4. how they monitor any changes during the lifecycle of an advertising campaign
5. how an attack is escalated and investigated, if it occurs

“Organizations that help run their campaigns should take steps to prevent harm to users,” the agency says. “You also want to be sure that ads appearing on the same sites and pages as yours are reputable and trustworthy.”