A new cyberattack is targeting Facebook users by tricking them with what appears to be a ‘sponsored’ Google ad for the social media platform.
Cyber expert Justin Poli discovered a phishing ad when he typed “Facebook” into the Google search bar to log into his account.
The top result redirected him to a fraudulent site that allowed malicious parties to gain access to his computer. A pop-up claimed that his email and banking passwords, Facebook account and computer files had been leaked.
Although cybercriminals have designed the malicious ad to go unnoticed, there are ways users can protect themselves from scams.
Cyber expert Justin Poli (pictured) reported that he clicked on a legitimate Facebook login link but was redirected to a fraudulent website
Poli received a message when he was redirected to the phishing site (pictured) telling him that his email and banking passwords, Facebook login, and photos and files had all been leaked
Poli shared the attack in a TikTok video, detailing what he discovered when he tried to log into Facebook, only to be warned that his system had been infected with “spyware issues.”
“My first reaction was: how does Google ever let this happen? They should not allow advertisements linking to phishing sites to be placed,” Poli said.
The problem can’t be solved with a simple fix, Poli said, because the scam, a technique known as malvertising, tricks users into thinking the link is genuine.
Anyone can pay to have their ad appear as a ‘sponsored’ link at the top of the search results, and the advertiser can edit the URL so that users who click are sent to a different site.
Bad actors can tailor links to trick Google into thinking they are legitimate, using a tracking template that allows the person to modify the URL on the back end to redirect users to another site.
Young people are reportedly more likely to be scammed than those twice their age because they are more likely to be exposed to fraudulent advertisements.
Bad actors use a tracking template that allows them to customize the final URL, even if it isn’t the same link that appears in the results.
If the link appears to be related to the ad, Google’s checks will not flag it as a problem, because the bad actors use a tracking template that lets them change the final URL even when it is not the same link displayed in the ad.
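The mismatch described above, between the URL an ad displays and the page a click actually lands on, can be checked from the defender’s side. The following Python is an added example, not code from the article or from Google; it assumes a constructed, offline table of redirects standing in for real HTTP responses and uses a crude two-label domain comparison rather than the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed, offline stand-in for following HTTP redirects: maps a URL to
# the Location it would answer with (None = final page). Real code would
# issue requests; the .test hostnames are reserved placeholders.
CONSTRUCTED_REDIRECTS = {
    "https://ads.tracker.test/click?id=42": "https://go.tracker.test/r?u=7",
    "https://go.tracker.test/r?u=7": "https://facebook-login-help.test/sign-in",
    "https://www.facebook.com/login": None,
    "https://loop.test/a": "https://loop.test/b",
    "https://loop.test/b": "https://loop.test/a",
}


def registrable_domain(url: str) -> str:
    """Crude 'site' extraction: last two DNS labels of the host (no PSL)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def follow(url: str, redirects=CONSTRUCTED_REDIRECTS, max_hops: int = 10) -> list:
    """Return the redirect chain from url. Stops at a final page, an unknown
    URL, a repeated URL (loop) or max_hops; a loop leaves a duplicate entry."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = redirects.get(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
        if nxt in seen:
            return chain          # revisited a URL: redirect loop
        seen.add(nxt)
    return chain


def check_ad(displayed_url: str, click_url: str) -> dict:
    """Compare the site an ad shows with the site its click finally lands on."""
    chain = follow(click_url)
    shown = registrable_domain(displayed_url)
    landed = registrable_domain(chain[-1])
    looped = len(chain) != len(set(chain))
    return {
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        "mismatch": shown != landed,   # displayed site != landing site
        "loop": looped,
        "suspicious": shown != landed or looped,
    }
```

A subdomain of the displayed site (www.facebook.com versus facebook.com) passes, while a lookalike host on another registrable domain is flagged.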
Although the phishing ads usually don’t last long because the scams are expensive and people are usually quick to report them, there is always another phishing ad that can replace it.
“It’s like playing a game with all these ads,” Poli said, adding that there’s no way for Google to monitor them but suggesting the company might use AI to check the links more often.
Poli recommended that people always have an ad blocker activated on their phone or computer and never trust a sponsored link.
Users can also protect themselves by keeping their software and extensions up to date, including browsers, and by preventing Flash and Java from running automatically while browsing the web.
“It’s a bit stupid that we have to live with that,” Poli said, “but that’s how it is.”
A 2023 questionnaire from Deloitte found that Gen Zers – people aged 14 to 26 – are three times as likely to be duped by online scams as the boomer generation – people aged 58 to 76.
Tanneasha Gordon, a director at Deloitte who leads the firm’s data and digital trust business, told Vox that young people are at greater risk of falling for scams, partly because they are more exposed to them.
“There are so many fraudulent websites and e-commerce platforms that are literally targeting them, taking them off the social media platform they’re on through a fraudulent ad,” she said.
DailyMail.com has contacted Google for comment.