Web Search Malvertising

By Will Jay On In Tech Tips

When you’re surfing the world wide web these days, it’s easy to accidentally click an ad given how 80% of websites have multiple banners, lingering splash screens, hidden full page overlays that redirect you when you click them, etc. I think most people know at this point that these range from neutral to bad on the things-to-be-clicking-on scale, but it might be less known that even big players in the tech space will sometimes send you places you don’t want to go.

A recent example of this is related to the release of Arc browser, a new web browser from a startup that touts a unique style and ability to manipulate how you view webpages as its selling points (not an endorsement; I haven’t used it). Alongside this release, a bad actor saw an opportunity to list advertisements on Google that displayed the legitimate link to Arc’s domain, https://arc.net, while clicking on the sponsored link redirected to a typo-squatted domain (e.g., if someone owns birrddsoncable.com, they can use that site to host malicious content and trick people looking for birdsonacable.com) that looked identical to the legitimate arc.net download page.

While these malicious ads tend to get discovered over time, it’s a cat-and-mouse game where the mice are always able to re-populate. As someone caught in the middle, the best way to protect yourself is knowing what to look for. Here are my general rules of thumb for staying safe out there.

  1. Don’t click the ads. When doing web searches, regardless of the search engine, avoid the links at the top of the search results. Particularly if they say ‘Sponsored’ or give an indication that they’re a paid-for advertisement. (Clicking banner ads on a trusted webpage is less concerning, but I’d still avoid it.)
  2. If you click the ad, verify where it sends you. If you clicked a splash ad that popped up while you were reading an article about goldfinch mating patterns and got a splash ad in the middle of the page for 50% off all ottomans at Wayfair, you’d better make sure it sent you directly to wayfair.com and not wayfaair.com.
  3. If you’re looking for a well-known company’s website and are unsure what the URL for their website is, the company’s Wikipedia entry typically has a link to their primary webpage URL.
  4. If you think you clicked a malicious ad that sent you to a strange webpage, it would be a good idea to clear your browser’s cache and cookies. Also, check your browser extensions to see if there are any new/unfamiliar entries.
  5. As always, if you’re ever completely unsure, feel free to ask the Birds!