Back to Back Issues Page
Watch For Scams Newsletter. Malicious Ads
July 11, 2023

Malicious Ads

Watch For Scams is dedicated to helping you avoid becoming a victim of fraud.

If you like this ezine, do a friend a big favor and forward this to them. If a friend forwarded this to you, and if you like what you read, please subscribe by visiting the link below:

Subscribe Here

Malicious Ads

We often think of malvertising as being malicious ads that push malware or scams, and quite rightly so these are probably the most common payloads. However, malvertising is also a great vehicle for phishing attacks which we usually see more often via spam emails.

Scammers continue to abuse and impersonate brands, posing as verified advertisers whose only purpose is to smuggle rogue ads via popular search engines.

A recent example we saw was of a phishing attack that was targeting both mobile and desktop users looking up to track their packages via the United States Postal Service website. A Google search returned an ad that looked completely trustworthy.

Yet, it redirects victims to a malicious site that first collects their address, credit card details and, requires them to log into their bank account for verification.

This elaborate phishing scheme is a reminder that malvertising via search results remains an issue that affects both consumers and businesses who place their trust behind well-known brands.

A simple Google search for "usp tracking" showed an ad snippet containing the official website and logo of the United States Postal Service and yet, the "advertiser" whose verified legal name is Анастасія Іващенко (Ukraine), has nothing to do with it. This fake advertiser had 2 different ad campaigns, one that appears to target Mobile and the other Desktop users.

Address verification and update is just a trick to get banking credentials

You may wonder how scammers are able to use the official web address (URL) in the ad and redirect victims to their own different website. The URLs shown in the ad are pure visual artifacts that have nothing to do with what you actually click on. When you click on the ad, the first URL returned is Google's own which contains various metrics related to the ad, followed by the advertiser's own URL.

Users never get to see this, and that is what makes malvertising via brand impersonation so dangerous.

Victims that click on the ad land on a website that asks them to enter their tracking number(s), just as they would expect it. However, upon submitting that information they receive an error stating "Your package could not be delivered due to incomplete information in delivery address."

It is not unusual to receive this kind of notification either. Users are then asked to enter their full address again but also need to pay a small fee of 35 cents by submitting their credit card information. This is the first clue that there is something amiss here.

Victims are entering their credit card number into a phishing website. The small fee is completely irrelevant as there is much more damage that can be done by reselling this stolen data on criminal markets.

The final step consists of asking users to enter their credentials for their financial institution. The phishing page is dynamic and will generate a template based on the card number previously inputted such as a VISA card and the associated bank is JP Morgan.

Brand impersonation is a huge problem and requires users to be cautious clicking on ads.

If you believe you have been a victim of this type of scam you should promptly report it to the IC3's website at The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.

Remember - always watch for scams!


Back to Back Issues Page