Google usually keeps a tight hold on what can and can’t appear as an ad above search results, but for a brief time, a fake Amazon advertisement that actually led to a page attempting to scam users managed to make its way through. As shown in the attached image, the advertisement sat atop the Google Search results for Amazon, and looked every bit legitimate. Google’s automated systems checked it out and gave it the green light, which meant that it most likely looked as though it actually led to Amazon’s website. In reality, however, users who clicked on the ad were greeted with a different screen depending on their OS, but the screens all had a common goal: to make a user call a number to get a supposed problem with their computer fixed. Windows users were shown a Microsoft support scam, while Mac users were told that their machine had been accessed by a suspicious connection.
The ad resolves to Amazon’s domain, making it look every bit as authentic as a real link to Amazon’s website. It’s only when a user actually clicks the ad that a script changes the URL to the scam website. This is most likely how the malicious ad managed to avoid detection at first, though it has been reported and is now no longer present. There is no way to tell just how many users may have been affected by the ad, or even called the listed phone numbers, during the ad’s short life.
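The mismatch described above, between the domain an ad displays and the page a click actually lands on, can be checked from the reviewing side. The following is an added example, not code from Google or from the original article: it assumes a headless browser has already recorded the URLs visited after a click (script-driven hops included) under several client profiles, and the function names, profile names and `.example` hosts are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Simplification (assumption): registrable domain = last two host labels.
# Production tooling should use the Public Suffix List instead.
def registrable_domain(url):
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def audit_ad(display_url, navigations):
    """Compare an ad's displayed domain with where each client profile landed.

    navigations maps a profile name to the ordered list of URLs visited
    after clicking the ad. Returns a list of (profile, finding) tuples.
    """
    expected = registrable_domain(display_url)
    findings = []
    landings = {}
    for profile, hops in navigations.items():
        if not hops:
            findings.append((profile, "no-navigation-recorded"))
            continue
        landing = registrable_domain(hops[-1])
        landings[profile] = landing
        if landing != expected:
            findings.append((profile, f"display={expected} landing={landing}"))
    # Different landing domains for different profiles means the destination
    # is chosen per client, so a single automated check can be shown a clean page.
    if len(set(landings.values())) > 1:
        findings.append(("*", "landing-differs-by-profile"))
    return findings

# Constructed sample records; the .example hosts are placeholders and the
# "crawler" profile seeing only the real site is an assumption.
SAMPLE = {
    "windows": ["https://www.amazon.com/", "https://support-alert.example/win"],
    "macos": ["https://www.amazon.com/", "https://mac-warning.example/alert"],
    "crawler": ["https://www.amazon.com/"],
}

if __name__ == "__main__":
    for finding in audit_ad("https://www.amazon.com/", SAMPLE):
        print(finding)
```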
While Google did swoop in to shut the fake advertisement down as soon as it caught wind of it, this incident shows an obvious flaw in the way that Google’s ad system handles ads at the moment. The ad was submitted, paid for, vetted, and assigned automatically, with no human checking things out at any step. While it’s exactly this process that allows Google to run its ad platform on the sheer scale that it does, the approach also has its downsides, and incidents like this are one of them. This fake advertisement likely is not the only one to take this approach, which makes it a great relief that Google’s security team springs into action as soon as it is made aware of a threat.