When you want to know something, you search the Internet first.

When you enter a keyword, a list of results is displayed, but...
The pages displayed at the top of that list may include malicious fraudulent sites.

Now, more and more people are being deceived by search.

(Digitally undeceived interview team Moe Sasaki)

I was relieved because it was "high in the search" ...

A man in his 30s lives in Kochi Prefecture. In December last year, he "discovered" a product that he had always wanted on an Internet search site.

This is the PlayStation 12 home video game console.

Due to its popularity, this game machine was initially sold by lottery at many stores. The man applied many times, but it was hard to win. He said that friends around him had started to get one and that he was getting impatient. That is when he searched for it.

Displayed sites

When he typed "PS5 in stock", a sales site displayed as an advertisement at the top showed the hard-to-find game console as "low in stock".

Although the price was slightly higher than the normal selling price, he decided to purchase it without hesitation.

The sales site required "member registration", so he registered his email address and set a password. He also entered his address, date of birth, etc. He chose to pay by bank transfer and immediately transferred the money at a nearby ATM. The transfer was made to an account in the name of an individual.

Although he had hurried to make the transfer, he felt a little uncomfortable that the account name was not a corporation, and after a while, he searched for the site name just in case.

And then...

He found multiple pieces of information pointing out that it was a "scam site."

He immediately contacted the bank through which he had requested the transfer and asked them to cancel it, but the transfer had already been completed. Two days later, when he checked directly with the bank where the money had been transferred, they replied that the withdrawal was made within 2 hours of the transfer.

The man continued to receive mysterious emails from this site reminding him to pay the money he had already paid.

In the end, the item never arrived and the price was never refunded.

The victim said, "I was completely relieved because it is a search site that I use all the time, and I didn't know that ads appeared at the top of the search results, and I didn't think that fraudulent sites were mixed in. I can't help what happened, but I have a strong feeling that I was cheated, that I was a jerk."

Malicious sites in "Search Results"

One of the reasons the man was deceived was his thinking that "I searched and it came out on top."

Search sites have a mechanism called "listing ads" in which ads related to search terms are displayed in a prominent place, such as at the top of search results.

Sites that are intended to be fraudulent are mixed in among these listing ads and the results that appear at the top of searches, and more and more people are being directed to malicious sites.

JR East Japan's reservation service "Ekinet" had a similar case in October and December last year.

When I searched for "Ekinet", a fake site different from the official site was displayed in the ad space at the top of the search results.

The advertisement displayed in December showed the words "Ekinet" and "JR East Japan", but the domain at the end of the URL was ".su" (Soviet Union), which was different from the real thing.

When I accessed the site, instead of the page displayed on the official "Ekinet", I saw a page that looked very similar to the page introducing JR East Japan's special services. After that, the page was disguised as the member login page of "Ekinet" and asked the visitor to enter an ID and password.

This site is seen as a "phishing site" that steals card numbers, passwords, etc.

About 6% go through search sites

According to the Japan Cybercrime Control Center, there were 2,8818 reports last year regarding "fake sites" that imitate shopping sites of real companies and "fraudulent sites" that pretend to be fictitious companies.

This was an increase of 1,940 cases compared to the previous year.

As for how the people who filed reports came across these malicious sites, "Internet search results" exceeded guidance from e-mail and SNS, accounting for 6% of the respondents.

There have been cases where such malicious sites have been discovered.

In March, the Aichi Prefectural Police arrested members involved in a "fraudulent site" that abused listing ads. According to the police, the "scam site" in which the arrested members were involved had victims transfer money by claiming to sell "PlayStation 3", and the damage amounted to at least 5 million yen nationwide in the 3 months from March last year to January this year.

In order to avoid detection, "fraudulent sites" seem to be operated with repeated minor changes, and at least 1 site using such methods has been confirmed.

The police believe that the site that deceived the Kochi man mentioned at the beginning of the article is also related.

Why are malicious sites in "ad space"?

According to a security company, the right to display advertisements is allocated by auction for each configured search keyword, according to the bid amount and other factors.

Appearing in the ad space requires more than a high bid; it also depends on various factors such as the relationship between the keyword and the content of the site, and the location of the searcher and the time of day.

The reason why sites that sell game consoles and ticket reservation sites were displayed in the advertising frame is that the "operator" of the malicious site "won the bid" for the right to display the advertisement under this mechanism.

Listing ads on search sites are displayed higher than normal search results, and even if the ads are from malicious sites, they may be displayed at the top if they bypass the screening process and win the ad space.

What is the response of the search site?

When we asked Google, a major search site, about advertisements for fraudulent sites and fake sites being included, it gave the following answer, saying, "We try to eliminate malicious advertisements."

Google Answer:
"We are aware of the latest methods used by malicious third parties to circumvent our systems and regularly update our machine learning models to flag sources such as ad-related scams. While we are able to detect and act more proactively on ads and accounts before they are served, our systems are constantly improving, but as attack techniques change, fraudulent ads may be overlooked."

Fake products on that mail-order site are also "top searches"

Further research revealed that malicious sites are not limited to advertisements, but can also appear at the top of search results.

With the help of a security company, we investigated what happens when you access an actual malicious site.

For example, if you search for "Amazon login"...

Multiple sites with the letters Amazon were displayed.

When you access one of these, you will see a page that looks exactly like the Amazon login screen. However, when I looked closely at the URL, it was different from that of the regular site.

When I entered my email address and password and clicked "Login", the message "Important Notice" appeared.
* This is a demonstration by a security company; please do not actually enter anything yourself.

Under the pretext of "strongly protecting your account", a screen asked for "captcha authentication", in which you read and enter distorted numbers and characters, like a real login page. However, even though I entered them as instructed, it did not proceed to the next page and the screen asked for the password again.

It is considered to be a clever phishing site that tries to steal multiple combinations of passwords by making the user enter IDs and passwords repeatedly.
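The URL comparison that gave away both the ".su" Ekinet ad and the Amazon look-alike above can be done mechanically. The following is an added example, not part of the original article, that checks a link's host against the domains you have bookmarked; the brand keywords, the `OFFICIAL` table and every URL in it are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> the domain you bookmarked when you
# created the account. These are placeholders, not real services.
OFFICIAL = {
    "railbooking": "railbooking.example",
    "shopmart": "shopmart.example",
}

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def check_link(url):
    """Classify a search-result or ad link: official / lookalike / unknown."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and port, and is already lowercased.
    host = (parts.hostname or "").rstrip(".")
    if any(under(host, d) for d in OFFICIAL.values()):
        return "official"
    # Not an official host: does it still borrow a brand name anywhere in the
    # authority part? Hyphens and dots are removed so "rail-booking" matches.
    squashed = parts.netloc.lower().replace("-", "").replace(".", "")
    if any(brand in squashed for brand in OFFICIAL):
        return "lookalike"
    return "unknown"

# Constructed sample links, one per pattern.
SAMPLES = [
    "https://www.railbooking.example/login",        # the bookmarked site
    "https://railbooking.invalid/login",            # same words, different TLD
    "https://railbooking.example.signin.invalid/",  # official name as subdomain
    "https://railbooking.example@pay.invalid/",     # official name before "@"
    "https://rail-booking-member.invalid/",         # hyphenated variant
    "https://news.example/article",                 # unrelated site
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):9}  {link}")
```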

"Cloaking" to trick the search

Why do these malicious sites appear at the top of searches?

According to the security company, one of the things that such sites seem to be doing is "optimization (SEO) measures" to appear at the top of the search results.

For example, keywords that are frequently used in searches can be scattered through the title and the site, and the site updated more frequently, so that search sites rate it more highly.

In addition, it is believed that some malicious sites use a method called "cloaking" to trick the robots ("crawlers") that search sites use to collect information from various sites.

For example, when a crawler accesses the site, it is shown content that appears to be a "harmless site" with no phishing purpose, while a general user who arrives through a search is apparently shown the "malicious site".

This "cloaking" is, of course, an extremely malicious act that is prohibited by the search sites.
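A defender can look for the cloaking described above by requesting the same URL once as a crawler and once as a visitor arriving from a search, then comparing what comes back. This is an added example, not from the original article; `fetch` is a hypothetical callable `(url, headers) -> html`, and the two sites below are constructed stand-ins so the check runs offline.

```python
import re
from difflib import SequenceMatcher

CRAWLER = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                         "+http://www.google.com/bot.html)"}
VISITOR = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                         "AppleWebKit/537.36 (KHTML, like Gecko) "
                         "Chrome/120.0.0.0 Safari/537.36",
           "Referer": "https://www.google.com/"}

def visible_text(html):
    """Strip scripts, styles and tags; return lowercased visible text."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    return " ".join(re.sub(r"(?s)<[^>]+>", " ", html).split()).lower()

def has_password_field(html):
    return re.search(r"(?i)<input\b[^>]*\btype\s*=\s*[\"']?password", html) is not None

def cloaking_report(url, fetch, threshold=0.5):
    """Compare the page served to a crawler with the one served to a visitor."""
    as_crawler = fetch(url, CRAWLER)
    as_visitor = fetch(url, VISITOR)
    similarity = SequenceMatcher(
        None, visible_text(as_crawler), visible_text(as_visitor)).ratio()
    # A login form that only human visitors see is the strongest signal.
    login_only = has_password_field(as_visitor) and not has_password_field(as_crawler)
    return {"similarity": round(similarity, 2),
            "login_only_for_visitor": login_only,
            "suspect": similarity < threshold or login_only}

# Constructed pages and fetchers standing in for real HTTP requests.
BLOG = ("<html><title>Travel tips</title><body><h1>Rail travel tips</h1>"
        "<p>Notes on seat reservations and timetables.</p></body></html>")
LOGIN = ("<html><title>Member login</title><body><form><input name=id>"
         "<input type=password name=pw><button>Login</button></form></body></html>")

def cloaked_site(url, headers):
    return BLOG if "Googlebot" in headers["User-Agent"] else LOGIN

def honest_site(url, headers):
    return BLOG

if __name__ == "__main__":
    print(cloaking_report("https://shop.invalid/", cloaked_site))
    print(cloaking_report("https://blog.invalid/", honest_site))
```

A site that cloaks on the crawler's IP address rather than its User-Agent looks identical to this check, so a clean result is not proof of a clean site.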

What should I do? We also need to change our mindset

Malicious sites use a variety of methods to get themselves to appear in search results.

In order not to be deceived,
▽ be aware that "what is displayed at the top of the search" is "not always correct information".
Instead of accessing the login site from a search, it is effective to
▽ set bookmarks in advance when you create an account,
▽ use the official app,
▽ supplement this with software that detects phishing.

For sites that you are using for the first time, you can also minimize risks by using prepaid cards with limits.

Search sites are indispensable to our lives, but it is necessary to use them with an awareness of the risk that malicious sites are mixed in.

NHK News Post

The #デジタルでだまされない interview team is looking for your experiences and your opinions on how not to be fooled.