Malvertising explained: when the sponsored ad is the scam
You search for your bank, an exchange, or an app. The very first result, labeled "Sponsored," looks perfect. Sometimes that ad is the trap.
Bottom Line First
Malvertising is scam advertising. Attackers buy real-looking ads, most often the "Sponsored" search result above the real one, and point them at a lookalike login page or a trojanized download. Two consumer forms dominate. The first is a search-ad brand lookalike: you search for coinbase.com or your bank, click the top sponsored result, and the destination is a typosquat that harvests your login. The second is a fake-download ad: you search for a free app like Zoom, Notepad++, or Chrome and the ad serves an installer bundled with an infostealer. The ads pass review through cloaking, showing a clean page to Google's reviewer and the malicious page to you. The fix is simple and boring. Scroll past sponsored results, read the visible ad URL before clicking, type the domain directly or use a bookmark, and never download software from an ad. Google reported blocking or removing more than 8.3 billion ads in its 2025 Ads Safety Report; those are the ones that were caught, and the scam only pays because some run before they are.
What malvertising actually means
Malvertising is short for malicious advertising. It is the practice of using the ad ecosystem itself, the same one that funds search engines, news sites, and free apps, as a delivery channel for scams and malware. The ad placement is real. The ad network is real. The "Sponsored" or "Ad" label is real. What is fake is where the ad sends you.
For most people this comes down to one uncomfortable fact. The top result when you search for a brand is not guaranteed to be that brand. Paid ads sit above organic results, and a scammer can outbid or out-target the legitimate company for a window of hours before the ad is caught and pulled. During that window, the scammer's lookalike sits in the exact spot your eye expects the real site to be.
This is not a fringe problem. In its 2025 Ads Safety Report, Google said it blocked or removed more than 8.3 billion ads and suspended 24.9 million advertiser accounts over the year, including hundreds of millions of scam ads. Those are the ones caught. The business model only works for attackers because some always get through first.
The two forms you will actually meet
Display banners and pop-up ads get the headlines, but the two malvertising forms that catch ordinary people both live in the search results.
Search-ad brand lookalikes
You search for a brand you already trust. A bank, a crypto exchange, an email provider, a streaming service. The first result is a sponsored ad. Its display name reads like the real brand, its favicon is the real logo, and the green or grey URL printed underneath is a lookalike that most people never read. You click, you land on a page that is a pixel copy of the real login, and you type your credentials straight into the attacker's form.
The destination is the whole game. A real login for an exchange lives on coinbase.com. A sponsored result that takes you to a lookalike like coinbase-login-secure.vercel.app or coinbase-verify-account.com is a credential trap, not the exchange. The Hacker News documented a January 2025 campaign where fake Google Ads targeting Google Ads users themselves harvested logins and even 2FA codes. If the people who run ads for a living get hit, regular searchers do not stand a chance on instinct alone.
Fake-download ads
You want a piece of free software. Zoom for a meeting in ten minutes. Notepad++ for a quick edit. A new browser. You search the app name, the sponsored result offers the download, and the installer it serves is the real app stitched together with an infostealer that quietly sweeps your saved passwords, browser cookies, and crypto wallet data.
The 2025 reporting here is thick. Sophos detailed a campaign it called TamperedChef in which Google Ads pushed a trojanized PDF editor that looked legitimate and silently dropped an infostealer on Windows. Malwarebytes tracked sponsored Google ads impersonating DeepSeek in March 2025 to deliver malware, and a December 2025 campaign that funneled Mac users through poisoned AI-chat pages to the AMOS infostealer. The pattern repeats with whatever software is trending. A fake download page like google-chrome-setup.pages.dev or coinbase-wallet-download.vercel.app is a malware dropper wearing the name of software you actually wanted.
The cruel part is the timing. Infostealer payloads often do nothing visible. No popup, no crash. The app you searched for even works. The theft shows up days later when your accounts log in from a strange city or a wallet you barely touch drains in a single transaction.
Why even Google and Bing ads get abused
Ad networks review ads, so how does the malicious one ever go live? The answer is cloaking. The attacker builds two destinations behind one ad. The reviewer, and Google's automated crawlers, get shown a clean decoy page that breaks no rules. The real visitor, fingerprinted by location, device, browser, and referrer, gets served the malicious money page. The ad passes review because the reviewer literally never sees the bad version.
Layered on top of cloaking is speed. Attackers rotate advertiser accounts and landing-page domains constantly. An account is created, a card is charged, an ad runs for hours, and by the time the network flags it the campaign has already moved to a fresh account and a new lookalike domain. Some operators hijack legitimate, already-trusted advertiser accounts so the ad inherits a clean history, a technique Malwarebytes documented under the name "the great Google Ads heist" in January 2025.
None of this means Google or Microsoft are negligent. It means ad review is an arms race against an adversary who only needs to win for a few hours per domain. The defense cannot be "trust the network caught it." The defense has to be your own habits at the moment you click.
Red flags before you click a sponsored result
You do not need to be technical. You need a short checklist you run every time, especially when money or a login is involved.
- The "Sponsored" or "Ad" label is a yellow flag by itself. It is not proof of a scam, but it means a result earned its position by paying, not by being the most relevant. For a brand you can name, the paid slot is the one slot a scammer can buy.
- Read the visible ad URL, not the headline. The big blue title can say anything. The actual domain printed under it is what you are clicking. coinbase.com is the brand. coinbase-verify-account.com is a lookalike. The difference is the entire point.
- Scroll past the sponsored block to the first organic result. Organic results cannot be bought into the top slot the way ads can, and the real brand almost always sits there. If the organic result and the ad point to different domains, trust the organic one.
- Type the domain directly or use a bookmark for anything sensitive. For your bank, your exchange, your email, do not search at all. Type the address you already know, or click a bookmark you saved on a day you were not in a hurry.
- Never download software from an ad. Go to the vendor's known domain directly. The free app you want is on the maker's real site, not on a sponsored landing page named after it.
- A login screen that arrived right after a sponsored click deserves suspicion. If you searched, clicked an ad, and immediately face a login asking for your password, stop. Open a new tab and reach the real site yourself.
- Verify an installer's signature when you can. On Windows, right-click the file, check Properties, then Digital Signatures, and confirm the publisher name matches the real company. On Mac, an unsigned or wrong-developer app is a hard stop.
- Run an ad-blocker. A content blocker that removes search ads removes the search-ad attack surface, which is where both forms above live. You lose nothing real, because the organic results are right below.
What to do if you already clicked
If you entered a password on a lookalike page reached from an ad, change that password immediately from a device you trust, and turn on or reset two-factor authentication. If you reused that password anywhere, change it there too. Our guide to telling if a website is a scam walks through confirming whether the page was real.
If you downloaded and ran an installer from an ad, treat the machine as compromised. Disconnect it, run a reputable malware scan, and from a separate clean device rotate the passwords for your email, banking, and any crypto accounts. If you hold crypto, assume seed phrases and wallet data may have been read, and move funds to a fresh wallet. Our seed-phrase recovery guide covers the order to do this in.
Report the ad. In the United States, file with the FTC at reportfraud.ftc.gov and, for financial loss, the FBI at ic3.gov. Use the report link Google and Microsoft attach to each ad so the network can pull the campaign faster. Reporting one lookalike protects the next searcher.
How SafeBrowz blocks this threat
Malvertising is a delivery problem, not a content problem. The ad gets you to a destination, and the destination is where SafeBrowz works. We do not need to see the ad. We check the page the ad sent you to.
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. A known brand name appearing on a non-official lookalike domain is flagged on the URL alone, without reading the page, so a Coinbase or bank login on a typosquat is caught even before the page draws. Free-hosting download pages (*.vercel.app, *.pages.dev, and similar) get no free pass from the hosting platform's reputation.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and a list of 30+ scam-heavy TLDs to catch destinations already reported in the wild.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis reads the landing page itself and flags fresh lookalikes and fake-download fronts that no blocklist has seen yet, in seconds.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
FAQ
Is every sponsored result a scam?
No. Most sponsored results are legitimate businesses paying for placement. The risk is that the one paid slot above the organic results is the one slot a scammer can also buy, and for a brand you already know, that slot is the easiest place to impersonate it. Treat sponsored results for banks, exchanges, and software downloads with extra care, and prefer the organic result or a direct address.
How is malvertising different from regular phishing?
Phishing is the broad category of tricking you into handing over credentials or money. Malvertising is one delivery method for it: instead of an email or text, the lure is a paid ad, usually a sponsored search result. The fake login page at the end can be identical. The difference is how you arrived, by clicking an ad rather than a message.
How do bad ads pass Google and Bing review?
Mainly through cloaking. The attacker shows a clean, policy-compliant page to the ad network's reviewer and crawler, and serves the malicious page only to real visitors based on location, device, and other signals. Combined with rapidly rotating advertiser accounts and landing-page domains, this lets a campaign run for hours before it is caught and removed.
Will an ad-blocker stop malvertising?
For search ads, largely yes. If a content blocker removes the sponsored results, it removes the malicious search ad along with them, and the real organic result is still right below. It is not a complete defense on its own, since you can still reach a lookalike by other routes, but it shrinks the attack surface a lot at no real cost.
I downloaded software from a sponsored ad. What now?
Treat the device as compromised. Disconnect it, run a reputable malware scan, and from a separate clean device change the passwords for your email, banking, and crypto accounts and reset two-factor authentication. If you hold crypto, assume wallet data was read and move funds to a fresh wallet. Infostealers often act days later, so do not wait for a visible symptom.
How can I tell the real download site from a fake one?
Go to the software maker's known domain directly rather than through any ad, and read the URL before you download. Verify the installer's digital signature matches the real publisher. When in doubt, paste the link the ad pointed to into a scanner like the one on this page and check the verdict before running anything.
Are display banners and pop-up ads also malvertising?
Yes. Malvertising also includes booby-trapped display banners and pop-ups that redirect to scareware, fake tech-support pages, or drive-by download sites. For everyday users the search-ad forms cause the most direct account and wallet loss, which is why they are the focus here, but the same defense applies: do not act on what an ad pushes, reach the real site yourself.
Catch the lookalike the sponsored ad sends you to
SafeBrowz checks the destination behind an ad, not the ad itself. A brand login on a typosquat or a fake-download page on free hosting is flagged before you sign in or run the installer. The extension is free forever for phishing and brand impersonation blocking. Premium adds wallet-drainer detection and AI analysis of the landing page.