Exploring Malvertising Driven by Brand Impersonation in Search Engine Ads
J.L. Dekker (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Platon Kotzias – Mentor (BforeAI)
Harm Griffioen – Mentor (TU Delft - Cyber Security)
Mitchell Olsthoorn – Graduation committee member (TU Delft - Software Engineering)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Malvertising is a significant threat, in which attackers leverage online advertisements to deceive users and distribute scams, phishing pages, and malware. While prior research has largely focused on low-tier ad networks and high-risk websites, this study examines brand impersonation in mainstream search advertising platforms, specifically Google Ads.
We queried Google with brand-related search terms, capturing and analyzing the advertisements displayed to assess the scale and nature of impersonation. Over a 24-day period, our scraper collected a dataset of 52k ads across 605 brands, extracting key features such as advertiser identity, redirection chains, and landing page content.
Using a combination of manual inspection and six brand-agnostic heuristics, we identify various forms of abuse, including phishing pages, tech support scams, and a previously undocumented category, affiliate brand bidding. This last technique, in which affiliates place search ads to divert users through affiliate links, affects at least 189 brands in our dataset.
In total, 4,160 ads (7.9%) were flagged as abusive, 3,781 of which involved affiliate brand bidding. Our results further reveal that verified Google Ads accounts are being rented or resold, enabling systematic evasion of identity checks. These findings expose enforcement gaps in Google’s ad review and verification systems.