Do you trust Google search with navigating you to your trusted sites?
Most people do. But you shouldn’t. Or at least not without doing your due diligence.
This scam specifically targets Bing Ads advertisers, but the same loophole can be exploited against your online banking, financial institutions, email accounts, social media accounts and anything else you can think of that contains sensitive information. The hackers have swindled at least a hundred thousand dollars, an amount that has been confirmed by multiple undisclosed but reliable direct sources of mine.
I have broken this article into three critical sections:
- What is a phishing scam?
- How was money stolen using this phishing scam?
- How can you prevent getting scammed and swindled of your hard earned money?
What is a Phishing Scam?
By definition, a phishing scam is an email that falsely claims to come from a legitimate enterprise in an attempt to trick the user into surrendering private information to be used for identity theft. The Bing Ads phishing scam extends the mechanism used for phishing from email to search, specifically Google search.
How Was Money Stolen in the Bing Ads Phishing Scam?
The Bing Ads advertiser types "bing ads", or a similar keyword, into Google. The advertiser, who is the business owner or a proxy of the business owner, clicks the first link that comes up.
Next, the link takes the advertiser to this landing page:
The advertiser attempts to log in, but the page redirects them to what appears to be the Bing Ads login portal again.
On the second login attempt, the advertiser gets into his or her Bing Ads dashboard. During the first login attempt, however, the fake page has already sent the unwary advertiser's username and password to the hacker.
How does the hacker make money from this?
This is where the phishing scam takes an interesting turn: the hacker uses the advertiser’s Bing Ads account to run high-budget pay-per-click campaigns that funnel leads to a 3rd party company, which pays the hacker for each lead generated. In this scam, the 3rd party company is a pay day loans company and most likely is not in on the scam. The hacker gets paid, the pay day loans company gets its leads, and the unlucky advertiser gets billed a big lump sum of money by Bing Ads.
How Can I Prevent Myself from Getting Scammed and Swindled? And How Did the Hacker Pull This Off?
In short, there is no hacker-proof method for anything. The good news is that I have one tip that will go a long way: double check the web browser address bar.
At this point, you have probably noticed that the landing page URL looks sketchy, but there are a few more details you may have missed. If you caught them all, the future looks bright for you! For everybody else…
- Did you notice the URL in the Google search results is different from the actual landing page URL? This is because Google Adwords, which is Google’s advertising platform, allows you to put a display URL which does not have to match the actual URL. This is the fundamental principle behind exploiting the Google Adwords loophole.
- Did you notice that on the second Bing Ads landing page (the actual one), there is a green area in the address bar with a lock? This indicates that the website is served over Secure Sockets Layer (SSL), otherwise known as an HTTPS connection, which means any data transmitted to the site is encrypted.
- So if I see the HTTPS connection, then I am on the correct website? No. It costs $10 and any hacker can set up an SSL certificate in under an hour. However, the one that large corporations use is typically VeriSign and those are expensive. What you want to do is click the green lock icon, click Connection and confirm that it is signed by VeriSign.
There are ways to exploit this safety check but oftentimes hackers will simply go for the easier prey.
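The address-bar check described above can also be scripted, for example over a list of ad clicks exported from a proxy log. The sketch below is an added example, not part of the original article: it compares the display URL an ad showed with the URL the click actually landed on. The trusted host in `TRUSTED_DOMAINS` is an assumption to replace with the sign-in hosts you use, and the sample URLs are constructed on the reserved `.example` domain.

```python
from urllib.parse import urlsplit

# Assumption: the host(s) you expect to sign in on. Replace with your own list.
TRUSTED_DOMAINS = {"bingads.microsoft.com"}


def _host(url):
    """Return the lowercased hostname, adding a scheme if the ad text omitted it."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def _under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_landing(display_url, landing_url, trusted=TRUSTED_DOMAINS):
    """Compare what the ad showed with where the click actually ended up."""
    findings = []
    shown, actual = _host(display_url), _host(landing_url)
    parts = urlsplit(landing_url)
    if shown != actual:
        findings.append(f"display host {shown!r} differs from landing host {actual!r}")
    if not any(_under(actual, d) for d in trusted):
        findings.append(f"landing host {actual!r} is not under a trusted domain")
    if parts.scheme != "https":
        findings.append("landing page is not served over HTTPS")
    if parts.username is not None:
        findings.append("landing URL carries userinfo before '@'")
    if any(label.startswith("xn--") for label in actual.split(".")):
        findings.append("landing host contains a punycode (IDN) label")
    return findings


if __name__ == "__main__":
    # Constructed samples: one genuine-looking click and two lookalikes.
    samples = [
        ("bingads.microsoft.com", "https://bingads.microsoft.com/"),
        ("bingads.microsoft.com", "http://bingads.microsoft.com.login.example/signin"),
        ("bingads.microsoft.com", "https://bingads.microsoft.com@ads-portal.example/"),
    ]
    for shown, landed in samples:
        print(landed, "->", check_landing(shown, landed) or "OK")
```

An empty result only means the hostname checks passed; the certificate check from the last bullet still has to be done in the browser.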