A recent study conducted by Censuswide for Menlo Security, a specialist in cloud security, has found that one in three UK consumers believe that more than half of all advertisements on websites or social media platforms are generated by artificial intelligence (AI).
Menlo Security is cautioning against the growing threat of "malvertising," which involves embedding malware into online or social media ads. This threat has been amplified by the rise of convincing fake ads created using AI tools like ChatGPT and image generators such as Midjourney and DALL-E. The research also reveals that many people are unaware of the risks associated with clicking on fake ads, which can potentially be malicious.
The majority of respondents (70%) are unaware that they can be infected with malware by clicking on a brand logo, despite the increasing prevalence of impersonated brands like Microsoft and Google. Approximately half of the respondents (48%) are oblivious to the fact that they can be infected via social media ads, and 40% do not realize that clicking on pop-ups and banners can lead to malware infections. However, almost three-quarters (73%) understand that malware can be hidden in email links and can infect their devices.
Surprisingly, despite the difficulty in identifying malicious AI-generated ads, 70% of consumers admit to clicking on advertisements to some extent while browsing the internet. This poses a risk as users visiting sites with infected ads may unknowingly download malware onto their devices. On average, one out of every 100 online ads is found to be malicious, but Menlo Security warns that this number could increase as more AI tools and software become readily available and user-friendly.
Around 31% of respondents lack confidence in their ability to recognize and avoid malvertising threats, with the percentage rising to 40% among women and individuals aged 55 and above.
Consumer trust with regard to malvertising varies depending on the nature of the website. Social networking sites like Facebook and Instagram are viewed as more trustworthy, with one in five people believing that these platforms are free from malvertising. However, trust in Twitter is lower, with only 14% believing it to be free from malvertising. Trust levels increase slightly for sites like Amazon (28%) and Google (25%).
Tom McVey, an AI security spokesperson at Menlo Security, emphasizes that the growing prevalence of AI-generated content online will contribute to the rise of highly evasive threats such as malvertising. Malicious use of AI can produce convincing text and images that resemble popular brands or logos. Menlo Security's research reveals that users are only three to seven clicks away from encountering malware online. When users click on a fraudulent link, cybercriminals can inject malware onto their devices, typically for financial gain. With easily accessible malware-as-a-service and AI-generated text and images, even attackers with minimal skills can create persuasive ads, which is why an increase in malvertising is expected.
The research indicates that only 32% of respondents trust no website to be free from malvertising. It is crucial to raise awareness of the risks so that individuals exercise caution when clicking on ads on any website, regardless of their level of trust. For instance, the top three brands impersonated by malicious actors in the past 90 days, with the intent to steal personal and confidential data, were Microsoft, Facebook, and Amazon. It may come as a shock to some people that even the most reputable websites are not immune to malvertising.
To avoid falling victim to malvertising, Tom McVey suggests the following tips:
Carefully examine URLs (website addresses) before clicking. Hover your mouse over the ad until the URL appears, and scrutinize it to ensure it matches your expectations. Threat actors often use deceptive domain names, substituting certain characters to deceive the eye. For example, a lowercase 'l' can pass for the 'i' in "Microsoft." While attackers can employ clever tricks to make a website address appear similar, they cannot use the actual domain name of the site you believe you're clicking on. Hence, careful checking is one of the best ways to distinguish fraudulent ads.
Evaluate the authenticity of the brand logo. When a logo is copied, it may appear stretched, distorted, or pixelated. Additionally, if the background color seems unusual, such as a Microsoft logo on a black background, it could be a sign of illegitimacy. Legitimate companies often adhere to strict branding guidelines, which may not be followed by malvertising attackers.
Consider the actions requested by the ad. Legitimate brands often place ads to track the number of impressions, indicating how many people have viewed the ad. Malvertising campaigns disregard impressions and typically include a call to action asking you to "click here" or "buy now." Such ads should be approached with caution.
Maintain a cautious attitude toward ads, regardless of the website's credibility. While credible news sites like the BBC may have stricter vetting processes for the ads they publish compared to lesser-known sites, they are not immune to malvertising. The same cautious approach should be applied to clicking on ads.
Beware of redirections. If you do click on an ad and it takes you to the expected site, be aware that the more ads you click on, the higher the likelihood of encountering malware. Each ad click will likely direct you to a website with less rigorous vetting procedures than the previous one. Highly reputable websites do not need banner ads to attract visitors.
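The URL check from the first tip can be automated. The sketch below is an added example, not code from Menlo Security or the study: it treats a destination as genuine only when its hostname sits under a brand's real domain, and flags hostnames that merely look like one. It goes beyond the 'l'/'i' case to cover digit swaps, "rn" for "m", Cyrillic letters and punycode; the brand allowlist, the substitution table and the sample URLs are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist for this example: brand name -> genuine domain.
BRANDS = {"microsoft": "microsoft.com", "google": "google.com",
          "amazon": "amazon.com", "facebook": "facebook.com"}
# Small constructed substitution table; real tools use Unicode confusables data.
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"),
         ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0441", "c")]


def to_unicode(host):
    """Decode punycode (xn--) labels so IDN lookalikes can be inspected."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA


def skeleton(label):
    """Fold a label so visually similar spellings compare equal."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for src, dst in FOLDS:
        text = text.replace(src, dst)
    return text


def classify(url):
    """Return (verdict, brand) for an ad's destination URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    for brand, domain in BRANDS.items():
        if host == domain or host.endswith("." + domain):
            return ("genuine", brand)
    # Not under a real brand domain: does any part merely look like one?
    for part in re.split(r"[.-]", to_unicode(host)):
        for brand in BRANDS:
            if part and skeleton(part) == skeleton(brand):
                return ("lookalike", brand)
    return ("unrelated", None)


# Constructed destination URLs on the reserved .example TLD.
SAMPLES = ["https://www.microsoft.com/en-gb/offers",
           "https://mlcrosoft.example/login",
           "https://micr\u043esoft.example/",
           "https://microsoft.com.account-check.example/verify"]
VERDICTS = [classify(url) for url in SAMPLES]
```

The last sample shows why the whole hostname matters: "microsoft.com" appears in it, but only as a subdomain of a different site.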