Independent research conducted by CensusWide for Menlo Security, Inc. (Menlo Security), a leader in cloud security, has revealed that one in three UK consumers believe that over half of all advertisements on websites or social media sites are generated by AI (artificial intelligence).
Menlo Security is warning of an increase in ‘malvertising’, a form of highly evasive threat where malware is embedded into online or social media ads – due to the rise in convincing fake ads created by AI tools like ChatGPT and image generators, like Midjourney and DALLE. The research also highlights that many are unaware of the risks of clicking on fake, and therefore potentially malicious, advertisements.
The vast majority (70%) of respondents don’t know they can be infected with malware by clicking on a brand logo despite an increase in impersonated brands like Microsoft and Google. Around half (48%) are unaware they can be infected via a social media ad and 40% don’t know they can be infected by clicking on pop-ups and banners. By comparison, almost three-quarters (73%) understand they can be infected by malware hidden in an email link.
In the study, 70% of consumers say they click on advertisements on the internet ‘to some extent’; this is despite AI-generated ads making it more difficult to identify them as malicious. As people visit sites with infected ads, they may unknowingly download malware onto their device. On average, one out of 100 online ads is malicious, but Menlo Security warns that this could rise as more AI tools and software become available and easy to use.
Almost a third (31%) of all respondents are not confident in their ability to recognise and avoid malvertising threats. This rises to 40% in women and 41% of over-55s.
Consumer trust varies according to the nature of the site. Social networking sites such as Facebook and Instagram are seen as more trustworthy, with one in five people trusting these sites not to have malvertising, while Twitter is less so (with only 14% trusting it not to have malvertising). This trust increases slightly for sites such as Amazon (28%) and Google (25%).
Tom McVey, AI security spokesperson at Menlo Security, comments: “The growing prevalence of AI generated content online will only fuel highly evasive threats such as malvertising. AI used maliciously can not only generate convincing text, it can also generate images which can be made to appear like popular brands or logos. Our research has found that you’re only 3-7 clicks away from malware online. When users click a false link, cybercriminals can inject their malware onto the victim’s device, most commonly for financial gain. With malware-as-a-service and AI generated text and images easily accessible, even attackers with little or no skills can create convincing ads – we’re expecting a big uptick in malvertising as a result.
“The research found that only 32% wouldn’t trust any website not to contain malvertising, but awareness of the risks needs to increase so that anyone online applies caution to clicking on adverts on any website, no matter how much they trust it. For example, we found that the top three brands impersonated by malicious threat actors over the last 90 days, to steal personal and confidential data, were Microsoft, Facebook, and Amazon. Some people may be shocked to learn that even the most credible websites are not immune to malvertising.”
Tom McVey shared the following top tips to avoid being the victim of malvertising:
• Carefully check URLs (website addresses) before clicking: Hover your mouse over the advert until the URL appears and check it properly to see if it’s what you’d expect. Threat actors can often use convincing domain names by replacing certain characters to trick the eye. For example, a lower case ‘l’ can sometimes look like an ‘i’ in ‘Microsoft’. However, whilst they can make use of clever tricks to make a website address look similar, they won’t be able to use the actual domain name of the site you think you’re clicking on – so checking carefully is one of the best ways to tell.
• Look at the brand logo used to see if it looks genuine. Often when a logo is copied, it can appear stretched, squashed or pixilated, or if the background colour looks strange to you, for example a Microsoft logo on a black background, this could be a sign that it’s not legitimate; companies often have strict branding guidelines that malvertising attackers won’t necessarily follow.
• Consider what the advert is asking you to do. Legitimate brands often place adverts to measure the number of impressions made i.e., how many people have viewed the advert. Malvertising campaigns do not care about impressions, instead they will usually have a call to action asking you to ‘click here’ or ‘buy now’. These types of ads should be treated with caution.
• Take a cautious approach to adverts, no matter the credibility of the website. Whilst credible news sites, such as the BBC, may have a higher vetting process for the adverts they publish than less well-known sites, they are not immune to malvertising. The same rules apply in taking a cautious attitude to clicking on ads.
• Beware of redirections. If you do click on an advert and it takes you through to the site you expected, be aware that the more ads you click on the higher chance you have of encountering malware. Each ad click will likely bring you to a website with less stringent vetting procedures than the last; highly credible websites don’t need to place banner ads to get you to visit.