SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
AI
#
Cloud Security
#
Cybersecurity
1 in 3 UK customers wary of AI-generated ads: Menlo Security
Fri, 16th Jun 2023
Author image
By Gaurav Sharma, Journalist
Follow us

Independent research conducted by CensusWide for Menlo Security, a cloud security provider, has revealed that one in three UK consumers believe that over half of all advertisements on websites or social media sites are generated by artificial intelligence (AI).

Menlo Security is warning of an increase in "malvertising", a form of highly evasive threat where malware is embedded into online or social media ads, due to the rise in convincing fake ads created by AI tools like ChatGPT and image generators, like Midjourney and DALLE. The research also highlights that many are unaware of the risks of clicking on fake, potentially malicious advertisements.

Most (70%) respondents don't know they can be infected with malware by clicking on a brand logo despite an increase in impersonated brands like Microsoft and Google. 

Around half (48%) are unaware they can be infected via a social media ad, and 40% don't know they can be infected by clicking on pop-ups and banners. By comparison, almost three-quarters (73%) understand they can be infected by malware hidden in an email link.

In the study, 70% of consumers say they click on advertisements on the internet "to some extent" despite AI-generated ads making it more difficult to identify them as malicious. People visiting sites with infected ads may unknowingly download malware onto their devices. On average, one out of 100 online ads is malicious, but Menlo Security warns that this could rise as more AI tools and software become available and easy to use.

Almost a third (31%) of all respondents are not confident in their ability to recognise and avoid malvertising threats. This rises to 40% in women and 41% of over-55s.

Consumer trust varies according to the nature of the site. Social networking sites such as Facebook and Instagram are seen as more trustworthy, with one in five people trusting these sites not to have malvertising. At the same time, Twitter is less so (with only 14% trusting it not to have malvertising). This trust increases slightly for sites like Amazon (28%) and Google (25%).

“The growing prevalence of AI generated content online will only fuel highly evasive threats such as malvertising. AI used maliciously can not only generate convincing text, it can also generate images which can be made to appear like popular brands or logos. Our research has found that you’re only 3-7 clicks away from malware online. When users click a false link, cybercriminals can inject their malware onto the victim’s device, most commonly for financial gain. With malware-as-a-service and AI generated text and images easily accessible, even attackers with little or no skills can create convincing ads – we’re expecting a big uptick in malvertising as a result,” says Tom McVey, AI security spokesperson at Menlo Security.

“The research found that only 32% wouldn’t trust any website not to contain malvertising, but awareness of the risks needs to increase so that anyone online applies caution to clicking on adverts on any website, no matter how much they trust it. For example, we found that the top three brands impersonated by malicious threat actors over the last 90 days, to steal personal and confidential data, were Microsoft, Facebook, and Amazon. Some people may be shocked to learn that even the most credible websites are not immune to malvertising.”

Sharing the top tips on avoiding being the victim of malvertising, McVey advises carefully checking URLs (website addresses) before clicking. 

“Hover your mouse over the advert until the URL appears and check it properly to see if it’s what you’d expect. Threat actors can often use convincing domain names by replacing certain characters to trick the eye. For example, a lower case ‘l’ can sometimes look like an ‘i’ in ‘Microsoft’. However, whilst they can make use of clever tricks to make a website address look similar, they won’t be able to use the actual domain name of the site you think you’re clicking on, so checking carefully is one of the best ways to tell.” 

He says to look at the brand logo used to see if it looks genuine.  

Often when a logo is copied, it can appear stretched, squashed or pixilated, or if the background colour looks strange to you, for example, a Microsoft logo on a black background, this could be a sign that it's not legitimate; companies often have strict branding guidelines that malvertising attackers won't necessarily follow. 

“Consider what the advert is asking you to do. Legitimate brands often place adverts to measure the number of impressions made i.e., how many people have viewed the advert. Malvertising campaigns do not care about impressions, instead they will usually have a call to action asking you to ‘click here’ or ‘buy now’. These types of ads should be treated with caution,” he adds. 

“Take a cautious approach to adverts, no matter the credibility of the website. Whilst credible news sites, such as the BBC, may have a higher vetting process for the adverts they publish than less well-known sites, they are not immune to malvertising. The same rules apply in taking a cautious attitude to clicking on ads.” 

Finally, beware of redirections, he says. “If you do click on an advert and it takes you through to the site you expected, be aware that the more ads you click on the higher chance you have of encountering malware. Each ad click will likely bring you to a website with less stringent vetting procedures than the last; highly credible websites don’t need to place banner ads to get you to visit.”   

Related stories
Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs
GitHub's 2FA initiative helps secure software supply chain
Jason Haddix joins Flare as Field Chief Information Security Officer
High Performance Podcast duo to keynote Infosecurity Europe conference
New UK cybersecurity law takes effect amid evolving threats
Top stories
The messaging evolution and the fight against fraud
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity