Google moves to encrypt ads following cyberattacks

All ads placed through Google will be encrypted by this summer.

Google made the announcement on Friday amid new revelations that digital scammers were taking advantage of its popular advertising service, DoubleClick, to launch cyberattacks on visitors to mainstream websites like The Huffington Post.

For the tech giant, it’s the culmination of efforts over the last year to encrypt ads on various Google services, including YouTube and Google.com.

{mosads}“With these security changes to our ads systems, we’re one step closer to ensuring users everywhere are safe and secure every time they choose to watch a video, map out a trip in a new city, or open their favorite app,” Google said.

The DoubleClick advertising network is the service of choice for many websites driven by ad revenue. Of the top one million most visited websites that use ad services, nearly 70 percent use DoubleClick.

But security experts over the past week uncovered two widespread hacking campaigns taking advantage of that wide reach.

Cyber crooks were luring users into clicking on a fake ad that injects malicious software into their computer.

The discovery shed light on the growing threat of malicious software being spread through ads, known as “malvertising.”

Nearly a week ago, MalwareBytes noticed a suspect ad for fashion company Hugo Boss that was popping up on real estate listing site Zillow.com and The Huffington Post homepage.

The nefarious ad was apparently spread through Google’s DoubleClick by way of third-party ad network AdButler.  

Unlucky users who clicked on it were in danger of getting ransomware, which holds the computer’s content hostage until the user pays a fee.

On Thursday, the researchers discovered another cyberattack being spread through DoubleCilck via another ad network, Merchanta.

Merchanta reaches 28 people monthly in the U.S. alone. Worldwide, the company’s ads reach over 95 percent of online consumers each month.

That allowed the “booby trapped ad” to expose millions of people “within minutes,” said Jérôme Segura, senior security researcher at Malwarebytes, in a blog post.

“Although DoubleClick is not directly responsible for loading the malicious ad, it starts the chain of trust with the publisher, which unfortunately has little control over the subsequent transactions taking place,” he added.

Google has been working in recent years to encrypt its major products, such as its search function, Gmail and Google Drive.

Over the last year, it has started focusing on its ad products. YouTube ads were all encrypted by the end of 2014.

By June 30, the company said, “the vast majority of mobile, video, and desktop display ads” placed through Google will be encrypted.

Congress has also moved to address malvertising.

Sens. John McCain (R-Ariz.) and Carl Levin (D-Mich.) last year spearheaded an investigation into the nefarious strategy.

The Senate’s Subcommittee on Investigation released a lengthy report in May 2014 that called out online advertisers for not aggressively tackling the issue.

“We must understand the security and privacy hazards consumers face in online advertising and make sure standards and rules exist to ensure consumers do not have to be more tech savvy than cyber criminals to stay safe online,” McCain said.