It's an age-old truism that you need to spend money to make money, and it can be especially effective in the world of online advertising.

For criminals looking to break into online password managers, the payouts are potentially huge if their fake login pages are at the top of Google search. Here's a very real reason why you should take care to avoid clicking on adverts in search results.

Google Adverts Look Like Real Search Results

The Google search results page isn't what it used to be. In the early days of the search engine's rise to dominance, you'd type in your search term, hit return, and see a page of search results, sorted by Google's algorithm to be useful.

More recently, the top of the page is typically devoted to cruft Google wants you to see. Typical culprits include a snippet taken from a website or dictionary, a range of similar questions to your query, two or three adverts, and then the actual search results.

The visual style of most of these elements is different enough from the meat of the results that it's easy to scan past them and scroll down. The adverts, however, are not immediately recognizable.

They use the same link color as regular results, and have the same length of summary and the same selection of sitelinks to URLs within the website. There isn't even a dodgy tracking URL.

The only clue that you're looking at a paid ad instead of a genuine organic search result is the word "ad" in black to the left of the URL, and above the headline. That means it's easy to accidentally click on an ad, and believe you'll be taken to the most relevant search result.

Clicking adverts by accident is a familiar and frustrating feeling. It's made worse by the fact that there's a tendency among older computer users to simply type the name of the service they want to use into the search field and then click on the top result, rather than type in the actual URL.

Do Cybercriminals Buy Top Search Results on Google?

Given how easy it is to be fooled by ads which appear as search results, it makes sense for malware mongers, hoaxers, grifters, phishermen, and other unsavory sorts to buy ad slots on Google.

After all, if you want people to sign into your carefully mocked-up spoof login page for outlook.com, it would take years of dedicated SEO work to even reach the front page—even then, you'll never knock the genuine Microsoft domain from the top spot. But if you buy an ad slot so that when someone searches for "outlook", your ad appears above the search results, and it is virtually indistinguishable, there's a good chance they'll attempt to log in. You then have their Outlook username and password.

How Are Hackers Using Search Results to Hack Into Password Managers?


But having a user's email address and password can only get criminals so far. Security-conscious citizens of the web have, in recent years, started to use password managers. These services allow you to generate and store fiendishly difficult usernames and passwords that are unique to each site.

Naturally, these password vaults are especially attractive to criminals as they contain the keys to your entire online life.

In late January 2023, Reddit users reported that searching for the term "bitwarden password manager" returned adverts for fake Bitwarden sites above the search results (according to Cyber Intel Mag).

Clicking on the links led users to the domains, bitwardenlogin(dot)com and appbitwarden(dot)com.

The sites appear identical to the genuine Bitwarden vault login page, and it would be easy for you to enter your email address and master password without ever realizing anything was wrong. With these details, criminals could easily access the rest of your passwords.

The domains have since been taken down, and are blocked by multiple DNS providers, but as anyone can buy ads on Google for any search term, there's no guarantee they won't return, using different spoof domains or targeting other password managers.

How to Protect Yourself From Malicious Ads

The simplest way to protect yourself from malicious ads posing as genuine services is to pay close attention to the results on the Google search results page. If the text "ad" or "sponsored" appears anywhere near the entry, avoid it, as there's no guarantee where you'll end up.

The genuine URL should appear below the text of the result, so check it matches up with the genuine URL. If you feel you'd be better protected by not seeing adverts in your Google search results at all, using an add-on such as uBlock Origin in conjunction with Firefox can help.

You should also type out the actual URL of the site you want to visit rather than searching and clicking on the top result. If this is likely to prove too arduous, and it's a site you regularly visit, bookmark it or add it to your favorites instead.
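The "check the URL matches the genuine one" advice above can be turned into a small allowlist check. This is an added example, not code from the article: it assumes bitwarden.com and outlook.com are the only legitimate hosts for those two services, accepts the "(dot)" notation the article uses, and flags hosts that merely contain the brand name (like the two spoof domains mentioned above) as lookalikes.

```python
from urllib.parse import urlsplit

# Assumption: these are the only genuine hosts for the services in the article.
# Subdomains of them (e.g. vault.bitwarden.com) are treated as genuine too.
GENUINE_HOSTS = {
    "bitwarden": ("bitwarden.com",),
    "outlook": ("outlook.com",),
}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, refanging '(dot)' and adding a scheme if missing."""
    url = url.strip().replace("(dot)", ".")
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_genuine(host: str, genuine: tuple) -> bool:
    """True only if host is exactly a genuine domain or a real subdomain of one."""
    return any(host == g or host.endswith("." + g) for g in genuine)


def classify_link(url: str) -> str:
    """Classify a search-result link as 'genuine', 'lookalike' or 'unrelated'.

    'lookalike' means the host contains a brand name but is not that brand's
    domain, which catches bitwardenlogin.com, appbitwarden.com and also
    bitwarden.com.evil.example (brand used as a leading subdomain).
    """
    host = hostname_of(url)
    for brand, genuine in GENUINE_HOSTS.items():
        if is_genuine(host, genuine):
            return "genuine"
        if brand in host.replace("-", ""):   # heuristic: brand name anywhere in the host
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs: the two spoof domains from the article plus genuine links.
    for link in ("bitwardenlogin(dot)com", "appbitwarden(dot)com",
                 "https://vault.bitwarden.com/#/login", "https://outlook.com/"):
        print(f"{link:40} -> {classify_link(link)}")
```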

Phishing Is a Huge Threat to Your Security

Criminals will always want to steal your money and personal data, and the methods they use evolve as they seek out new opportunities and exploits.

Phishing is, by far, the most effective way they have of achieving their aims, which is why you need to know the best ways to avoid falling for it.