Google says “No more” to deceptive download and play buttons in ads

library
crime | hacking | security

Google’s Safe Browsing project is designed to protect web users by throwing up a warning screen when you attempt to browse to insecure websites.

That includes sites that use untrusted certificates, harbor malware, foist deceptive software, or those suspected of tricking users with social engineering, such as phishing sites.

Now Google has added another category of social engineering to its Safe Browsing service – deceptive embedded content, including ads.

According to Google’s Lucas Ballard, Safe Browsing will consider embedded content on a webpage as social engineering if it:

Pretends to act, or looks and feels, like a trusted entity such as your device or browser, or the website itself.
Tries to trick you into doing something you’d only do for a trusted entity, like sharing a password or calling tech support.

Ads that violate this policy include those with warnings that your software is out of date and you need to update, sometimes mimicking dialogue windows like this one below.

Google also says embedded content such as “Download” or “Play” buttons are forbidden if they’re designed to look like they are related to actions on the site (like watching a streaming video), but may whisk you away to another unrelated website.

If you do come across a website with deceptive embedded content, you’ll get a bright red warning screen telling you there’s a “Deceptive site ahead,” and containing the message:

Attackers on XXXXX.XXX may trick you into doing something dangerous like installing software or revealing your personal information (for example, passwords, phone numbers, or credit cards).

There’s an option to go “Back to safety,” which will navigate you away from the site.

Google changed the design of its warning pages last year after it found 70% of Chrome users were ignoring them.