Original post, February 4: Last year Google made a promise to expand its Safe Browsing system to cover social engineering attacks, the kind where spammers try to trick you into divulging passwords or personal information. Well, today Google is expanding the scope of its social engineering defence even further, by tackling deceptive download ads too.
You know the ones: the pop-up ads you frequently encounter on streaming sites, telling you your device is infected with viruses or that your browser is out of date and all you need to do is “click here”. You’ll see them for all kinds of things – updating Flash Player, installing a movie-streaming app, updating Chrome, removing viruses – but the new addition to Safe Browsing aims to protect you from deceptive embedded ads or buttons.
The only problem is, it doesn’t exactly work as advertised. Safe Browsing is enabled by default in Chrome; just go to Settings > Privacy > Safe Browsing to check. I thought I’d test this new protection by visiting one of the notoriously spammy movie streaming sites on the web, and every movie I tried to watch produced a new social engineering attack. Theoretically, you’re supposed to see this splash screen:
Now, the majority of these deceptive ads I saw were pop-ups or pop-unders – the kind that launch a new browser window – but there were still plenty of dodgy “Install” and mislabelled “Stream Now” buttons scattered around the sites, along with ads prompting me to update media players and so on. Perhaps it’s early days yet, but I’d advise you to still use utmost caution when visiting sites like these and only install apps from trusted sources.
Have you ever been caught out by a deceptive ad or Download button? How do you manage your browsing security?