Unspoken Online Risks for Seniors


Prioritizing the safety of a vulnerable community is the right thing to do. 

Your grandparents, elderly neighbors, and community leaders are under attack. Every time they access the internet—read the news, look up the weather, buy an online gift, place a grocery delivery order, log into a social platform—these aging adults are at risk of malware. Yeah, online risks for seniors are real.

From phishing and credit card theft to exploit kits and backdoors, these attacks often happen without their knowledge. Even worse, many attacks are scouting missions, seeking to better understand an individual in preparation for launching future, larger-scale, more harmful attacks. Unfortunately, antivirus, endpoint, or creative blocking security solutions don’t stop these issues, leaving seniors exposed.

A key component to enabling digital trust and safety is identifying these risks—for both the media owner and the consumer. There are countless articles and “how-to” lists providing general information about online harms. But, what seniors—a demographic projected to double in size by 2040—really need are visual cues to these risks. First stop: online advertising.

Have you seen me? Online Risks for Seniors

Seniors experienced an 11X increase in malware throughout 2022. Unfortunately, it’s not looking any better for 2023. The Media Trust reviewed hundreds of advertising campaigns served during July and August 2023, and more than 250 distinct incidents exposed at least 15,000 seniors in the U.S. to malware. [Figure 1]


Figure 1: Different malware behaviors affecting seniors during their online journeys

These threats go beyond clickbait—ads that attract attention with sensationalized headlines and encourage clickthrough to a page. While the goal of clickbait is to bring individuals to a specific page, the main impact to consumers is negligible beyond an eyesore, NSFW content, or an ego bruise.

These ads cause actual harm—from device infection to financial theft—and should be avoided at all costs.


Backdoor – prelude to an attack

Backdoors are attacks used to deliver a wide variety of known malicious payloads with or without user interaction. This is even more damaging when the compromised device has access to password-protected sites like social media platforms and banking accounts.


Figure 2: Backdoors: Notice how these ads ask the user to do something. The requested action leads to the installation of an unwanted program that implants a backdoor on their device.

When these ads are clicked, the consumer is presented with a popup and/or is automatically redirected to a range of content in the form of fake software updates, technical support scams, infected device alerts, and browser hijacks that attempt to install potentially unwanted programs (PUPs—e.g., toolbars, adware, ad injection, etc.). These PUPs are closely associated with the propagation of ransomware, keystroke loggers, and cryptominers—slowing device performance by using system resources to mine for cryptocurrency.



E-skimming – stealing your credit card, your life

After a spring full of incidents, e-skimming attacks pared down to just a few incidents this summer. The attacks inject malicious files into an otherwise legitimate website to enable theft and/or unauthorized use of consumers’ sensitive data when visiting a compromised website. The theft typically occurs when a consumer fills out a form and the data input is routed to an unauthorized third-party—a scary scenario when you think of online shopping.

Ads associated with e-skimming attacks are usually detected upon analysis of a campaign’s clickthrough action—code that executes when a digital ad is clicked—or the landing page URL. [Figure 3]. In effect, the ads resolve to a compromised website that allows theft of sensitive consumer information—e.g., user name, address, credit card information, passwords, and more. Be on alert as we go into the holiday season.


Figure 3: This banner ad sent seniors to a compromised landing page with e-skimming in August.
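One way to check a landing page for the routing described above, where form input is sent to an unauthorized third party. This is an added example, not code from the original article or from The Media Trust. The sample page, its host names, the allowlist, and the field-name hints are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed landing page for illustration; all hosts are placeholders.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<script src="/static/cart.js"></script>
<script src="https://cdn.payments.example/sdk.js"></script>
<script src="https://stats-collector.invalid/a.js"></script>
<form action="/order" method="post"><input name="email"></form>
<form action="https://stats-collector.invalid/c" method="post">
  <input name="card_number"><input name="cvv" type="password">
</form>
"""
SENSITIVE_HINTS = ("card", "cvv", "pass")  # assumed field-name hints

class LandingPageAudit(HTMLParser):
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        # The page's own host is always allowed; others must be listed.
        self.allowed = {urlsplit(page_url).hostname} | set(allowed_hosts)
        self.findings = []
        self._form = None  # finding for the currently open off-origin form

    def _host(self, ref):
        # Resolve relative references against the page URL first.
        return urlsplit(urljoin(self.page_url, ref)).hostname

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = self._host(a["src"])
            if host not in self.allowed:
                self.findings.append({"kind": "script", "host": host})
        elif tag == "form":
            host, self._form = self._host(a.get("action") or ""), None
            if host not in self.allowed:
                self._form = {"kind": "form", "host": host, "sensitive": []}
                self.findings.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            if a.get("type") == "password" or any(h in name for h in SENSITIVE_HINTS):
                self._form["sensitive"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(html, page_url, allowed_hosts=()):
    parser = LandingPageAudit(page_url, allowed_hosts)
    parser.feed(html)
    return parser.findings
```

Static markup is only one signal: a skimmer that attaches its handlers at runtime will not appear in the HTML and needs a browser-based check of outgoing requests.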


Phishing – capturing your details, your data

Often initiated via redirects to popups promoting a survey, a fake virus/update, or a prize, phishing attacks seek personal consumer information—e.g., address, gender, income level, etc. The goal is to know the device and the user, setting the stage for more targeted future attacks.


Figure 4: Sampling of digital advertisements confirmed to be phishing attacks in August.

It’s a popular attack vector, serving as the root of several large-scale malvertising campaigns during the past few years, including the malevolent and prolific GhostCat. The attacks can be overt by asking the consumer to fill out a survey (input data) or stealthy by making background connections to exfiltrate sensitive data. Bad actors are constantly trying new evasion and obfuscation tactics—mobile-only attacks, grocery store rewards, celebrity clickbait, Apple Pay, steganography, and so many more.


The attacks range from mundane ads/creative imagery resolving to a compromised site to more advanced ads that only trigger the compromised landing page when certain conditions are met, e.g., mobile device actively moving or the presence of a specific program found on a device. (Gulp—yes, those seemingly benign backdoors and phishing risks are very real). [Figure 4]


Scams – misleading tactics mask bad behavior

Scams come in many shapes and sizes, affecting both businesses and consumers. In general, scams are schemes to defraud consumers by promoting goods with false claims or misleading them into sharing personal information that can be leveraged in future attacks. [Figure 5] These campaigns typically use clickbait to advertise products/services. The ads may also incorporate well-known brands and/or medical professionals to bolster their credibility.


Figure 5: Sometimes your instincts are right. These ads are promoting goods and services that are too good to be true.


Defining a scam takes a little extra work. While the unauthorized collection of personal information is similar to phishing attacks, scam ads resolve to a landing page that executes the harm. These landing pages don’t follow basic website requirements: no contact information, no address, no formal legal entity name or the legal entity has no clear ownership. (Remember the endless promotion of Coronavirus-related goods that were useless?)






Don’t harm Grandpa

Seniors represent 17% of today’s U.S. population, a number that will continue to grow exponentially. This vulnerable population didn’t grow up with the internet, and sometimes they have a misplaced assumption of safety during their online journeys. Or sometimes their fear of computer viruses and other digital dangers will cause them to trust unsavory actors, such as the perpetrators of the prolific Dolos threat. Online risks for seniors are very real.

Premium websites and mobile apps are diligent in their responsibility to deliver trusted experiences. Sadly, that’s not the case for every digital player. One thing’s for sure, however: The Media Trust is not gonna sit back and let seniors be harmed. We’re constantly on the lookout for malicious activity affecting all consumers.