Unspoken Online Risks for Seniors

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Chris Olson of The Media Trust speaks on the unspoken online risks for seniors and how to virtually protect our most vulnerable citizens.

Your parents, grandparents, and elderly neighbors are under attack. Every time they access the internet — read the news, look up the weather, buy an online gift, place a grocery delivery order, log into a social platform — these aging adults are at risk of malware. From phishing and credit card theft to exploit kits and backdoors, these attacks often happen without their knowledge. Even worse, many attacks are scouting missions, seeking to better understand an individual in preparation for launching future, larger-scale, more harmful attacks.

Unfortunately, antivirus, endpoint, or creative blocking security solutions don’t stop these issues, leaving seniors exposed.

Unspoken Online Risks for Seniors

A key component to enabling digital trust and safety is identifying these risks— for both the media owner and the consumer. There are countless articles and “how-to” lists providing general information about online harms. But what seniors — a demographic projected to double in size by 2040 — really need are visual cues to these risks.

First stop: online advertising.

Online Ads are Risks for Seniors

Seniors experienced an 11X increase in malware throughout 2022. Unfortunately, it’s not looking any better for 2023. We have reviewed hundreds of advertising campaigns served during July and August 2023, and more than 250 distinct incidents exposed at least 15,000 seniors in the U.S. to malware.

These threats go beyond clickbait— ads that attract attention with sensationalized headlines and encourage clickthrough to a page. While the goal of clickbait is to bring individuals to a specific page, the main impact on consumers is negligible beyond an eyesore, NSFW content, or an ego bruise.

These ads cause actual harm — from device infection to financial theft — and should be avoided at all costs.

Backdoors are a Prelude to an Attack

Backdoors are attacks used to deliver a wide variety of known malicious payloads with or without user interaction. This is even more damaging when the compromised device has access to password-protected sites like social media platforms and banking accounts. When these ads are clicked, the consumer is presented with a popup or is automatically redirected to a range of content in the form of fake software updates, technical support scams, infected device alerts, and browser hijacks that attempt to install potentially unwanted programs. They are closely associated with the propagation of ransomware, keystroke loggers, and cryptominers— slowing device performance by using system resources to mine for cryptocurrency.

E-Skimming – Stealing Your Credit Card and Your Life.

After a spring full of incidents, e-skimming attacks pared down to just a few incidents this summer. The attacks inject malicious files into an otherwise legitimate website to enable theft and/or unauthorized use of consumers’ sensitive data when visiting a compromised website. The theft typically occurs when a consumer fills out a form, and the data input is routed to an unauthorized third party— a scary scenario when you think of online shopping.

Ads associated with e-skimming attacks are usually detected upon analysis of a campaign’s clickthrough action — code that executes when a digital ad is clicked — or the landing page URL. In effect, the ads resolve to a compromised website that allows theft of sensitive consumer information — e.g., username, address, credit card information, passwords, and more. Be on alert as we go into the holiday season.

Phishing – Capturing Your Details and Your Data.

 Often initiated via redirects to popups promoting surveys, fake viruses/updates, or prizes, phishing attacks seek personal consumer information— e.g., address, gender, income level, etc. The goal is to know the device and the user, setting the stage for more targeted future attacks.

It’s a popular attack vector, serving as the root of several large-scale malvertising campaigns during the past few years, including the malevolent and prolific GhostCat. The attacks can be overt by asking the consumer to fill out a survey (input data) or stealthy by making background connections to exfiltrate sensitive data. Bad actors are constantly trying new evasion and obfuscation tactics— mobile-only attacks, grocery store rewards, celebrity clickbait, Apple Pay, steganography, and so many more.

The attacks range from mundane ads/creative imagery resolving to a compromised site to more advanced ads that only trigger the compromised landing page when certain conditions are met, e.g., mobile device actively moving, or the presence of a specific program found on a device. (Gulp— yes, those seemingly benign backdoors and phishing risks are very real).

Scams – Misleading Tactics Mask Bad Behavior.

Scams come in many shapes and sizes, affecting both businesses and consumers. In general, scams are schemes to defraud consumers by promoting goods with false claims or misleading them into sharing personal information that can be leveraged in future attacks. These campaigns typically clickbait to advertise products/services. The ads may also incorporate well-known brands and/or medical professionals to bolster their credibility.

Defining a scam takes a little extra work. While the unauthorized collection of personal information is similar to phishing attacks, scam ads resolve to a landing page that executes the harm. These landing pages don’t follow basic website requirements: no contact information, no address, no formal legal entity name, or the legal entity has no clear ownership. (Remember the endless promotion of Coronavirus-related goods that were useless?)

Don’t Harm Grandpa.

Seniors represent 17 percent of today’s U.S. population, a number that will continue to grow exponentially. This vulnerable population didn’t grow up with the internet, and sometimes they have a misplaced assumption of safety during their online journeys. Or sometimes their fear of computer viruses and other digital dangers will cause them to trust unsavory actors, such as the perpetrators of the prolific Dolos threat. Online risks for seniors are very real. Premium websites and mobile apps are diligent in their responsibility to deliver trusted experiences.

Sadly, that’s not the case for every digital player. One thing’s for sure, however: we can’t sit back and let seniors be harmed.