At the end of 2021, Nordic Choice Hotels, now renamed Strawberry, was hit by a major ransomware attack that paralyzed operations for just over a week. Everything had to be done manually, says Martin Belak, who is responsible for the hotel chain’s technical security.

“The receptionists worked with whiteboards to keep track of which rooms were booked,” Belak says.

The attack prompted Strawberry to accelerate its transition from its Windows environment to a Chrome OS environment in record time, migrating 4,000 devices in a week.

“We are Google-heavy and have the entire Google Workspace. We are a large customer and have a close relationship,” says Belak.

But while he thinks Google’s tools work very well, there is something that rubs him the wrong way, a stone in the sand, and that is Google’s search service and the lack of control over Google’s advertising service.

“The biggest problem is that Google does not verify which advertisers are allowed to have paid search positions. They do not check authenticity or do background checks, which means they allow both legal and criminal actors,” says Belak.

Anyone who searches for a supplier, for example, risks ending up on a paid placement bought by a criminal actor, a technique commonly referred to as malvertising.

“The criminals buy keywords and create fake landing pages that are identical to legitimate ones and also make sure that the URLs are similar to the real URLs. We are exposed to this type of fraud attempt every day. Fortunately, our security layers catch most of them, but those that get through cost us both trust and money. We need to compensate victims, while also handling the administrative costs of reporting the incidents to the Swedish Authority for Privacy Protection,” says Martin Belak.

Enough is enough

Strawberry has tried several times to report the problems to Google but has not been able to reach the right authority because their contacts are not within the advertising business.

And they’re not alone in pointing out the problems. Two years ago, the FBI warned about this type of scam that’s being carried out through purchased ads, but nothing has happened since then. Security vendor Netskope recently reported that, according to its telemetry, phishing click rates tripled in 2024, with SEO poisoning and malvertising part of the reason for the alarming rise, as cybercriminals move their operations outside the inbox.

For Strawberry, this has now led to changing the default search engine in Chrome to DuckDuckGo before Christmas, where the ad function has also been turned off as extra protection.

“It’s a bit ironic because we ourselves are dependent on Google ads, so it may seem like we’re shooting ourselves in the foot. But there has to be a balance where they make sure to validate the ads as well and don’t allow ads to be designed so that you enter a URL that isn’t the one you end up on. It’s incredibly strange,” says Belak.

He is also clear that it is not Google as a whole that Strawberry is unhappy with, instead pointing to how other parts of the company’s operations work hard on cybersecurity — such as monitoring cloud services, blocking third parties in the browser, and so on.

“They invest billions in cybersecurity in their other businesses but not when it comes to advertising and it becomes very strange for me as a customer,” he says.

Hope to create debate

Martin Belak doesn’t have high hopes that Strawberry’s decision to stop using Google’s search service will affect Google beyond creating some debate.

He emphasizes that this is also not a problem that can be solved with two-factor authentication and the like, because fraudsters today intercept the tokens that are generated in real-time, automatically. Moreover, Google isn’t the only company dealing with this issue, with other companies doing a better job establishing control, he says.

“Why can’t they verify their advertisers when Apple can review the apps that go into the App Store? We are a small player, but now we have put a finger in their eye and see what it leads to,” Belak says.

Karin Lindström

Editor