Cybercriminals are using malicious Google Ads and web pages to lure unsuspecting users into downloading and executing an information stealing malware.
Cybersecurity experts at eSentire have shared details about this new campaign that places Google Ads to take users to a fraudulently replicated download page for secure chat applications, such as Signal.
Instead of the installer for the legitimate app, the download link on the fake page pushes AutoIT scripts, which then deploy the Redline Stealer, which is one of the most popular information stealing malware.
“They [threat actors] are spending money to purchase Google ads (although they could be using stolen credit cards to purchase the ad space), and they have spent time creating believable ads and almost exact replicas of the download pages for some of the most popular secure chat applications,” said Spence Hutchinson, Manager of Threat Intelligence for eSentire.
Drive-by-Download campaigns
The company also suggests that stolen information is either sold on the dark web or directly used in further intrusions and fraud campaigns.
During its breakdown of the campaign, eSentire notes that not only have these drive-by-download campaigns become the most popular threat vector, they are also increasingly poisoning Google’s search results.
In addition to the current campaign, eSentire also shares details about previous campaigns that lure users with fake Google ads for business productivity tools such as remote desktop software like AnyDesk, file hosting services like Dropbox, and the Telegram messenger.
“Corporate internal security teams and external security teams need to make sure employees are very aware of the different tactics threat actors are using to lure them to malicious web pages, malicious ads and malicious documents,” warns eSentire in its advisory against the new campaign.
