Phishing links and malware are a familiar threat to anyone who browses the internet. Still, sophisticated attacks can catch even the most security-minded users off guard. And nothing’s more sophisticated than impersonating Google on Google’s own platform.
In a recent malicious advertising campaign, hackers purchased “Sponsored” Google Search ad space to advertise a false Google Authenticator download link. Anyone who searched for “Google Authenticator” could come across this advertisement, which looked perfectly legit and appeared to utilize the URL “www.google.com.”
Upon clicking the ad, victims were met with a convincing clone of the Google Authenticator website with the URL “www.chromeweb-authenticators.com.” Pressing the prominent “Download Authenticator” button on this website triggered a download for “Authenticator.exe,” an executable hosted on GitHub and signed by a developer. The source of this executable, plus the fact that it was signed, meant that there was no scrutiny from victims’ web browsers or Windows Defender antivirus.
The executable was actually an info-stealer malware called DeerStealer. Malwarebytes caught wind of the malicious advertising campaign and promptly contacted Google, which removed the offending ad from its platform.
As for how this happened—well, it’s really quite simple. Google accidentally sold ad space to hackers. In a conversation with Bleeping Computer, the company said that hackers bypassed human and automated quality control systems by “using text manipulation and cloaking to show … different websites than a regular visitor would see.”
Most people know better than to click random ads. The problem, of course, is that Google’s “Sponsored” search results aren’t traditional advertisements. They’re designed to be relevant to whatever topic you’re searching, and they’re often utilized by legitimate companies that want to be featured more prominently in Google Search. Even if you realize that a search result is “Sponsored,” it may be exactly what you were trying to find.
In this case, victims were searching for a Google product on a Google website. They found an ad for the product and clicked it, because why wouldn’t they?
This isn’t the first time that Google’s advertising platform has been utilized for malware distribution or phishing. In fact, fighting malware has been a decades-long struggle for Google, and it will inevitably continue to be a struggle in the future. (This is despite the fact that, historically speaking, Google is the most proactive in removing malware from its ad platform and search engine.)
We suggest that you avoid clicking “Sponsored” results in Google Search. This may be easier said than done, as it’s difficult to distinguish these ads from normal search results.
Source: Malwarebytes via Bleeping Computer
