
Scammers are abusing Google Adwords, the search engine giant’s advertising platform, to spread malware to people looking for legitimate and popular software.
Google’s security measures are generally robust, but experts found that the scammers managed to find a workaround.
The campaign is simple: crooks clone popular software such as Grammarly, MSI Afterburner, or Slack and infect it with an information stealer. In this case, the attackers added the Raccoon Stealer and IcedID malware loaders. They then create a landing page to which victims are directed to download the malicious program. These pages are designed to look exactly like the legitimate ones.
Tricking Google
They then create an ad and place it on Google Adwords. That way, whenever someone searches for these programs or other related keywords, they’ll see ads in various places, including at the top of Google’s search engine results pages.
The catch is that Google’s algorithm is relatively good at spotting malicious landing pages hosting dangerous software. To bypass these security measures, the attackers also create a benign landing page to which the ad sends visitors.
This landing page then immediately redirects the victim to a malicious page.
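The chain described above (ad click, benign landing page, immediate hand-off to a different site, installer download) can be hunted for in web proxy logs. The following Python code is an added example, not from the article or the researchers; the log layout, the hostnames, the 60-second window, the installer extensions and the use of the `gclid` ad-click parameter as the ad marker are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

INSTALLER_EXT = (".exe", ".msi", ".zip", ".iso")  # assumed installer types
WINDOW = timedelta(seconds=60)                    # assumed click-to-download window

# Constructed proxy log lines: timestamp, client IP, URL, Referer
SAMPLE_LOG = """\
2023-01-05T10:00:01 10.0.0.5 https://landing.example/?gclid=abc123 https://www.google.com/
2023-01-05T10:00:02 10.0.0.5 https://clone-site.test/download https://landing.example/
2023-01-05T10:00:09 10.0.0.5 https://clone-site.test/files/setup.zip https://clone-site.test/download
2023-01-05T11:00:00 10.0.0.7 https://vendor.example/?gclid=def456 https://www.google.com/
2023-01-05T11:00:20 10.0.0.7 https://vendor.example/files/setup.exe https://vendor.example/
2023-01-05T12:00:00 10.0.0.9 https://blog.example/post https://www.google.com/
2023-01-05T12:00:05 10.0.0.9 https://mirror.test/tool.exe https://blog.example/post
"""

def host(url):
    """Hostname without a leading 'www.' ('' if the field is not a URL)."""
    h = urlparse(url).hostname or ""
    return h[4:] if h.startswith("www.") else h

def find_ad_redirect_downloads(log_text):
    landing = {}  # client -> (host the ad click landed on, click time)
    hop = {}      # client -> other host the landing page handed the client to
    alerts = []
    for line in log_text.splitlines():
        ts, client, url, referer = line.split()
        when, dest, src = datetime.fromisoformat(ts), host(url), host(referer)
        if "gclid" in parse_qs(urlparse(url).query):  # request came from an ad click
            landing[client] = (dest, when)
            hop.pop(client, None)
            continue
        if client in landing:
            land_host, clicked = landing[client]
            if when - clicked > WINDOW:               # chain went stale
                del landing[client]
                hop.pop(client, None)
            elif src == land_host and dest != land_host:
                hop[client] = dest                    # landing page sent client off-site
        is_installer = urlparse(url).path.lower().endswith(INSTALLER_EXT)
        if is_installer and hop.get(client) == dest:
            alerts.append({"client": client, "landing": landing[client][0],
                           "download_host": dest, "url": url})
    return alerts

if __name__ == "__main__":
    for alert in find_ad_redirect_downloads(SAMPLE_LOG):
        print(alert)
```

Only the first client is flagged: an ad click whose landing host hands the browser to a different host that then serves an installer. The ad click that stays on the vendor's own host and the non-ad download are ignored.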
Cyberattacks that use legitimate software to distribute malware are nothing new, but researchers were mostly in the dark about what actually gets people to a landing page. In late October, researchers uncovered a large campaign of more than 200 fraudulent domains, but until today, no one knew how the domains were advertised.
Now that the scheme has been uncovered, expect Google to quickly end the campaign (if it hasn’t already done so).
In addition to the aforementioned apps, crooks are also impersonating these programs: Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave.
Via: BleepingComputer