Fraudsters are using Google Adwords, the search engine giant’s advertising platform, to spread malware among people looking for legitimate and popular software.
Google’s security measures are usually robust, but experts have discovered that the attackers have managed to work around them.
The campaign is simple: scammers clone popular software such as Grammarly, MSI Afterburner or Slack and infect it with an information-stealing tool. In this case, the attackers added the Raccoon Stealer and the IcedID malware loader. They then created landing pages where victims were sent to download the malicious programs; these sites are designed to look identical to the legitimate ones.
They then created ads and placed them on Google Adwords. This way, when someone searches for these programs or other relevant keywords, they see the attackers’ ads in various places, including the top positions on the Google search results page.
The trick is that Google’s algorithm is relatively good at detecting malicious landing pages that host dangerous software. To bypass this check, the attackers also created a harmless landing page to which the ad sent visitors.
This landing page would immediately redirect victims to a malicious website.
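The decoy-then-redirect pattern described above is something a defender can look for when vetting where an ad actually lands. The following script is an added example, not code from the article or from any of the vendors it names: it walks a chain of pre-captured HTTP responses (so it runs offline), recognises the three common forwarding mechanisms (a 3xx `Location` header, a `<meta http-equiv="refresh">` tag, and a `location =` assignment in page script), and flags a chain whose final page sits on a different registrable domain than the advertised one. All URLs and response bodies are constructed placeholders, and the domain comparison is a deliberately naive last-two-labels approximation.

```python
"""
Heuristic detector for the "harmless landing page that immediately forwards
to another domain" pattern. Added example; constructed sample data only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlparse


@dataclass
class Response:
    """A captured HTTP response for one URL (status, headers, HTML body)."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# <meta http-equiv="refresh" content="0; url=https://...">
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*(\d+)\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)
# window.location = "https://..."  /  location.href = '...'
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def next_hop(resp: Response) -> Optional[Tuple[str, str]]:
    """Return (mechanism, absolute target URL) if the page forwards the visitor, else None."""
    if 300 <= resp.status < 400 and "Location" in resp.headers:
        return "http-3xx", urljoin(resp.url, resp.headers["Location"])
    m = META_REFRESH.search(resp.body)
    if m:
        return "meta-refresh", urljoin(resp.url, m.group(2))
    m = JS_LOCATION.search(resp.body)
    if m:
        return "js-location", urljoin(resp.url, m.group(1))
    return None


def registrable(host: str) -> str:
    """Naive registrable-domain approximation (last two labels); assumption, not the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def analyse_chain(responses: Dict[str, Response], start: str, max_hops: int = 10) -> dict:
    """Follow forwarding hops through captured responses and report whether the visitor
    ends up on a different domain than the one the ad advertised."""
    chain = [start]
    mechanisms = []
    url = start
    for _ in range(max_hops):
        resp = responses.get(url)
        if resp is None:
            break
        hop = next_hop(resp)
        if hop is None:
            break
        mech, target = hop
        mechanisms.append(mech)
        chain.append(target)
        url = target
    start_dom = registrable(urlparse(start).hostname or "")
    final_dom = registrable(urlparse(chain[-1]).hostname or "")
    cross = start_dom != final_dom
    return {
        "chain": chain,
        "mechanisms": mechanisms,
        "cross_domain": cross,
        "suspicious": cross and len(chain) > 1,
    }


# Constructed captures (placeholder domains): a decoy page that meta-refreshes to a
# look-alike download site, which then 302s to an installer; plus a benign vendor page.
SAMPLE = {
    "https://decoy-landing.example/": Response(
        url="https://decoy-landing.example/",
        status=200,
        headers={"Content-Type": "text/html"},
        body='<html><head><meta http-equiv="refresh" '
             'content="0; url=https://lookalike-download.example/get"></head></html>',
    ),
    "https://lookalike-download.example/get": Response(
        url="https://lookalike-download.example/get",
        status=302,
        headers={"Location": "/installer.exe"},
    ),
    "https://lookalike-download.example/installer.exe": Response(
        url="https://lookalike-download.example/installer.exe",
        status=200,
        headers={"Content-Type": "application/octet-stream"},
    ),
    "https://vendor.example/download": Response(
        url="https://vendor.example/download",
        status=200,
        headers={"Content-Type": "text/html"},
        body="<html><body><a href='/setup.msi'>Download</a></body></html>",
    ),
}

if __name__ == "__main__":
    for start in ("https://decoy-landing.example/", "https://vendor.example/download"):
        print(start, "->", analyse_chain(SAMPLE, start))
```

In practice the captures would come from a sandboxed fetch of each ad's landing URL; the useful signal is not the redirect by itself (legitimate sites redirect constantly) but a near-instant forward from the advertised domain to an unrelated one that serves an executable.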
Cyberattack campaigns that use legitimate software to spread malware are nothing new, but until now researchers mostly didn’t know how people were actually being directed to the landing pages. In late October, researchers uncovered a large campaign involving over 200 fake domains, but until today no one knew how they were advertised.
Now that the conspiracy has been uncovered, you can expect Google to end the campaign quickly (if it hasn’t already).
In addition to the apps mentioned above, scammers also impersonated these programs: Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird and Brave.
Via: BleepingComputer