Google Ads Abused – Spreading Malware in a Semi-Legit Way
Whenever we search for something on Google, we usually encounter some sort of ad sitting above the search results. These placements can make the user’s task easier, but sometimes they serve another purpose, as is the case recently with threat actors using the Google Ads platform to spread malware.
Google Ads increases the legitimacy of a product. Not only that, but it places it at the top of the users’ search results, which can guarantee instant clicks.
Unfortunately, cybercriminals are well aware of that, and they’re taking advantage of this service to lure users searching for popular software products. The illusion is there, but so is the malware. What’s this campaign all about? Here’s what you need to know.
Google Ads Fraud – Fake Posts, Real Threat
In the world of cybersecurity, there are countless malware families, each with its own capabilities. Although they differ in technique, they all lead to the same kind of result – data theft, ransomware, and financial loss.
There have been multiple incidents where cybercriminals impersonate Google, especially when it comes to its Android Play Store. In fact, 2022 has not been a good year for Android users in that department.
Now, Google is being used once again, but in a different, more dangerous way. A Google ad placement lends solid legitimacy to whatever product shows up at the top of the list.
Even legitimate websites can appear twice on your results page – once as an ad and once as an organic result. This time around, cybercriminals are using well-known product names to spread one of the most dangerous malware families out there – Raccoon Stealer. The impersonated products include:
- Grammarly
- MSI Afterburner
- Slack
- Dashlane
- Malwarebytes
- Audacity
- μTorrent
- OBS
- Ring
- AnyDesk
- LibreOffice
- TeamViewer
- Thunderbird
- Brave
As mentioned, the campaign begins with the user’s search query. Once they press Enter, they’ll see an ad at the top of their results.
Clicking on this ad redirects them to cloned copies of the official websites of the above projects, which serve trojanized versions of the software when users hit “Download.”
According to Guardio Labs:
“Those rogue sites are practically invisible to visitors not reaching from the real promotional flow (e.g. arriving with a valid gclid value) showing up as benign, unrelated sites to crawlers, bots, occasional visitors, and of course for Google’s policy enforcers.”
There are several malware families involved. For example, if the cloned site the victim visited imitates Grammarly, the trojanized installer delivers Raccoon Stealer.
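The cloaking described in the Guardio Labs quote can be checked for from the defender’s side: request the landing page once as an ordinary visitor and once with a Google click id (`gclid`) in the query string, then compare what comes back. The script below is an added example written for this article, not code from Guardio Labs or from the original post. Network access is replaced by a constructed `fake_fetch` that returns two constructed sample pages, so it runs offline; the `EXAMPLE_GCLID` value is a placeholder, and for a real check you would pass a fetcher built on `urllib.request`.

```python
"""Added example: detect ad-only cloaking by comparing a landing page fetched
with and without a gclid parameter. The fetcher and sample pages below are
constructed for the example; nothing here is from the original article."""
import re
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed sample responses standing in for a cloaked landing page:
# visitors arriving without a click id see an unrelated benign page, while
# the "promotional flow" (gclid present) gets the fake download page.
_SAMPLE_RESPONSES = {
    "no_gclid": "<html><title>Gardening tips</title><p>Welcome!</p></html>",
    "gclid": '<html><title>Download Grammarly</title>'
             '<a href="/setup.exe">Download</a></html>',
}


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET: picks the sample page by whether
    the query string carries a gclid parameter."""
    query = dict(parse_qsl(urlparse(url).query))
    return _SAMPLE_RESPONSES["gclid" if "gclid" in query else "no_gclid"]


def with_gclid(url, value="EXAMPLE_GCLID"):
    """Return the same URL with a (placeholder) gclid appended to its query."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query))
    query["gclid"] = value
    return urlunparse(parts._replace(query=urlencode(query)))


_TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
# Links to installer-like files; these are what an analyst wants to pull out
# of the promoted variant for further inspection.
_DOWNLOAD_RE = re.compile(r'href="([^"]+\.(?:exe|msi|zip|dmg|pkg))"', re.I)


def _title(html):
    match = _TITLE_RE.search(html)
    return match.group(1).strip() if match else ""


def check_cloaking(url, fetch=fake_fetch):
    """Fetch the page as a plain visitor and as an ad click, then report
    whether the two variants differ and what the promoted one links to."""
    plain = fetch(url)
    promoted = fetch(with_gclid(url))
    return {
        "cloaked": plain.strip() != promoted.strip(),
        "plain_title": _title(plain),
        "promoted_title": _title(promoted),
        "promoted_downloads": _DOWNLOAD_RE.findall(promoted),
    }


if __name__ == "__main__":
    # example.invalid is a reserved, non-resolving placeholder domain
    print(check_cloaking("https://example.invalid/landing"))
```

On a real site the two responses will rarely be byte-identical (nonces, timestamps), so in practice you would compare extracted titles and download links, as the returned dictionary already does, rather than the raw HTML.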
Such campaigns can be really dangerous, especially since they’re hard to distinguish from the real thing. We highly advise readers to look over the website, and above all its domain name, before downloading anything. Spotting one single spelling mistake can save you a lot of trouble.
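The “one spelling mistake” advice can be turned into a check that runs before a download. The script below is an added example, not code from the article: it compares the registrable domain of a URL against a small allowlist of vendor domains (the brand names come from the article’s list; the domain values are an assumption for this example and should be replaced with a vetted list), after normalising common look-alike tricks such as `rn` for `m`, digits for letters and a few Cyrillic letters for Latin ones. A domain that matches a brand only after normalisation, is within one edit of it, or merely embeds the brand name is reported as a look-alike.

```python
"""Added example: flag look-alike domains for a few brands the article names.
The allowlist and the confusables table are assumptions made for this example."""
import unicodedata

# Assumed legitimate domains for brands mentioned in the article.
KNOWN_GOOD = {
    "grammarly.com": "Grammarly",
    "slack.com": "Slack",
    "malwarebytes.com": "Malwarebytes",
    "anydesk.com": "AnyDesk",
    "teamviewer.com": "TeamViewer",
    "brave.com": "Brave",
}

# Partial confusables table: visually similar substitutions seen in typosquats.
_CONFUSABLES = (
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
)


def registrable(host):
    """Crude eTLD+1 (last two labels) with punycode decoded. Fine for the .com
    examples here; a real tool should use the Public Suffix List."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA; keep as-is
    return ".".join(host.split(".")[-2:])


def normalize(label):
    """Strip accents and map confusable sequences so look-alikes collapse
    onto the brand label. Applied to both sides of every comparison."""
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    for fake, real in _CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return ("known", brand), ("lookalike", brand) or ("unknown", None)."""
    domain = registrable(host)
    if domain in KNOWN_GOOD:
        return ("known", KNOWN_GOOD[domain])
    label = normalize(domain.split(".")[0])
    for good, brand in KNOWN_GOOD.items():
        good_label = normalize(good.split(".")[0])
        if (label == good_label                      # same name, other TLD / homoglyphs
                or edit_distance(label, good_label) <= 1  # one-character typo
                or good_label in label):              # brand embedded, e.g. brand-download
            return ("lookalike", brand)
    return ("unknown", None)


if __name__ == "__main__":
    for host in ("www.grammarly.com", "gramrnarly.com", "grammarly-download.com",
                 "gramm\u0430rly.com", "slack.co", "example.org"):
        print(host, "->", classify(host))
```

The "brand embedded" rule is deliberately aggressive (it would also flag an unrelated site whose name happens to contain "brave"), which is the right trade-off for a warning shown before running an installer.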
A New Level of Malvertising
Malware delivered through Google Ads carries all the outward signs of legitimacy. It’s very hard to tell apart from the real product, which is why these campaigns enjoy such high success rates.
All you can do is be vigilant when you visit such websites. In fact, if you’re searching for a popular product, the actual page will show up in the search results.
You don’t have to click on the “Ad” one. Just visit the actual website. That way, you’ll at least know it’s exactly what you’re looking for, and no malicious entity is out to get you.