Security: How hackers use Google Ads to deliver malware
On the one hand, there is malware, i.e. software intentionally designed to disrupt a computer, server, client or network, disclose private information, and so on. On the other hand, there is Google Ads, the tool made available by Google to plan advertising campaigns on the network of Google’s partner sites or on the search network. In the middle there are the hackers, who use their computer skills to break into computer networks illegally, without any authorization.
Guardio’s team of experts sheds light on how users are exposed to these websites, which are promoted to a wide audience through Google Ads advertising campaigns. These are fake sites shown among Google’s advertisements. Among the main products impersonated in the campaign are: Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave.
But how do these cybercriminals scam such a large number of users? The promoted sites are placed at the top of the results page, so users are led to think that everything is normal and that these sites are legitimate. When Google detects an infected site, the ads are immediately removed, but in this case the cybercriminals found a way to get past the checks. The trick is to create harmless sites that surface when the user searches for certain keywords. The legitimate software can indeed be downloaded from the fake website, but the MSI installer or ZIP archive also contains malware. Among the most used are Raccoon and Vidar, which steal large amounts of data from the computer and belong to the category of info-stealers.
Recapping: the stratagem consists in bringing the user who clicks on the advertisement to a harmless site created ad hoc, which Guardio calls “masquerAd”, and then directing them on to a malicious site that impersonates the legitimate resource the user was looking for.
“When these masquerAd sites are visited through the ad on the search engine,” the Guardio experts explain, “the server redirects visitors to the rogue site and from there to the malicious payload. These rogue sites are virtually invisible to visitors who don’t reach them via the promotional stream that exploits the masquerAd site by showing it as legitimate to crawlers, bots, casual visitors, and Google’s countermeasures.”
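The cloaking behaviour described above can be checked for from the defender’s side by fetching the same landing URL from several vantage points (a crawler-style visit, a direct visit, and a visit carrying the ad click) and comparing where each redirect chain ends. The following is an added example, not Guardio’s tooling; the hostnames, the redirect chains and the vendor allowlist are constructed, and in practice the chains would be recorded by a headless browser.

```python
"""Flag masquerAd-style cloaking by comparing redirect chains observed from
several vantage points (constructed example, not Guardio's own tooling)."""
from urllib.parse import urlparse

# Constructed sample: one landing URL fetched three ways. Only the visit that
# arrives through the ad click is forwarded on to the rogue site and payload;
# crawlers and direct visitors see the harmless page.
SAMPLE_OBSERVATIONS = {
    "crawler": ["https://masquerad-example.test/"],
    "direct": ["https://masquerad-example.test/"],
    "ad_click": [
        "https://masquerad-example.test/?gclid=PLACEHOLDER",
        "https://rogue-example.test/download",
        "https://cdn-rogue-example.test/Setup.zip",
    ],
}
# Placeholder for the vendor's real download domain(s).
OFFICIAL_DOMAINS = {"vendor-example.test"}
INSTALLER_SUFFIXES = (".msi", ".zip", ".exe")


def host(url):
    """Lower-cased hostname of a URL ('' if none)."""
    return (urlparse(url).hostname or "").lower()


def is_official(hostname, official_domains):
    """True if hostname is an official domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in official_domains)


def analyse(observations, official_domains, baseline="crawler"):
    """Return (vantage, finding) pairs. 'cloaking': the vantage ended on a
    different host than the baseline (crawler) visit. 'unofficial_installer':
    an installer-like file was served from a host outside the allowlist."""
    base_final = host(observations[baseline][-1])
    findings = []
    for vantage, chain in observations.items():
        final_url = chain[-1]
        final_host = host(final_url)
        if final_host != base_final:
            findings.append((vantage, "cloaking"))
        path = urlparse(final_url).path.lower()
        if path.endswith(INSTALLER_SUFFIXES) and not is_official(final_host, official_domains):
            findings.append((vantage, "unofficial_installer"))
    return findings


if __name__ == "__main__":
    for vantage, finding in analyse(SAMPLE_OBSERVATIONS, OFFICIAL_DOMAINS):
        print(f"{vantage}: {finding}")
```

A landing page whose final host depends on whether the visitor came through the ad is the signal to escalate; a clean site ends on the same host from every vantage.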
In short, a truly unwelcome “gift”. Precisely for this reason, Guardio’s experts are keen to emphasize that “security is a matter of trust, which is why it is important to turn to reliable and trusted suppliers for your daily activities on the web. This concept of masquerAd abuses the trust that we sometimes blindly grant to Google and its search results.”