Researchers have tracked down the origins of several increasingly prevalent information stealers that threat actors are delivering via pay-per-click (PPC) ads in Google’s search results.
Over the past month, researchers have found that paid ads that appear on the first page of search results have led to downloads of malicious AnyDesk, Dropbox and Telegram packages wrapped as ISO images. Just a week ago, rigged AnyDesk ads were found to be serving up a trojanised version of the programme.
This time around, the Google PPC ads targeted specific IP ranges – hinting that this is a targeted attack with victims that have been scouted out before being hit. Non-targeted IPs are redirected to legitimate pages that download the correct applications.
Google says it uses proprietary technology and malware detection tools to ‘regularly scan all creatives’, and that it forbids ads that call fourth parties or sub-syndicate to uncertified advertisers. The tech giant also states that it pulls ads distributing malware, and that authorised buyers whose ads are found to contain malware are placed on a minimum three-month suspension.
Despite all of this, scam adverts consistently evade Google’s security checks and pop up at the top of search results. Many of these attacks have succeeded because cyber criminals spend real money on Google AdWords, having figured out how to evade Google’s malvertising screening; many set up websites with signed, legitimate certificates – live for around two weeks – that are designed to mislead visitors.
Researchers describe the attacks starting with one of a dozen paid Google ads that lead to a website with an ISO image download – one that’s large enough to slip under the radar. It is fairly simple to take a legitimate program and pack it with malicious payloads, pay an ad hosting provider and post the content, which makes these types of attack particularly easy to carry out.
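As an added illustration (not part of the original article or any vendor's tooling), the following Python heuristic scans constructed proxy log lines for the pattern just described: a large ISO download whose referrer is a Google ad-click redirect and whose host is not the software vendor's own domain. The log format, hostnames and size threshold are assumptions for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log (assumed format): timestamp client method url referer content-type bytes
SAMPLE_LOG = """\
2021-10-12T09:14:02Z 10.1.4.22 GET https://anydesk-download.example/AnyDesk.iso https://www.googleadservices.com/pagead/aclk?sa=L application/x-iso9660-image 251658240
2021-10-12T09:15:40Z 10.1.4.22 GET https://anydesk.com/en/downloads/windows - application/octet-stream 3912000
2021-10-12T09:20:11Z 10.1.4.31 GET https://telegram-desktop.example/tsetup.iso https://www.google.com/aclk?sa=l application/octet-stream 314572800
2021-10-12T09:22:05Z 10.1.4.40 GET https://files.example/readme.iso https://intranet.example/wiki application/x-iso9660-image 120000
"""

# Official download hosts for the impersonated products (allow-list; extend per environment).
LEGITIMATE_HOSTS = {"anydesk.com", "dropbox.com", "telegram.org"}
# Google Ads click-tracking redirect URLs appear as the referrer of an ad-driven landing.
AD_CLICK_RE = re.compile(r"https?://(www\.)?(googleadservices\.com/pagead/aclk|google\.com/aclk)")
# Assumed threshold: ISOs above ~100 MB exceed the upload limit of many scanners.
ISO_MIN_BYTES = 100 * 1024 * 1024


@dataclass
class Hit:
    client: str
    url: str
    size: int


def is_legitimate_host(host: str) -> bool:
    """True if host is an official vendor domain or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in LEGITIMATE_HOSTS)


def is_iso(url: str, content_type: str) -> bool:
    """Identify ISO images by extension or by MIME type."""
    return url.lower().endswith(".iso") or content_type == "application/x-iso9660-image"


def find_suspicious(log_text: str) -> list[Hit]:
    """Return ad-referred, oversized ISO downloads from non-vendor hosts."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, referer, ctype, size = line.split()
        host = urlsplit(url).hostname or ""
        if not AD_CLICK_RE.match(referer):
            continue  # not reached via a Google ad click
        if not is_iso(url, ctype) or is_legitimate_host(host):
            continue
        if int(size) >= ISO_MIN_BYTES:
            hits.append(Hit(client, url, int(size)))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {hit.client} fetched {hit.url} ({hit.size} bytes) after an ad click")
```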
Neuways advises users to be wary of clicking on the first set of results they see, which are Google Ads, to avoid becoming the next victim of these types of scams.