Google AdWords is being hijacked by scammers

Seemingly benign campaigns are actually delivering malware

Scammers are abusing Google Adwords, the search engine giant’s advertising platform, to spread malware to people looking for legitimate and popular software.

Google’s safety measures are usually robust, but experts found that the attackers managed to employ a workaround.

The campaign is simple - the crooks would clone popular software such as Grammarly, MSI Afterburner, Slack, or others, and infect it with an infostealer. In this case, the attackers were adding Raccoon Stealer and the IcedID malware loader. Then, they would create a landing page where the victims would be sent to download the malicious programs. These pages were designed to look identical to the legitimate ones.

Tricking Google

Then, they would create an ad and place it on Google Adwords. That way, whenever someone searches for either these programs or other relevant keywords, they’d see the ads in various places (including the top positions on the Google search engine results page).

Google’s algorithm is relatively good at spotting malicious landing pages hosting dangerous software. To bypass these security measures, the attackers would also create a benign landing page, and the ad would send visitors there first.

That landing page would then immediately redirect the victims to the malicious one.
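A defender-side way to surface the chain described above (ad click, benign landing page, immediate redirect, download served from a different host) in web-proxy logs. This is an added example, not part of the original article; the log layout, the 30-second window, the `.example` hosts and the function names are assumptions, and `gclid` is the click parameter Google Ads appends to landing-page URLs.

```python
from urllib.parse import urlsplit, parse_qs

DOWNLOAD_EXT = (".exe", ".msi", ".zip", ".dmg")
WINDOW = 30  # seconds allowed between ad click and download (assumed threshold)

# Constructed proxy log records: (epoch seconds, client, url, referer)
SAMPLE_LOG = [
    (1000, "10.0.0.5", "https://landing.example/grammar-tips?gclid=abc123", "https://www.google.com/"),
    (1001, "10.0.0.5", "https://downloads-clone.example/", "https://landing.example/grammar-tips?gclid=abc123"),
    (1009, "10.0.0.5", "https://downloads-clone.example/files/setup.exe", "https://downloads-clone.example/"),
    (2000, "10.0.0.7", "https://vendor.example/download?gclid=def456", "https://www.google.com/"),
    (2015, "10.0.0.7", "https://vendor.example/files/setup.exe", "https://vendor.example/download?gclid=def456"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_ad_click(url, referer):
    # An ad click here means: landing URL carries gclid and the referer is a Google host.
    ref = host(referer)
    from_google = ref == "google.com" or ref.endswith(".google.com")
    return from_google and "gclid" in parse_qs(urlsplit(url).query)

def find_ad_redirect_downloads(records, window=WINDOW):
    """Return (client, ad_landing_host, download_url) for downloads that follow
    an ad click but are served from a different host than the ad's landing page."""
    sessions = {}  # client -> start time, landing host, URLs on the referer chain
    findings = []
    for ts, client, url, referer in sorted(records):
        if is_ad_click(url, referer):
            sessions[client] = {"start": ts, "landing": host(url), "visited": {url}}
            continue
        s = sessions.get(client)
        if not s or ts - s["start"] > window or referer not in s["visited"]:
            continue
        s["visited"].add(url)  # extend the referer chain that began at the ad click
        path = urlsplit(url).path.lower()
        if path.endswith(DOWNLOAD_EXT) and host(url) != s["landing"]:
            findings.append((client, s["landing"], url))
    return findings

if __name__ == "__main__":
    for finding in find_ad_redirect_downloads(SAMPLE_LOG):
        print(finding)
```

Following the referer chain rather than HTTP 3xx responses means the check also catches redirects done with JavaScript or a meta refresh on the benign page.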

Cyberattack campaigns that leverage legitimate software to distribute malware are nothing new, but researchers have mostly been in the dark when it comes to methods to actually get people to the landing pages. In late October, researchers discovered a major campaign with more than 200 fraudulent domains, but up until today, no one knew how the domains were advertised.

Now that the plot has been discovered, Google can be expected to swiftly terminate the campaign (if it hasn’t done so already).

Besides the abovementioned apps, the crooks were also impersonating these programs: Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
