Researchers have spotted a new malware campaign in which attackers abuse Google Ads to place sponsored search results that point to fake Google Authenticator sites. Users should be wary of sponsored links in search results, especially when searching for software download sites.

Fake Google Authenticator sites deliver malware.

In a fresh post, Malwarebytes researchers shared details about a recent discovery involving Google Ads abuse. Specifically, they looked at fake Google Authenticator sites that attackers pushed into search results as sponsored Google ads to trick users into visiting them.

As explained, the ad that attracted attention showed the site “google.com” under the “Sponsored” heading in search results for “Google Authenticator”. While the site name and URL looked legitimate, the meta description looked different, and the explicit mention of “Official Website” at the beginning was enough to raise alarm bells.

An investigation of the ad revealed that it was created by an advertiser, “Larry Marr,” with no apparent affiliation with Google. Additionally, clicking on the ad redirects the user through a number of intermediate links before reaching the final phishing web page.

Again, the phishing site’s domain, “chromeweb-authenticators.com”, and its look-alike page layout were enough to alert an informed user to a phishing attempt. However, an average user, or one in a rush to download Google Authenticator, may not notice these signs and may end up downloading malware.
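The two red flags described above (an ad whose displayed domain does not match where the click actually lands, and a chain of intermediate redirects on the way there) can be checked mechanically. The following is an added example, not code from Malwarebytes or from the original post. It assumes you have already captured the redirect chain of an ad click (for instance from a browser's network log) and passes it in as a list of URLs; the hostnames under .example are constructed for illustration, the registrable-domain helper is a deliberate simplification, and the brand keyword list is an assumption.

```python
from urllib.parse import urlparse

# Brand words an impersonating landing domain might borrow; assumption for this example.
BRAND_KEYWORDS = ("google", "chrome", "authenticator")

def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels (an assumption kept simple here).
    Production code should use the Public Suffix List, e.g. via the tldextract package."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def audit_sponsored_link(display_domain, redirect_chain):
    """Compare the domain an ad displays with where its click actually lands.
    redirect_chain is the ordered list of URLs visited, first hop to final page."""
    findings = []
    if not redirect_chain:
        return ["empty redirect chain"]
    final_host = urlparse(redirect_chain[-1]).hostname or ""
    shown = registrable_domain(display_domain)
    landed = registrable_domain(final_host)
    if shown != landed:
        findings.append(f"display/landing mismatch: shows {shown}, lands on {final_host}")
        # A brand name inside an unrelated landing domain is the classic look-alike tell.
        if any(k in final_host for k in BRAND_KEYWORDS):
            findings.append(f"landing domain borrows a brand keyword: {final_host}")
    hops = len(redirect_chain) - 1
    if hops >= 2:
        findings.append(f"{hops} intermediate redirects before the landing page")
    return findings

# Constructed chains: the .example hosts are illustrative, not the campaign's real hops.
SUSPICIOUS_CHAIN = [
    "https://ad-click.example/track?id=1",
    "https://redirect-one.example/go",
    "https://chromeweb-authenticators.com/",
]
LEGIT_CHAIN = ["https://www.google.com/"]

if __name__ == "__main__":
    for finding in audit_sponsored_link("google.com", SUSPICIOUS_CHAIN):
        print("WARN:", finding)
    print("legit findings:", audit_sponsored_link("google.com", LEGIT_CHAIN))
```

Run against the constructed chain, the audit reports all three findings for the fake site and none for a click that lands directly on www.google.com. The check only looks at domains, so it does not replace sandboxing the download itself.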

As for the payload, the researchers found that the campaign distributes DeerStealer (detected as Spyware.DeerStealer).

Not DeerStealer’s first outing.

A similar malicious campaign first caught the attention of sandbox developer AnyRun, which shared details about DeerStealer in a post. Despite the differences in execution, the two campaigns share the same malware, indicating a possible connection between the attackers.

Regarding the malware, AnyRun identified DeerStealer as a spin-off of Xfiles, another capable stealer built on the .NET platform. However, they also noticed some differences between the two. Whereas Xfiles depends on .NET, “DeerStealer is written in a language that compiles to machine code”. Similarly, Xfiles sends the stolen data to its C&C in a single POST request, while DeerStealer first sends the HWID and waits for a server response before sending the stolen data.
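The difference in C&C behaviour described above (a single large POST for Xfiles versus a small HWID handshake followed by the data for DeerStealer) is something a detection engineer can look for in egress proxy logs without any knowledge of the protocol's actual fields. The following is an added example, not code from AnyRun or Malwarebytes, and it does not reproduce the real DeerStealer protocol: the log format, the hostnames under .test, the byte-size thresholds and the 30-second window are all assumptions chosen for illustration, and the log lines are constructed rather than captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines for illustration only (not captured DeerStealer traffic).
# Assumed format: <timestamp> <src_ip> <method> <url> <status> <bytes_out> <bytes_in>
SAMPLE_LOG = """\
2024-07-31T10:00:01Z 10.0.0.5 POST http://c2-example.test/gate 200 64 180
2024-07-31T10:00:02Z 10.0.0.5 POST http://c2-example.test/gate 200 48210 12
2024-07-31T10:05:00Z 10.0.0.7 POST http://single-shot.test/upload 200 51000 0
2024-07-31T10:06:00Z 10.0.0.9 GET http://update.test/manifest 200 0 900
2024-07-31T10:06:01Z 10.0.0.9 POST http://update.test/telemetry 200 70 40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (\d+)$")

def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, status, out_b, in_b = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "host": urlparse(url).hostname or "",
            "status": int(status),
            "bytes_out": int(out_b),
            "bytes_in": int(in_b),
        })
    return events

def _posts_by_pair(events):
    """Group POST events by (source IP, destination host), ordered by time."""
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_pair[(e["src"], e["host"])].append(e)
    for posts in by_pair.values():
        posts.sort(key=lambda e: e["ts"])
    return by_pair

def find_two_stage_beacons(events, max_gap=timedelta(seconds=30), small=256, large=4096):
    """DeerStealer-style pattern as described on the page: a small POST (e.g. an HWID)
    that receives a non-empty reply, followed shortly by a large POST to the same host.
    The thresholds are assumptions for this example, not values from the page."""
    hits = []
    for (src, host), posts in _posts_by_pair(events).items():
        for a, b in zip(posts, posts[1:]):
            if (a["bytes_out"] <= small and a["bytes_in"] > 0
                    and b["bytes_out"] >= large
                    and b["ts"] - a["ts"] <= max_gap):
                hits.append({"src": src, "host": host,
                             "handshake_bytes": a["bytes_out"], "exfil_bytes": b["bytes_out"]})
    return hits

def find_single_post_exfil(events, small=256, large=4096):
    """Xfiles-style pattern as described: one large POST with no small handshake POST
    to the same host before it."""
    hits = []
    for (src, host), posts in _posts_by_pair(events).items():
        for i, p in enumerate(posts):
            if p["bytes_out"] >= large and not any(q["bytes_out"] <= small for q in posts[:i]):
                hits.append({"src": src, "host": host, "exfil_bytes": p["bytes_out"]})
    return hits

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in find_two_stage_beacons(evs):
        print("two-stage beacon:", h)
    for h in find_single_post_exfil(evs):
        print("single-post exfil:", h)
```

On the constructed log, 10.0.0.5 is flagged for the handshake-then-upload pattern and 10.0.0.7 for the single large POST, while the GET plus small telemetry POST from 10.0.0.9 is ignored. Both heuristics will fire on legitimate uploads that happen to fit the shape, so they are a triage signal to pair with destination reputation and the process that made the connection, not a verdict on their own.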

This campaign is not the first example of Google Ads abuse. However, it reiterates the importance of vigilance when interacting with websites, including those that appear in Google search results. Users should also equip their devices with an anti-malware solution to avoid potential threats.

Let us know your thoughts in the comments.
