Technology

59069 readers

3743 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

476

Google ads push fake Google Authenticator site installing malware | The ad displays "google.com" and "https://www.google.com" as the click URL, and the advertiser's identity is verified by Google (www.bleepingcomputer.com)

submitted 3 months ago by [email protected] to c/[email protected]

26 comments fedilink hide all child comments

Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware.

In a new malvertising campaign found by Malwarebytes, threat actors created ads that display an advertisement for Google Authenticator when users search for the software in Google search.

What makes the ad more convincing is that it shows 'google.com' and "https://www.google.com" as the click URL, which clearly should not be allowed when a third party creates the advertisement.

We have seen this very effective URL cloaking strategy in past malvertising campaigns, including for KeePass, Arc browser, YouTube, and Amazon. Still, Google continues to fail to detect when these imposter ads are created.

Malwarebytes noted that the advertiser's identity is verified by Google, showing another weakness in the ad platform that threat actors abuse.

When the download is executed, it will launch the DeerStealer information-stealing malware, which steals credentials, cookies, and other information stored in your web browser.

Users looking to download software are recommended to avoid clicking on promoted results on Google Search, use an ad blocker, or bookmark the URLs of software projects they typically use.

Before downloading a file, ensure that the URL you're on corresponds to the project's official domain. Also, always scan downloaded files with an up-to-date AV tool before executing.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 15 points 3 months ago (2 children)

I'm confused, does this mean that an ad can show the URL "google.com" even though clicking on it will take you to a different URL? Why doesn't Google just make it so that the ad shows the actual URL that the ad links to?

[–] [email protected] 3 points 3 months ago

If I remember correctly the bad guys use similar characters that render the same (or close to) “standard” characters.

[–] [email protected] 18 points 3 months ago* (last edited 3 months ago) (1 children)

That's actually pretty simple to do. I don't know if this is how they did it, but one way is just creating an tag with the href to google.com. that'll show the destination if you hover over it. Then you just add an event listener to the click event, prevent the default event from executing, and manually redirect somewhere else.

Made a quick example: https://codepen.io/Ghoelian/pen/poXeOyo

[–] [email protected] 18 points 3 months ago (1 children)

Yes, but ads shouldn't have that level of control. They should provide an image or video and a link.

[–] [email protected] 4 points 3 months ago

Oh absolutely. I kinda feel like preventing the default action on a tag like that should just not be allowed, or browsers should not display the target link thing if it has an event listener attached or something.