Google Ads Used to Spread Malware

Bleeping Computer reported that a massive domain typo-squatting campaign was impersonating software companies. The threat actors behind the campaign used the domain names to set up web pages that looked like the product download pages of legitimate software companies but delivered malware instead. Over 200 domains were created to deliver several malware families to a vast number of victims across diverse industries and geographic regions, with no specific targeting pattern apparent. Until now, it was unclear how victims were finding these domains; that question has finally been answered.

Researchers have now discovered a massive number of fraudulent Google ads created to impersonate companies including Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave. The legitimate software download pages are cloned and posted on typo-squatted domains, and the threat actors then buy ad space on Google so that the fake domain appears first when one of the companies is searched for. The technique relies on the victim either not noticing that these results are “ads”, which are clearly marked next to the search result, or believing the ads come from the real company. Malware delivered to victim systems this way includes variants of Raccoon Stealer, a custom version of the Vidar Stealer, and the IcedID malware loader. Google has processes in place to prevent malware from being distributed via ads. To bypass them, the threat actors redirect the victim twice: the Google ad first leads to a non-malicious website, which then performs a second redirect to the website hosting the malware.

Analyst Notes

Companies with well-known brand names should continuously monitor domain name registrations to identify potential typo-squatting attacks impersonating their brand name. The Uniform Domain-Name Dispute Resolution Policy can be used by companies to reclaim brand-infringing domains. If the infringing domain is being used to deliver malware, most domain registrars will honor a request for an immediate take-down of the offending domain. Binary Defense Counterintelligence services include monitoring of typo-squatting domain names and review of impersonating websites.
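As an added illustration of the registration monitoring described above (example code, not part of the advisory or any Binary Defense product), the Python screener below compares the registrable label of each newly registered domain against a list of protected brand names, first undoing the look-alike character substitutions typo-squatters rely on. The brand list, the substitution table and the feed of domains are constructed for the example; the threshold is a tuning assumption.

```python
import re
from difflib import SequenceMatcher

# Brands to protect (constructed list; names taken from the vendors named in the advisory)
BRANDS = ["grammarly", "slack", "malwarebytes", "anydesk", "obsproject"]

# Common visual substitutions used in typo-squats (constructed table, not exhaustive)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

def normalize(label):
    """Undo look-alike substitutions so 'gramrnar1y' compares as 'grammarly'.
    This is a heuristic: legitimate words containing 'rn' are altered too."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s

def registrable_label(domain):
    """Return the second-level label ('grammarly-download.com' -> 'grammarly-download')."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score(label, brand):
    """Similarity in [0, 1]; a label that embeds the whole brand counts as a full match."""
    if brand in label:
        return 1.0
    return SequenceMatcher(None, label, brand).ratio()

def flag_typosquats(domains, brands=BRANDS, threshold=0.8):
    """Return (domain, brand, score) for registrations that resemble a protected brand.
    A label spelled exactly like the brand is treated as the legitimate domain and skipped."""
    hits = []
    for d in domains:
        label = registrable_label(d)
        norm = normalize(label)
        # Hyphenated compounds such as 'grammarly-download' hide the brand behind extra tokens
        tokens = [t for t in re.split(r"[-_]", norm) if t]
        for b in brands:
            if label == b:
                continue
            best = max(score(t, b) for t in tokens + [norm])
            if best >= threshold:
                hits.append((d, b, round(best, 2)))
                break
    return hits

# Constructed sample of newly registered domains (not real indicators)
SAMPLE_FEED = ["grammarly.com", "gramrnarly-download.com", "s1ack-app.net",
               "malwarebyte.org", "anydesk.com", "example.org"]

if __name__ == "__main__":
    for hit in flag_typosquats(SAMPLE_FEED):
        print(hit)
```

In practice the feed would come from a certificate-transparency log or a registrar's daily zone-file delta, and each hit would be reviewed for a cloned download page before any take-down request is filed.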

The best way to avoid falling victim to these attacks is to not click on ads when searching on Google for software downloads. Even if an ad looks relevant, the genuine search result should appear near the top of the list just below the ads and is the more reliable choice. After clicking a search result, double-check the final landing page and its domain name to be sure it is the real company website and not a misspelled version of the company name.