Google being impersonated on Google Ads by scammers peddling fake Authenticator


Hackers are abusing Google Ads to masquerade as Google, tricking users into downloading a Google Authenticator that’s actually malware on GitHub. And the ads appear to be verified by Google.

Brand impersonation on Google is getting worse, with threat actors now impersonating Google itself.

A new report by Malwarebytes Labs reveals that malicious ads on Google appear official and even verified by Google, while tricking innocent victims into downloading malware or losing private data to phishing sites.


“If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer,” researchers warn.

How does this scam work?

When you search for something on Google, related (sponsored) ads appear at the top. Hackers have found a way to present malicious ads as if they were from official sources, with the advertisers’ identities even shown as verified by Google.

In the example provided, the ad for Google Authenticator shows the official google.com website and a proper description. Users who choose to check the advertiser will find “Larry Marr.” Even so, Google states that the advertiser's identity is verified by Google.

Image by Malwarebytes Labs.

“The truth is Larry Marr has nothing to do with Google, and is likely a fake account,” Malwarebytes said.

When users click on the ad, they are redirected multiple times between intermediary domains controlled by the attacker. Ultimately, they land on a fake site for the Authenticator.

In this case, the fraudulent site chromeweb-authenticators[.]com was registered via hosting provider NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day as the ad was observed.


The chain of events doesn’t end here. The fake websites offer users a download of Authenticator.exe, which is hosted on GitHub, a platform widely used by developers to share their work.

The file was signed just one day before, but it's still a valid signature. Songyuan Meiying Electronic Products Co., Ltd., an unknown company, was listed as the signer, not Google.
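The signature detail above shows why a "valid" status alone is not a trust signal: the signer also has to match the publisher you expect. The PowerShell function below is an added example, not from the Malwarebytes report or this article; the function name, the file path in the usage comment and the 'Google LLC' publisher string are assumptions.

```powershell
# Added example: check a downloaded installer's Authenticode signer against
# the publisher(s) you expect, instead of trusting "signature is valid" alone.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Assumption: an allowlist of publisher names you maintain yourself.
        [Parameter(Mandatory)] [string[]] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Simple name (normally the CN) of the signing certificate's subject.
    $signer = if ($cert) {
        $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
    } else { $null }

    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status: $($sig.Status)"
    }
    if (-not $signer) {
        $reasons += 'no signer certificate'
    } elseif ($ExpectedPublisher -notcontains $signer) {
        # The case described in the article: cryptographically valid signature,
        # but the signer is not the vendor the user thinks they are installing from.
        $reasons += "signer '$signer' is not an expected publisher"
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        Signer        = $signer
        CertNotBefore = if ($cert) { $cert.NotBefore } else { $null }
        Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
        Trusted       = ($reasons.Count -eq 0)
        Reasons       = $reasons
    }
}

# Usage (hypothetical path and publisher value):
# Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\Authenticator.exe" `
#     -ExpectedPublisher 'Google LLC'
```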

Authenticator.exe, if installed, would compromise a user's computer with DeerStealer, a stealer malware that exfiltrates personal data. The source code of the landing page revealed comments in Russian.

Why would threat actors post malware on GitHub?

“Hosting the file on GitHub allows the threat actor to use a trusted cloud resource, unlikely to be blocked via conventional means. While GitHub is the de facto software repository, not all applications or scripts hosted on it are legitimate,” Malwarebytes Labs explains.

Anyone can create an account on GitHub and upload files. The threat actor exploited that by creating the username “authe-gogle,” and the malicious repository “authgg” that contained the Authenticator.exe file.

Previously, a similar infection chain was discovered by AnyRun, an interactive cloud-based malware sandbox. However, the signatures and account names were different.

The real Google Authenticator is a well-known and trusted multi-factor authentication tool, recommended by many cybersecurity professionals.

“There is some irony in potential victims getting compromised while trying to improve their security posture. We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly,” the report concluded.


Google “verified” scammers that impersonate brands on Google Ads are now a widespread problem. Cybernews has already reported on similar Facebook fake ads that led to scams.