Cybercriminals are finding new ways to poison search results. They’re filling Google with paid ads using so-called ‘malvertising’ campaigns, which lead unaware users to malicious sites that exploit their data and trust.
Hackers and fraudsters have found another trick up their sleeves. Now, they’re paying to put malicious sites at the top of search results in the form of ads, as disclosed by cybersecurity company Sophos.
This practice, known as “malvertising,” guarantees visibility and is often aimed at users looking for popular downloads, like software applications.
Previous campaigns targeted users by googling CCleaner, WinRAR, Notepad++, VLC, OBS, VirtualBox, Blender 3D, or Capcut.
Even googling Adobe, Gimp, Slack, Tor, or Thunderbird could spell trouble, as malicious ads could infect a computer with malware such as Aurora Stealer, RedLine, Vidar, FormBook, and other stealers or trojans.
There have been cases when searching for the screencasting and streaming app OBS brought as many as five malicious links at the top of the search results.
The most recent paid ads are often AI-related, disguised as tools such as Midjourney or ChatGPT.
Researchers are still trying to determine what’s behind the rise in malvertising. One cause could be a recent decision by Microsoft, which has blocked macros in untrusted documents by default. This move may have encouraged cyber crooks to go looking for other attack vectors.
Another possible explanation is that criminals may use malvertising-as-a-service from matured marketplaces. Increased availability of these services, together with lower prices, could be a driving factor for the explosion in fake advertising. Several sellers list compromised Google Ads accounts for sale, according to Sophos.
Malvertising allows attackers to keep the infection chain short, as only four steps are required:
Google Ads allows customers, including threat actors, to target specific users, particularly geographically, and personalize campaigns based on system language, area, searched keywords, etc.
One observed example was searching for the keyword TradingView in Europe. The fake ad led to a website that encouraged visitors to download the software. However, instead of the legitimate application, researchers got a ZIP file containing an MSI installer. This in turn contained an obfuscated PowerShell script designed to run in the background with genuine TradingView software.
Guess what the script did? It installed a banking trojan, using the password “putingod” for decryption.
Malvertising builds on SEO poisoning, a popular technique that cybercriminals use to get their malicious sites higher up in search results. SEO poisoning involves tricking search engines, as threat actors put specific keywords on the websites they control (either their own or ones they’ve compromised), hoping that they get pushed up to the top of search results.
More from Cybernews
Subscribe to our newsletter