
Cybercriminals use Google Ads to promote cloned software websites

Cybercriminals have deployed a new malicious campaign that takes advantage of Google Ads to promote cloned software web pages, through which they deliver different types of malware, such as Raccoon Stealer and Vidar, once victims have downloaded the fake installers to their devices.

Programs such as Grammarly, Microsoft Visual Studio, Thunderbird, OBS, TeamViewer, Slack and Zoom have been impersonated in this campaign, which has been active throughout the month of December, as reported by Nati Tal, director of Guardio Labs, a company that produced a report together with Trend Micro. The report explains the ‘modus operandi’ of these cyber-fraudsters.

Specifically, the fraudsters placed a series of advertisements, bought through Google Ads, for software download web pages that appear legitimate but are counterfeit.


In this sense, it should be remembered that Google Ads allows advertisers to promote their web pages in Google Search and places them at the top of the results list. Hence, once these websites are cloned, users without an ad blocker will see these ads first.

If Google detects that a campaign’s target site is malicious, it blocks the campaign and removes the ads. For this reason, cybercriminals have developed a strategy to evade this security system.

As reported by Guardio Labs and Trend Micro, scammers have used a trick to take victims who click on the ad to a benign site created by them, and then to the malicious cloned website.


Hence, they initially use websites with very similar names as bait. This is the case of the grammar and spelling application Grammarly, for which cloned pages with names such as ‘grammartly’ or ‘gramnarly’ have been found.

Once the user has reached these pages, the cybercriminals attack in different ways. First, they deliver the legitimate software with the malware embedded, which runs in the background once the downloaded program is run.


Another form of attack uses ZIP archives whose files have been padded so that the total size exceeds the maximum file size that automated malware scanning systems will analyse. Likewise, they ensure that less than 1 percent of the code contains malicious fragments, so the ‘software’ goes unnoticed. In addition, the cybercriminals rotate their payloads periodically.
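The size-based evasion described above can be checked for on the defender's side: rather than skipping an archive because it is too large, inspect the ZIP central directory and flag entries whose uncompressed size is far larger than their compressed size (zero-filled padding compresses almost to nothing). The following is an added example, not code from the Guardio Labs or Trend Micro report; the scanner limit, the padding ratio threshold and the sample archive are all constructed assumptions.

```python
import io
import zipfile
from dataclasses import dataclass

SCANNER_MAX_BYTES = 64 * 1024 * 1024   # assumed per-file limit of a scanning pipeline
PAD_RATIO = 20.0                       # assumed uncompressed/compressed ratio that suggests padding


@dataclass
class Finding:
    name: str
    compressed: int
    uncompressed: int
    ratio: float
    exceeds_limit: bool   # would be dropped by a size-limited scanner
    looks_padded: bool    # compresses so well it is probably filler


def inspect_archive(data: bytes, max_bytes: int = SCANNER_MAX_BYTES,
                    pad_ratio: float = PAD_RATIO) -> list[Finding]:
    """Read only the ZIP central directory; no entry is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            findings.append(Finding(
                name=info.filename,
                compressed=info.compress_size,
                uncompressed=info.file_size,
                ratio=round(ratio, 1),
                exceeds_limit=info.file_size > max_bytes,
                looks_padded=ratio > pad_ratio,
            ))
    return findings


def is_bloated(findings: list[Finding]) -> bool:
    """True when some entry is both over the scanner limit and padding-like."""
    return any(f.exceeds_limit and f.looks_padded for f in findings)


def build_sample_archive(pad_len: int) -> bytes:
    """Constructed sample: a small fake installer plus a zero-filled filler file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", b"MZ" + bytes(range(256)) * 4)  # not a real executable
        zf.writestr("data.bin", b"\0" * pad_len)
    return buf.getvalue()
```

Running inspect_archive on such a sample with a 1 MiB limit reports data.bin as both over the limit and padding-like, while setup.exe is neither.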

According to reports from these cybersecurity companies, one of the malicious payloads intercepted is Vidar, a Trojan targeting the GPU of infected devices, which has mainly affected users in Canada and the United States. Specifically, it reached them through searches for the AnyDesk and MSI Afterburner programs.


Guardio Labs and Trend Micro recommend that users not place blind trust in Google and in the search results promoted through Google Ads. Likewise, they insist on applying a more rigorous level of protection even to the simplest action, “like searching for something on Google”, as Nati Tal put it.

Source: Elcomercio
