Google Ads malvertising campaign prompts questions around Search security
A leading security researcher has called into question why Google still allows malware links to top search results
Paid advertising links on Google Search are being used by cyber criminals to push malware, in a strategy that could threaten businesses looking to use free software.
Top listings on the search engine that purport to link to legitimate software websites were instead found to be decoys leading to websites containing malware such as infostealers.
The abuse of Google's ubiquitous search engine was brought to light after a cryptocurrency influencer mistakenly downloaded a malicious package after clicking on an advertising link for popular streaming software OBS.
After running the executable file provided on the website, the victim's accounts on Substack and Twitter were hacked, and their NFT wallet was stolen.
Security researcher Will Dormann detailed the issue in a Twitter thread, and openly questioned why Google-owned threat analyser VirusTotal cannot be used to automatically check sponsored links for malware.
The popular file and link-checking website was acquired by Google in 2012, and flagged the malvertising links used in the campaign as threats when manually fed into the system.
Despite this, Google had not blacklisted the links on its Ads platform, seemingly accepting money from threat actors without checking the listed links for threats at all.
In other cases, Dormann noted that VirusTotal did not flag links as malicious even though the packages they pushed were found, on inspection, to contain highly suspicious PowerShell commands.
He alleged that the threat actor behind this package is still paying Google for fake listings on software such as VLC Media Player, Rufus, and uTorrent.
Some software developers seem to be aware of the issue: those behind Notepad++ appear to have spent money to ensure their software appears first in results, and OBS has issued an official warning linking to the only legitimate site from which its software may be obtained.
Malvertising, the method through which malicious software or links are hidden in seemingly safe advertising, is often used by hackers on untrustworthy websites behind suspicious banner ads.
“Protecting users is our top priority,” said a Google spokesperson in response to a request from IT Pro.
“We take dishonest business practices very seriously and consider them to be an egregious violation of our policies. Where we find ads that breach our policies we take immediate action.”
The company did not directly respond to questions regarding why it has not implemented automatic VirusTotal scans for links on their platform.
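The kind of automated check Dormann is asking about can be built against VirusTotal's public v3 URL-report endpoint. The following is an added illustration, not code from Google, VirusTotal or the article: it derives the v3 URL identifier (base64url of the URL with padding stripped), prepares the lookup request, and turns the `last_analysis_stats` block of a report into an allow/block decision. The sample response, the domain in it and the one-engine block threshold are constructed assumptions for the example.

```python
import base64
import json
import urllib.request

# Constructed sample in the shape of a GET /api/v3/urls/{id} response,
# trimmed to the fields used below. Not a real VirusTotal report; the
# domain is a placeholder standing in for a decoy ad landing page.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "attributes": {
            "url": "https://obs-project-download.example/setup.exe",
            "last_analysis_stats": {
                "malicious": 9, "suspicious": 1, "harmless": 60,
                "undetected": 20, "timeout": 0,
            },
        }
    }
})


def vt_url_id(url: str) -> str:
    """VirusTotal v3 URL identifier: base64url of the URL, '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def build_request(url: str, api_key: str) -> urllib.request.Request:
    """Prepare the v3 report lookup; the caller decides when to send it."""
    return urllib.request.Request(
        f"https://www.virustotal.com/api/v3/urls/{vt_url_id(url)}",
        headers={"x-apikey": api_key},
    )


def verdict(report_json: str, threshold: int = 1) -> dict:
    """Reduce last_analysis_stats to a block decision.

    threshold is an assumption for this example: one engine calling the
    URL malicious or suspicious is enough to hold the listing for review.
    """
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return {
        "url": attrs["url"],
        "flagged": flagged,
        "engines": sum(stats.values()),
        "block": flagged >= threshold,
    }


if __name__ == "__main__":
    print(vt_url_id("http://www.virustotal.com"))
    print(verdict(SAMPLE_RESPONSE))
```

A real deployment would send `build_request(...)` with `urllib.request.urlopen` and feed the response body to `verdict`; a URL that has never been scanned returns 404 from this endpoint and must first be submitted for analysis.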
Malvertising: A deeper issue
The HP Wolf Security Threat Research Team published a report on malvertising campaigns that used fake listings for popular free software as an attack vector.
Programs such as Audacity, Teams, Discord, and the Adobe Creative Cloud suite of apps were used as bait by threat actors to distribute malware.
Vidar Stealer, a malware strain used to steal data such as passwords and cryptocurrency wallets from victims, was one such program spread in the campaign, along with the Trojan IcedID which is used to steal financial credentials and compromise corporate networks.
Researchers noted that malicious packages downloaded through the campaign were large, with one example being 343MB. This is believed to be an antivirus evasion tactic, as larger files can circumvent automatic scans with some software.
“Many organisations use software distribution systems, which means that the software does not have to be downloaded by the end user but is provided by the system administrator,” said Patrick Schläpfer, malware analyst at HP Wolf Security.
“If you even block the download of such software for end users, you greatly limit this attack vector and are even more protected against such attacks.”
The use of Google Ads to deliver malware was also previously highlighted in July 2022 when Malwarebytes researchers warned of Google search results hiding malicious links. The sophisticated campaign used inline frames to push malicious domains onto users without revealing their URLs.