Google Ads malvertising campaign prompts questions around Search security
A leading security researcher has called into question why Google still allows malware links to top search results
Paid advertising links on Google Search are being used by cyber criminals to push malware, in a strategy that could threaten businesses looking to use free software.
Top listings on the search engine that purport to link to legitimate software websites were instead found to be decoys leading to websites containing malware such as infostealers.
The abuse of Google's ubiquitous search engine was brought to light after a cryptocurrency influencer mistakenly downloaded a malicious package after clicking on an advertising link for popular streaming software OBS.
After running the executable file provided on the website, the victim's accounts on Substack and Twitter were hacked, and their NFT wallet was stolen.
Security researcher Will Dormann detailed the issue in a Twitter thread, and openly questioned why Google-owned threat analyser VirusTotal cannot be used to automatically check sponsored links for malware.
The popular file and link-checking website was acquired by Google in 2012, and flagged the malvertising links used in the campaign as threats when manually fed into the system.
Despite this, Google had not blocked the links on its Ads platform, seemingly accepting money from threat actors without checking the advertised destinations for threats at all.
In other cases, Dormann noted, VirusTotal did not flag the links as malicious even though inspection of the packages they delivered revealed highly suspicious PowerShell commands.
He alleged that the threat actor behind this package is still paying Google for fake listings impersonating software such as VLC Media Player, Rufus, and uTorrent.
Small and medium businesses could be at particular risk from this campaign, as these firms typically rely on free media and productivity software, the likes of which are being mimicked.
Some software developers appear to be aware of the issue: the team behind Notepad++ appears to have paid for advertising so that its own listing appears first in results, and OBS has issued an official warning naming the only legitimate site from which its software may be obtained.
Malvertising, the practice of hiding malicious software or links inside seemingly safe advertising, has traditionally been associated with suspicious banner ads on untrustworthy websites; in this campaign the bait sits in sponsored results at the top of the world's most widely used search engine.
“Protecting users is our top priority,” said a Google spokesperson in response to a request from IT Pro.
“We take dishonest business practices very seriously and consider them to be an egregious violation of our policies. Where we find ads that breach our policies we take immediate action.”
Google's ad policy prohibits the posting of links that hide malware, and in January 2021 the firm began to ask advertisers registered in certain countries to verify their identity.
The company did not directly respond to questions regarding why it has not implemented automatic VirusTotal scans for links on its platform.
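The check Dormann is asking for is not exotic. The following is an added example, not code from the article, Google or VirusTotal, of what an automated pre-publication check of a sponsored link could look like against VirusTotal's v3 API. It assumes the documented endpoints GET /api/v3/urls/{id}, where the id is the unpadded base64url encoding of the URL, and GET /api/v3/files/{sha256}, with the API key sent in the x-apikey header; the hostnames and analysis counts in the offline fixtures are constructed for illustration, and the HTTP client is injectable so the module runs without network access.

```python
import base64
import hashlib
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional

VT_API = "https://www.virustotal.com/api/v3"


def vt_url_id(url: str) -> str:
    """VirusTotal v3 addresses a URL object by the unpadded base64url
    encoding of the URL string."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def vt_file_id(data: bytes) -> str:
    """File objects are addressed by hash; SHA-256 is the canonical id."""
    return hashlib.sha256(data).hexdigest()


def verdict(report: Optional[Dict[str, Any]], max_suspicious: int = 2) -> str:
    """Turn last_analysis_stats into a publishing decision.

    None means VirusTotal has no record of the object (HTTP 404). That is
    not a clean bill of health: the caller should submit the object for
    analysis and hold the ad until a report exists."""
    if report is None:
        return "unknown"
    stats = report["data"]["attributes"]["last_analysis_stats"]
    if stats.get("malicious", 0) > 0:
        return "block"
    if stats.get("suspicious", 0) > max_suspicious:
        return "review"
    return "allow"


def live_fetch(endpoint: str, headers: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """Real HTTP client for the v3 API (not exercised offline)."""
    req = urllib.request.Request(endpoint, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # never seen by VirusTotal
            return None
        raise


Fetcher = Callable[[str, Dict[str, str]], Optional[Dict[str, Any]]]


def check_sponsored_link(url: str, api_key: str, fetch: Fetcher = live_fetch) -> str:
    """Look up the ad's landing URL before the ad goes live."""
    report = fetch(f"{VT_API}/urls/{vt_url_id(url)}", {"x-apikey": api_key})
    return verdict(report)


def check_download(payload: bytes, api_key: str, fetch: Fetcher = live_fetch) -> str:
    """Look up the installer the landing page serves; a clean URL verdict
    says nothing about the file behind it (the case Dormann describes)."""
    report = fetch(f"{VT_API}/files/{vt_file_id(payload)}", {"x-apikey": api_key})
    return verdict(report)


# --- constructed offline fixtures: hostnames are invented (.example TLD) ---
def _stats(**counts: int) -> Dict[str, Any]:
    return {"data": {"attributes": {"last_analysis_stats": counts}}}


SAMPLE_REPORTS: Dict[str, Dict[str, Any]] = {
    # lookalike download site flagged by nine engines
    vt_url_id("https://obs-studio-download.example/obs-setup.exe"):
        _stats(harmless=60, malicious=9, suspicious=1, undetected=20),
    # the vendor's real site, clean
    vt_url_id("https://obsproject.com/"):
        _stats(harmless=85, malicious=0, suspicious=0, undetected=5),
    # a URL that looks clean while the file it serves does not
    vt_url_id("https://rufus-mirror.example/rufus.exe"):
        _stats(harmless=70, malicious=0, suspicious=0, undetected=20),
    vt_file_id(b"MZ\x90\x00constructed dropper bytes"):
        _stats(harmless=0, malicious=31, suspicious=2, undetected=37),
}


def offline_fetch(endpoint: str, headers: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """Stand-in for live_fetch that serves the fixtures above."""
    return SAMPLE_REPORTS.get(endpoint.rsplit("/", 1)[1])


if __name__ == "__main__":
    for u in ("https://obs-studio-download.example/obs-setup.exe",
              "https://obsproject.com/",
              "https://never-seen-before.example/"):
        print(u, "->", check_sponsored_link(u, "demo-key", offline_fetch))
    print("rufus.exe ->", check_download(b"MZ\x90\x00constructed dropper bytes", "demo-key", offline_fetch))
```

Two caveats for anyone wiring this into a real pipeline: the URL object VirusTotal returns is for the exact string you encode, so resolve the ad's tracking redirects and check the final landing URL, not the click URL; and, as the second lookup shows, a clean URL report must be paired with a hash lookup (or submission) of the file the page actually serves, because the URL scanners may never have fetched the installer.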
Malvertising: A deeper issue
The HP Wolf Security Threat Research Team published a report on malvertising campaigns that used fake listings for popular free software as an attack vector.
Programs such as Audacity, Teams, Discord, and the Adobe Creative Cloud suite of apps were used as bait by threat actors to distribute malware.
Vidar Stealer, a malware strain used to steal data such as passwords and cryptocurrency wallets from victims, was one payload spread in the campaign, along with the trojan IcedID, which is used to steal financial credentials and to gain a foothold in corporate networks.
Researchers noted that the malicious packages downloaded through the campaign were unusually large, one example weighing in at 343MB. This is believed to be an antivirus evasion tactic: some scanning engines and upload-based sandboxes enforce a maximum file size and skip anything above it, so inflating an installer can keep it from being inspected at all.
“Many organisations use software distribution systems, which means that the software does not have to be downloaded by the end user but is provided by the system administrator,” said Patrick Schläpfer, malware analyst at HP Wolf Security.
“If you even block the download of such software for end users, you greatly limit this attack vector and are even more protected against such attacks.”
The use of Google Ads to deliver malware was also previously highlighted in July 2022 when Malwarebytes researchers warned of Google search results hiding malicious links. The sophisticated campaign used inline frames to push malicious domains onto users without revealing their URLs.
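An analyst triaging a suspect ad landing page can look for exactly that pattern: frames that pull content from a domain other than the page's own, or that are sized or styled so the visitor never sees them. The following is an added example, not code from Malwarebytes or from the article, of such an audit over fetched HTML using only the standard library; the page URL and markup below are constructed, with invented .example hostnames.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


def is_hidden(attrs: Dict[str, str]) -> bool:
    """Zero-sized, display:none/visibility:hidden or `hidden` frames render
    nothing the visitor can see, which is how a silent redirect stays quiet."""
    if "hidden" in attrs:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().removesuffix("px")
        if value.isdigit() and int(value) == 0:
            return True
    return False


class IframeAudit(HTMLParser):
    """Collects iframes whose source is off-origin and/or invisible."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs -> ""
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative paths, about:blank, srcdoc
        reasons = []
        if host and host != self.page_host:
            reasons.append(f"third-party source {host}")
        if is_hidden(a):
            reasons.append("hidden frame")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_iframes(page_url: str, html: str) -> List[Dict[str, object]]:
    parser = IframeAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# --- constructed sample page (not a real capture) ---
SAMPLE_PAGE_URL = "https://free-media-downloads.example/obs"
SAMPLE_HTML = """<html><body>
<h1>Download OBS</h1>
<iframe src="/assets/banner.html" width="300" height="250"></iframe>
<iframe src="https://cdn-ads.example/unit.html" width="728" height="90"></iframe>
<iframe src="https://payload-host.example/drop" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

The same-origin frame in the sample is deliberately left unflagged; what it loads can still redirect, so in practice the audit runs on the DOM after the page has finished loading (a headless browser) rather than on the raw first response, and every third-party host it reports is then resolved and checked in the same way as the ad's landing URL.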

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
