this post was submitted on 01 Aug 2024
475 points (99.2% liked)

Technology

58135 readers
4493 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
475
Google ads push fake Google Authenticator site installing malware | The ad displays "google.com" and "https://www.google.com" as the click URL, and the advertiser's identity is verified by Google (www.bleepingcomputer.com)
submitted 1 month ago by ForgottenFlux@lemmy.world to c/technology@lemmy.world
27 comments fedilink hide all child comments
 

Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware.

In a new malvertising campaign found by Malwarebytes, threat actors created ads that display an advertisement for Google Authenticator when users search for the software in Google search.

What makes the ad more convincing is that it shows 'google.com' and "https://www.google.com" as the click URL, which clearly should not be allowed when a third party creates the advertisement.

We have seen this very effective URL cloaking strategy in past malvertising campaigns, including for KeePass, Arc browser, YouTube, and Amazon. Still, Google continues to fail to detect when these imposter ads are created.

Malwarebytes noted that the advertiser's identity is verified by Google, showing another weakness in the ad platform that threat actors abuse.

When the download is executed, it will launch the DeerStealer information-stealing malware, which steals credentials, cookies, and other information stored in your web browser.

Users looking to download software are recommended to avoid clicking on promoted results on Google Search, use an ad blocker, or bookmark the URLs of software projects they typically use.

Before downloading a file, ensure that the URL you're on corresponds to the project's official domain. Also, always scan downloaded files with an up-to-date AV tool before executing.

you are viewing a single comment's thread
view the rest of the comments
[–] kevincox@lemmy.ml 141 points 1 month ago (3 children)

Allowing showing different domains than the actual click target is wildly reckless and should be punishable.

"Oh but our poor advertisers want to use click tracking and it is too hard to set up on their main domain". Oh boo hoo, I'm sure if it is important to them they will figure it out.

[–] trashgirlfriend@lemmy.world 51 points 1 month ago (1 children)

I worked for Google Ads support for a while and even this dumbed down system completely stumped so many fucking people.

God I hate advertising and advertisers so much.

These useless fucking cunts wanted every feature imaginable, setup for free, with no effort of research done from them.

That job made me hate taxi drivers so much.

[–] uninvitedguest@lemmy.ca 33 points 1 month ago (1 children)

What do taxi drivers have to do with it?

[–] Plopp@lemmy.world 9 points 1 month ago (1 children)

They are probably in cahoots with the lemon stealing whores.

[–] uninvitedguest@lemmy.ca 3 points 1 month ago (1 children)

What do lemons have to do with it?

[–] Plopp@lemmy.world 5 points 1 month ago

The lemon was stealing all the whores and used a taxi to get away with them.

[–] CosmicTurtle0@lemmy.dbzer0.com 18 points 1 month ago

Even then it should be easy to add an additional field in their ad profile. Like "provide a list of domains your ads will go to."

And then set up some sort of domain authentication similar to let's encrypt or SPF records.

[–] Wispy2891@lemmy.world 6 points 1 month ago* (last edited 1 month ago) (1 children)

Probably they exploited the Google search redirect to have show google.com

Like this http://www.google.com/search?q=example&btnI

And because Google is a startup with limited resources they didn't implement a check against that

[–] kevincox@lemmy.ml 8 points 1 month ago

Probably not. Google Ads explicitly allows mismatch between displayed domain and actual domain. This is literally a supported configuration with no tricks.

The link you sent gives me a "Redirect Notice" interstitial that mitigates this attack greatly.