Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware.

In a new malvertising campaign found by Malwarebytes, threat actors created ads that display an advertisement for Google Authenticator when users search for the software in Google search.

What makes the ad more convincing is that it shows ‘google.com’ and “https://www.google.com” as the click URL, which clearly should not be allowed when a third party creates the advertisement.

We have seen this very effective URL cloaking strategy in past malvertising campaigns, including for KeePass, Arc browser, YouTube, and Amazon. Still, Google continues to fail to detect when these imposter ads are created.

Malwarebytes noted that the advertiser’s identity is verified by Google, showing another weakness in the ad platform that threat actors abuse.

When the download is executed, it will launch the DeerStealer information-stealing malware, which steals credentials, cookies, and other information stored in your web browser.

Users looking to download software are recommended to avoid clicking on promoted results on Google Search, use an ad blocker, or bookmark the URLs of software projects they typically use.

Before downloading a file, ensure that the URL you’re on corresponds to the project’s official domain. Also, always scan downloaded files with an up-to-date AV tool before executing.

  • azron
    link
    fedilink
    English
    474 months ago

    Verified by Google == The transaction went through.

      • @mecfs
        link
        English
        184 months ago

        Urgh I hate apple. Can’t choose something else but these default options. And I have to use the safari browser because it is the only one that has the accomodations for my disability I need.

        (replying from my alt cuz image hosting is down on blahaj.zone)

    • im sorry i broke the code
      link
      fedilink
      English
      14 months ago

      Meh, the results have got very bad. They are mostly ads now and every damn article is provided not by its origin but msn

    • @[email protected]
      link
      fedilink
      English
      54 months ago

      Unfortunately true. Support sites you love through purchases, subscriptions, and donations. Ads are, at best, a vector of mental malware. At worst, a vector of actual malware.

      • @[email protected]
        link
        fedilink
        English
        24 months ago

        The issue is, that people always say this but then people don’t donate.

        People have server costs and living costs and ads are realistically the only way to contribute to those. I always swing €5 here and there to developers whos apps I use often but most people don’t: look at the Ko-fi page of small devs and they probably have less than €50 total, That’s a couple months of server costs probably.

  • @[email protected]
    link
    fedilink
    English
    12
    edit-2
    4 months ago

    had someone call the other day that nearly got scammed after clicking the top ‘result’ (it was an ad) on a google search for amazon.

    • @Broken_Monitor
      link
      English
      44 months ago

      I feel like if they’re dumb enough to google search for amazon instead of just typing amazon.com then this is far from the only scam they’re falling for.

    • TWeaK
      link
      fedilink
      English
      24 months ago

      FFS, that’s got to be by design. Like, Google recognises that you’re an easy target for scammers and directs you towards them.

      I bet if you did the same search logged into your own account, or even not logged in at all, you wouldn’t get the same result.

  • TWeaK
    link
    fedilink
    English
    74 months ago

    If Google make money from this, then why would they stop?

    Also, Lemmy and markdown in general requires you to put a > on the blank lines to make a continuous quote. Reddit has taught us all wrong.

    Like

    this

      • wanderingmagus
        link
        fedilink
        English
        44 months ago

        You need the > on every line you want to be in the quote format.

        > Quote line

        > <- Empty line that’s part of the quote

        > Continuation of the quote after the empty line

        ^This would appear as:

        Quote line

        Continuation of the quote after the empty line

  • @[email protected]
    link
    fedilink
    English
    4
    edit-2
    4 months ago

    See!!! I knew this shit was gonna happen. Check out my post from a while back - on chrome and edge, when you hover over the links, they resolve instead of showing you the top link.

    This means they can setup infra and evade scanning to redirect probes to legit sites like retailers, bank homepages, etc.