FBI warns of search engine ads pushing malware, phishing

The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.

In today’s public service announcement, the federal law enforcement agency said threat actors purchase advertisements that impersonate legitimate businesses or services. These ads appear at the top of search result pages and link to sites that look identical to the impersonated company’s website.

“When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result,” warns the FBI.

“These advertisements link to a webpage that looks identical to the impersonated business’s official webpage.”

When users search for software, the FBI says the advertisements link to websites that offer a download link for software named after the impersonated application.

The FBI advisory also warns about ads promoting phishing sites that imitate finance platforms and, more specifically, cryptocurrency exchange platforms that invite visitors to enter their account credentials.

Once credentials are entered on these phishing sites, they are stolen by threat actors who use them to steal funds or sell them to other threat actors.

BleepingComputer recently helped reveal a massive typosquatting campaign using over 200 websites impersonating software projects, cryptocurrency exchanges, and wallet platforms to push Windows and Android malware.

Earlier in the year, a site impersonating the GIMP image editor used malvertising to drop the Vidar info stealer on its unsuspecting visitors.

While these advertisements looked like they were promoting the actual gimp.org website, as shown below, they redirected users to a different site pushing malware.

Example of how tricky malicious ads can be (Morphisec)

In another case from March 2022, operators of the Mars stealer abused Google Ads to promote a malicious Open Office lookalike site to distribute their malware.

More recently, the SANS ISC disclosed an AnyDesk malvertising campaign on Google Search that dropped IcedID malware instead of the popular remote desktop app.

How to protect yourself

The most crucial precaution when looking for something online is not to click on the first thing that appears in the search results without checking its URL.

As the first few results on a given search term are usually promoted ads, it is safer to skip them and scroll down until you see the project’s official website search result and use that instead.

“While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link,” warns the FBI.

Furthermore, even checking the link may not always help, as threat actors can create advertisements that display a legitimate URL but redirect users to cloned sites under the attacker’s control.

Another recommendation is to use ad-blockers, which filter out promoted results on Google Search.

If you visit a website frequently, it would be better to bookmark its URL and use that to access it instead of searching for it every time.

Comments

  • xafase – 3 days ago

    Old news that search engines continue to do nothing about since they profit from them.

  • vladal23 – 2 days ago

    Where to find a list of typo-squatting domains?


Source bleepingcomputer.com
