    Using Google to find software can be risky – Krebs talks safety

By techempire

Google continues to fight cybercriminals who run malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. These malicious ads appear above the organic search results and often precede links to legitimate sources for the same software, which can make searching for software on Google a dangerous business.

Google says user safety is its top priority and that it has a team of thousands working around the clock to develop and enforce its abuse policies. Most agree that the threat from bad ads leading to backdoored software has weakened significantly compared with a year ago.

    But online scammers continue to come up with ingenious ways to evade Google’s anti-abuse radar, and new examples of bad ads leading to malware remain common.

For example, earlier this week a Google search for the free graphic design program FreeCAD produced the following results, in which the “sponsored” ad at the top of the page promotes software from freecad-us[.]org. Although that site claims to be the official FreeCAD site, the honor belongs to the result right below it: the legitimate freecad.org.

How do we know freecad-us[.]org is malicious? A lookup at domaintools.com shows that the domain (registered on January 19, 2024) is the newest of more than 200 domains at the Internet address 93.190.143[.]252 that closely resemble popular software names, including dashlane project[.]com, filezilla software[.]com, keeper manager[.]com and freelance work project[.]com.
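From a defender's side, the pattern above (a brand name bolted onto a filler word and parked on a domain the vendor does not own, shown above the genuine result) can be screened for mechanically. The following Python is an added example, not code from the article or from any tool it mentions; the brand-to-official-domain map and the sample results list are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlparse

# Brand -> official registrable domain. Assumed mapping built for this example
# from products the article names; confirm each entry with the vendor yourself.
OFFICIAL_DOMAINS = {
    "freecad": "freecad.org",
    "rainmeter": "rainmeter.com",
    "dashlane": "dashlane.com",
    "filezilla": "filezilla-project.org",
}

# Constructed results list mimicking the page described in the article:
# a sponsored lookalike sits above the legitimate organic result.
SAMPLE_RESULTS = [
    ("sponsored", "https://freecad-us[.]org/download"),
    ("organic", "https://www.freecad.org/downloads.php"),
    ("sponsored", "https://dashlane-project[.]com/"),
    ("organic", "https://rainmeter.com/"),
]

def refang(text):
    """Turn a defanged indicator such as 'freecad-us[.]org' back into a usable form."""
    return text.replace("[.]", ".").replace("(.)", ".").strip().lower()

def registrable_domain(host):
    """Last two labels, e.g. 'www.freecad.org' -> 'freecad.org' (.co.uk-style suffixes need the PSL)."""
    labels = refang(host).rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(host):
    """Return (verdict, brand): 'official', 'lookalike' (brand name on a non-vendor domain) or 'unknown'."""
    domain = registrable_domain(host)
    # 'filezilla-software' -> 'filezillasoftware' so hyphen/underscore tricks do not hide the brand
    squashed = re.sub(r"[^a-z0-9]", "", domain.rsplit(".", 1)[0])
    for brand, official in OFFICIAL_DOMAINS.items():
        if domain == official:
            return "official", brand
        if brand in squashed:
            return "lookalike", brand
    return "unknown", None

def flag_results(results):
    """Return (host, brand) for every sponsored result whose host is a brand lookalike."""
    flagged = []
    for kind, url in results:
        host = urlparse(refang(url)).hostname or ""
        verdict, brand = classify(host)
        if kind == "sponsored" and verdict == "lookalike":
            flagged.append((host, brand))
    return flagged
```

A match on this check is a reason to prefer the organic vendor result and to verify the installer against the vendor's published hash, not proof of malice on its own.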

Some of the domains on the Dutch host appear to be nothing more than software review sites that lift content from established IT publications, including Gartner, Computerworld, Slashdot and TechRadar.

Other domains at 93.190.143[.]252 do offer actual software downloads, and if people reach these sites by direct navigation, none of the software is likely to be malicious. For example, if someone visits openai project[.]org and downloads a copy of Rainmeter, the popular Windows desktop customization application, the downloaded file has exactly the same file signature as the real Rainmeter installer available from rainmeter.com.

But it’s all a ruse, says Tom Hegel, chief threat researcher at security firm SentinelOne. Hegel, who has tracked these malicious domains for more than a year, said that seemingly benign software download sites regularly turn sinister, swapping legitimate copies of popular software for backdoored versions that let cybercriminals remotely command the system.

“They use automated techniques to extract fake content and rotate hosting of the malware,” Hegel said, noting that malicious downloads may only be served to visitors from a specific geographic location, such as the United States. “In the malvertising campaigns we’ve seen associated with this group, they’ve waited until the domain gained legitimacy on search engines, flipped the page for a day or so, and then flipped it back again.”

In February 2023, Hegel co-authored a report on the same network, which SentinelOne dubbed MalVirt (a play on “malvertising”). It concluded that the proliferation of malvertising spoofing various software products has directly led to a proliferation of infections by information-stealing Trojans such as IcedID, Redline Stealer, Formbook and Aurora Stealer.

Hegel noted a spike in malware-themed ads shortly after Microsoft began blocking Office macros by default in files downloaded from the Internet. He said the current volume of malvertising activity from this group appears relatively low compared with a year ago.

“It seems like the same activity continues,” Hegel said. “Last January, every Google search for ‘Autocad’ turned up some bad results. Now, it’s like they’re paying Google for one out of every dozen searches. I guess because of the ups and downs, it still continues; [the] domains hosting the malware appear to be legitimate.”

Several of the websites on the Dutch host (93.190.143[.]252) are currently blocked by Google’s Safe Browsing technology and carry a prominent red warning that the site will attempt to push malware on visitors who ignore the warning and continue.

But why Google hasn’t similarly blocked the more than 240 other domains on the same host, or removed them from its search index entirely, remains a mystery, especially considering that nothing else is hosted at that Dutch IP address and that these domains have sat there for the past year.

    In response to questions from KrebsOnSecurity, Google stated that maintaining a secure advertising ecosystem and preventing malware from entering its platform is a top priority across Google.

“Bad actors often use sophisticated measures to hide their identities and evade our policies and enforcement, sometimes showing one thing to Google and another to users,” Google said in a written statement. “We have reviewed the ad in question, removed the ad that violated our policies, and suspended the account in question. We will continue to monitor and apply our protective measures.”

Google said it removed 5.2 billion ads, restricted more than 4.3 billion ads, and suspended more than 6.7 million advertiser accounts in 2022. The company’s latest ad safety report said Google blocked or removed 1.36 billion ads in 2022 for violating its abuse policies.

Some of the domains cited here were already included in SentinelOne’s February 2023 report, but dozens more have been added since then, including domains spoofing the official download sites for CorelDraw, GitHub Desktop, RoboForm and TeamViewer.

This October 2023 post on the FreeCAD user forum comes from a user who reported downloading a copy of the software from freecadsoft[.]com after seeing the site promoted at the top of Google search results for “freecad.” About a month later, another FreeCAD user reported falling victim to the same scam.

    “This fascinates me,” FreeCAD forum user “Matterform” wrote on November 19, 2023. “Please leave a report with Google so it can flag it. They pay Google for sponsored posts.”

SentinelOne’s report does not delve into the “who” behind this ongoing MalVirt campaign, and there are few clues as to its attribution. All of the domains in question were registered via webnic.cc, and several of them display a placeholder page indicating that the site is ready for content. Looking at the HTML source of these placeholder pages reveals that many of the comments hidden in the code are in Cyrillic.

Attempts to track down the scammers using Google’s ad transparency tools did not make much headway. Ad transparency records for the freecad-us[.]org malvertisement (pictured above) show that the advertiser account used to pay for it had run only one other ad through Google Search before: it advertised a wedding photography website in New Zealand.

    The apparent owner of the photography site did not respond to a request for comment, but it’s also possible that his Google Ads account was hacked and used to run these malicious ads.
