Hackers abuse Google Ads to spread malware in legit software

Discussion in 'malware problems & news' started by Rasheed187, Dec 31, 2022.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I must say that I'm not getting to see these type of ads on Google, but I did in the past, so it depends on what filters you're using in uBlock Origin. I'm not sure if Ghostery and Adblock Plus will block these ads. But I can see many people falling for these scams and it's shocking that Google seems to be blind to this problem.

    https://www.bleepingcomputer.com/ne...ogle-ads-to-spread-malware-in-legit-software/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
This type of attack was also described over here; it seems like the bitcoin mining malware is quite sophisticated since it makes use of code injection. What's also a bit scary is that the legitimate software does actually get installed.

    I believe in this particular attack, the malware doesn't need to get downloaded in the background, but is installed right away together with the legitimate app. Too bad, because otherwise a third party firewall could have helped.

    Would be fun to run this malware to see which behavior blocker could mitigate RedLine and XMR Miner. Assuming that they could first bypass the AV of course.

    https://www.bleepingcomputer.com/ne...ets-windows-gamers-with-miners-info-stealers/
     
    Last edited: Dec 31, 2022
  3. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    This is fun:
    "In this case, the legitimate MSI Afterburner can be downloaded directly from MSI at www.msi.com/Landing/afterburner/graphics-cards."
Where some kind of nation-based hacker(s) hacks the system, replaces the exe with their own signed exe, then the fun begins, especially when using the "basic" and stupid MS Defender. I don't know why MS does not triple-check the signature of the file.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    I'm pretty sure even the default filter lists should block these ads.

    If I understand you correctly, you are mentioning a hypothetical situation, but this hasn't happened yet afaik. Only the impersonation MSI sites are pushing the malicious Afterburner installers.

    This type of compromise just once again illustrates how invaluable ad blockers are as a component of one's security setup and equally important to always obtain downloads directly (not through ads, links or YouTube videos -LOL) from the official website.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
I must say that it wasn't until a couple of months ago that I stopped seeing Google Ads. And I believe I was using the most popular filter lists in uBlock, so I'm not sure what changed.

Not correct, he's probably talking about supply chain attacks, these are even more scary since you download software from the legitimate website. This has happened in the past with for example GOM Player and CCleaner, to name a few.

But I must mention that often these booby-trapped files that are downloaded from fake websites are quite big, let's say 300MB; this makes it harder for AVs to detect the payload. So this should be a clue for users that something isn't right, but let's face it, how many users know the difference between EXE and ZIP files? They probably don't even look at the file size.
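As an added example (not part of this thread, and not anyone's product), here is a small Python triage helper for the points raised in the last two posts: it identifies what a downloaded installer really is by its magic bytes rather than its extension, flags files that are unusually large or mostly NUL padding (the "300MB installer" pattern), and compares the SHA-256 against whatever hash the vendor publishes on its official page. The size threshold, padding ratio and sample bytes are constructed assumptions for the example, not values from any vendor or from the articles linked above.

```python
import hashlib
from typing import List, Optional

# Constructed thresholds for this example; tune per vendor/product.
MAX_REASONABLE_SIZE = 100 * 1024 * 1024   # 100 MB: flag installers larger than this
PADDING_RATIO = 0.5                       # flag when more than half the bytes are NUL


def sniff_type(data: bytes) -> str:
    """Classify the container by its leading magic bytes, ignoring the file extension."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"        # ZIP archive (also the container of many "installer" bundles)
    if data.startswith(b"MZ"):
        return "pe"         # Windows PE executable (EXE/DLL)
    return "unknown"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents, to compare with a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def null_ratio(data: bytes) -> float:
    """Fraction of NUL bytes; padded droppers often consist mostly of zeros."""
    return data.count(0) / len(data) if data else 0.0


def check_download(data: bytes, claimed_ext: str,
                   expected_sha256: Optional[str] = None,
                   max_size: int = MAX_REASONABLE_SIZE) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    kind = sniff_type(data)
    ext = claimed_ext.lower().lstrip(".")

    # 1. Does the extension match the real container?
    if ext == "exe" and kind != "pe":
        findings.append(f"extension .exe but content is {kind}")
    if ext == "zip" and kind != "zip":
        findings.append(f"extension .zip but content is {kind}")

    # 2. Is the file implausibly large, or inflated with NUL padding?
    if len(data) > max_size:
        findings.append(f"size {len(data)} bytes exceeds {max_size}")
    if len(data) > 1024 and null_ratio(data) > PADDING_RATIO:
        findings.append("mostly NUL bytes: likely padded to evade size-limited scanning")

    # 3. Does it match the hash published on the vendor's official site?
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        findings.append("sha256 mismatch against vendor-published hash")

    return findings


if __name__ == "__main__":
    # Constructed samples: a tiny "PE" file and a NUL-padded "PE" file.
    genuine = b"MZ" + b"\x01" * 100
    padded = b"MZ" + b"\x00" * 5000
    print(check_download(genuine, "exe", sha256_hex(genuine)))   # []
    print(check_download(padded, "exe", max_size=2000))
    print(check_download(b"PK\x03\x04" + b"x" * 8, "exe"))       # extension/content mismatch
```

To use it on a real download, read the file with `open(path, "rb").read()` and pass the SHA-256 string copied from the vendor's download page; the hash comparison is the only check that actually proves the file is the one the vendor shipped, the size and padding checks are just the "something isn't right" clue from the post, automated.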
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
Yes understood, I remember the CCleaner attack. I was just saying that afaik it hasn't yet happened to the official MSI site, and this latter type of compromise is going to be far more rare than the impersonation website attacks. At the end of the day, anyone wanting a file download for whatever purpose has to get it from somewhere, and the legitimate website is still the best bet.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, but that's why this is a serious problem, because many people don't have the skill to identify legitimate websites, especially if they see these malicious ads on Google that pop up as first search results. Also, about my earlier comment about filesize, I recently downloaded ACDSee Free which is a whopping 300MB, I find this rather odd. But many people will not notice this stuff.
     
    Last edited: Jan 4, 2023
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    Too bad. Hopefully they'll figure this out sooner rather than later :doubt:
     
  9. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr

    :eek::eek::eek: This is plain scary mate :eek::eek::eek:

    As a whole I see Google as a necessary evil. Generally, I think they're relatively on the ball with overall security. But as a poster says in the linked thread, Google really just attempt to make as much dosh as they can. It seems they see this as a priority rather than what they publicly claim. I run both uBO and Ghostery on Chrome. So it's unlikely I'll see these adverts (I wouldn't click on adverts even if I did).

    Must try harder Big G. :rolleyes:
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
Yes, I've read that security researchers have repeatedly tried to bring this stuff to Google's attention, but they just don't care. It's the same with the fake McAfee helpdesk, I believe they still have not taken those search results down. And years ago a hacker even built a fake website of a Dutch online bank named Knab, which was delivered via Google ads LOL.

    https://www.wilderssecurity.com/thr...ves-search-results.422521/page-2#post-2893564
    https://www.wilderssecurity.com/thr...ves-search-results.422521/page-2#post-2894940
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I expected more from Google.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
BTW, today I installed uBlock Origin on a friend's PC, and uBlock didn't block Google Ads with the standard filters. I wonder what's up with this? So I'm not sure which filter does eventually block it. Perhaps it's AdGuard Tracking and/or AdGuard Annoyances.
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    3,097
    Location:
    the Netherlands
    That is odd.
    Which browser? And uBlock Origin, or uBlock Origin Lite?
I use Firefox, and I usually use Startpage, but when I use Google search, I haven't seen Google ads in years, not with uBlock Origin and not with Adblock Plus, earlier. I don't use exotic filter lists, just the uBlock Origin default, plus the regional list (EasyDutch), plus Fanboy's Social, but even before I used that last one I didn't see Google ads. So I wonder what was wrong with the setup that you tried. Could it be the regional list that makes the difference?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
Then this is odd indeed, because I saw this behavior of Google Ads NOT getting blocked by uBlock Origin with standard filters on at least two Win 10 machines. And I doubt I'm the only one, but I do have to say this was on Vivaldi, though Vivaldi's ad blocker was turned off. I don't use EasyDutch, so that can't be it. Hopefully it's not some hidden conflict. I should try it with Adblock Plus and Ghostery too, to see what happens.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Are you sure you're not mistaking localized search results that show on the right hand side of the Google search page results as ads?

    You can disable localized search results in Google search settings.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    No, I'm talking about the Google Ads (purely text based) that are placed between search results. And you will clearly see that it's an ad. I assume this is how Google Search makes most of its money. At first I didn't mind them, but then they started to annoy me more and more and turns out they can actually be dangerous.
     
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,596
    Location:
    Flat Earth Matrix
Maybe they have excluded "acceptable" ads? When money talks, defaults go sideways, whether it is AdGuard, Ghostery or Brave.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    I can't duplicate what you stated on Firefox. It might have something to do with the Vivaldi browser you are using.

    Based on the below screen shot, uBO only works with the browsers listed:

[Attachment: uBlock.png]
     
    Last edited: Jan 7, 2023
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I don't think uBlock Origin allows this stuff.

    Perhaps it's indeed related to Vivaldi, but I would find this rather odd. You would think that extensions work exactly the same on all Chromium based browsers. However, there is a bug in uBlock Origin, and that is that when you disable JS, uBlock doesn't display this with the purple color on the blocked ads indicator. Apparently this is only a problem on Vivaldi.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    And you already guessed it, but Google Ads is still being abused to spread malware and to steal passwords, this time they were phishing for Bitwarden credentials.

    https://www.bleepingcomputer.com/ne...aults-targeted-in-google-ads-phishing-attack/

    https://www.ghacks.net/2023/01/28/b...are-being-targeted-by-phishing-ads-on-google/
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
BTW, this one is even more shocking, from a couple of months ago, since this Google Ad will actually show you the official gimp.org website. I don't understand how this is possible. So this couldn't be spotted by simply looking for some dodgy website name.

    https://www.bleepingcomputer.com/ne...ved-info-stealing-malware-via-lookalike-site/
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
This problem is getting out of hand, shame on Google! Hopefully most ad blockers will block these Google Ads, but many people might be tricked by this stuff, and I wouldn't be surprised if many AVs will also fail to detect some of this malware.

    https://arstechnica.com/information...ice-before-using-google-to-download-software/
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Apparently, Google still hasn't fixed this loophole, shame on them! :eek:

    https://www.bleepingcomputer.com/ne...h-bumblebee-malware-used-by-ransomware-gangs/
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    LOL, and here we go again. Google hasn't fixed a thing. That's why it's best to block ads in Google Search.

    https://www.bleepingcomputer.com/ne...ads-abuse-tracking-templates-to-push-malware/
     