Malvertising campaigns abusing Google Ads are on the rise. While the technique of convincing internet users to download malware by clicking on seemingly legitimate adverts is not new, its popularity has spiked as malware has grown more sophisticated and the credentials it harvests have become more valuable. Security experts say caution should be exercised when clicking on the adverts shown at the top of Google search results.
Google Ads are being targeted by a growing number of malvertising campaigns (Photo by PixieMe/Shutterstock)
Cybercriminals are currently spreading malware through numerous copycat advertisements on Google. On Monday Tech Monitor reported on how Rhadamanthys malware was being spread through fake adverts for OBS, free streaming and recording software used by streamers. Since then several other ongoing malvertising campaigns have been spotted by security researchers, using spoofed adverts for products including AnyDesk, a remote access tool used by IT teams to troubleshoot user issues remotely.
The consequences of successful attacks can be severe. A Twitter user going by the handle @NFTGod claims to have lost a “life altering” amount of money through an “instantly violating and final” attack, after clicking on a malicious phishing link while trying to download OBS.
Ongoing malvertising campaign reaches top of Google
The hackers appear to be using a combination of advertisement hijacking and SEO poisoning, in which criminals manipulate the keywords and search engine optimisation of their adverts and landing pages so that their listings appear above the genuine vendor at the top of the Google search page.
When a user clicks the fake advert they land on a spoofed download page, and the installer they receive carries the criminals' malware instead of, or alongside, the program they expected. With increasingly sophisticated software now offered for sale as malware-as-a-service at relatively low prices, low-skilled hackers can steal valuable credentials and sell them on dark web marketplaces.
“As far as malvertising goes, the methodology is not new or uncommon but the uptick in sophistication of payload is making it more popular,” says Brian Higgins, security specialist at Comparitech.
The brands impersonated in these malvertising campaigns are usually those that provide free tools used by businesses. Big brands can also be targeted, with YouTube having been used in malvertising campaigns in the past. When dealing with sites like YouTube, hackers may add another layer of obfuscation, such as domain cloaking, where the landing page shows harmless content to Google's ad reviewers and crawlers but sends real visitors on to the malicious download, in order to increase the chance of luring in a victim.
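The spoofed adverts for OBS and AnyDesk described above, and the impersonated brands discussed in the previous paragraph, all depend on a landing domain that looks like the vendor's but is not. The following Python check is an added example, not code from the article, from Tech Monitor or from any vendor it names: a defender can run it over the landing URLs behind sponsored results (from a proxy log or a browser extension) to flag lookalike domains before a user reaches the download page. The allow-list of official domains, the homoglyph table and the sample URLs are constructed for illustration, and the domain parsing is deliberately naive (it treats the last two labels as the registrable domain, so multi-part suffixes such as co.uk are not handled).

```python
"""Flag advert landing-page domains that impersonate a legitimate vendor.

Added example for this article; not code from the article or from OBS, AnyDesk
or Google. The allow-list, homoglyph table and sample URLs are constructed.
"""
from urllib.parse import urlparse

# Constructed allow-list: the official domains of the products named in the article.
LEGIT_DOMAINS = {
    "obsproject.com": "OBS Studio",
    "anydesk.com": "AnyDesk",
}

# Characters attackers substitute for Latin letters (illustrative subset, an assumption):
# digits that resemble letters, plus Cyrillic letters that are visually identical.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the host (ignores suffixes such as co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> dict:
    """Return a verdict for the landing URL behind an advert.

    verdict is 'legit' (on the allow-list), 'lookalike' (resembles an allow-listed
    brand) or 'unknown' (no resemblance; needs a human or another signal).
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return {"domain": domain, "verdict": "legit",
                "brand": LEGIT_DOMAINS[domain], "reason": "official domain"}

    folded = domain.translate(HOMOGLYPHS)      # fold confusables to plain Latin
    folded_sld = folded.split(".")[0]          # second-level label, e.g. "obsproject"
    folded_host = host.translate(HOMOGLYPHS)
    for legit, brand in LEGIT_DOMAINS.items():
        legit_sld = legit.split(".")[0]
        hit = {"domain": domain, "verdict": "lookalike", "brand": brand}
        if folded == legit:
            return {**hit, "reason": "homoglyph substitution"}
        if folded_sld == legit_sld:
            return {**hit, "reason": "brand name under a different TLD"}
        if legit_sld in folded_host:
            # e.g. obsproject.com.downloads-mirror.net or anydesk-remote-tool.xyz
            return {**hit, "reason": "brand name embedded in an unrelated domain"}
        if levenshtein(folded_sld, legit_sld) <= 1:
            return {**hit, "reason": "typosquat (edit distance 1)"}
    return {"domain": domain, "verdict": "unknown", "brand": None,
            "reason": "not on allow-list, no resemblance to a listed brand"}


# Constructed sample landing URLs (not real campaign domains).
SAMPLE_ADS = [
    "https://obsproject.com/download",
    "https://www.anydesk.com/en",
    "https://0bsproject.com/download",
    "https://\u0430nydesk.com/",                       # Cyrillic 'а' in place of Latin 'a'
    "https://anydesk.co/download",
    "https://obsproject.com.downloads-mirror.net/obs",
    "https://anydeck.com/install",
    "https://example.org/",
]

if __name__ == "__main__":
    for ad in SAMPLE_ADS:
        r = classify(ad)
        print(f"{r['verdict']:9} {r['domain']:35} {r['reason']}")
```

Only the 'legit' verdict is a green light; 'lookalike' should block the click and raise an alert, and 'unknown' is a prompt for a second signal (domain age, certificate history, whether the download is signed by the expected publisher) rather than a pass. Extend the allow-list with every brand your staff actually download, since the check can only recognise impersonation of domains it knows.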
Research from ad-tech company PubLift claims one in every 100 adverts online is smuggling malicious content. “Legitimate websites need to stay on top of the threats on both the supply and demand side in order to counter these potentially crippling malvertising attacks,” the report says.
Stolen credentials are increasing in value, making malvertising more appealing for criminals. A report by Accenture's cyber threat intelligence team explains that one popular credentials marketplace, Russian Market, was selling victim data at an average of $10 per log, a log being the bundle of passwords, session cookies and other browser data lifted from a single infected machine. The total number of logs for sale on the market rose by nearly 40%, from approximately 3.3 million to 4.5 million, between July and October 2022.
Are Google Ads trustworthy?
The growing complexity of malware will continue to drive the trend, says Higgins. “The fact that some off-the-shelf code can harvest so much information from its victims is incredibly attractive to cybercriminals because they don’t have to do any of the heavy lifting,” he says. “Criminal opportunities like installing executable code and harvesting crypto credentials are going to see this trend continue to grow.”
But Google is likely to take action to stop cybercriminals hijacking the top of its search page for their malvertising campaigns, says Javaad Malik, lead security awareness advocate at KnowBe4. “The world of cyber is very much a cat and mouse game,” he says. “As one door closes, criminals will look to exploit another avenue. So it is likely that Google will move quickly to close this loophole that is being used to push malware-laced ads.”
Tech Monitor has approached Google for comment; the company had not responded at the time of writing.