Phishing links and malware are a familiar threat to anyone who browses the internet. Still, sophisticated attacks can catch even the most security-minded users off guard. And nothing’s more sophisticated than impersonating Google on Google’s own platform.
Upon clicking the ad, victims were met with a convincing clone of the Google Authenticator website with the URL “www.chromeweb-authenticators.com.” Pressing the prominent “Download Authenticator” button on this website triggered a download for “Authenticator.exe,” an executable hosted on GitHub and signed by a developer. The source of this executable, plus the fact that it was signed, meant that there was no scrutiny from victims' web browsers or Windows Defender antivirus.
The executable was actually an info-stealer malware called DeerStealer. Malwarebytes caught wind of the malicious advertising campaign and promptly contacted Google, which removed the offending ad from its platform.
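The attack chain described above has two properties a defender can key on: the landing page sat on a brand-lookalike domain, while the executable itself was served from a reputable host (GitHub) and was code-signed, so neither a domain allowlist nor a signature check alone would have caught it. The following script, added here as an illustration and not code from the article, Malwarebytes, or Google, runs that logic over web-proxy log lines. The log lines, the allowlist of legitimate Google domains, and the GitHub repository path are constructed for the example; the only real value is the lookalike domain the article names.

```python
"""Flag brand-lookalike hosts in proxy logs, escalating executable downloads.

Log format (constructed for this example): timestamp, client IP, requested
URL, referer ("-" when absent), separated by spaces.
"""
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains genuinely operated by Google.
LEGIT_DOMAINS = {"google.com", "withgoogle.com", "goo.gl"}

# Brand terms whose presence in a non-allowlisted hostname is suspicious.
BRAND_TERMS = ("google", "authenticator", "chrome")

# Download extensions that raise severity when tied to a lookalike host.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".ps1")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification for the example: production code should consult a
    public-suffix list so that hosts under e.g. '.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> dict:
    """Classify a URL's host as 'legit', 'lookalike', or 'other'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        verdict = "legit"
    elif any(term in host for term in BRAND_TERMS):
        verdict = "lookalike"
    else:
        verdict = "other"
    return {
        "host": host,
        "registrable": reg,
        "verdict": verdict,
        "executable": parts.path.lower().endswith(EXECUTABLE_SUFFIXES),
    }


def scan_log(lines):
    """Return (severity, host, url) alerts.

    medium: any request to a lookalike host.
    high:   an executable download whose own host or referer is a lookalike,
            which catches a trusted host (GitHub) reached via a fake page.
    """
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the scan
        url, referer = fields[2], fields[3]
        info = classify_url(url)
        ref_info = classify_url(referer) if referer != "-" else None
        ref_lookalike = ref_info is not None and ref_info["verdict"] == "lookalike"

        if info["executable"] and (info["verdict"] == "lookalike" or ref_lookalike):
            alerts.append(("high", info["host"], url))
        elif info["verdict"] == "lookalike":
            alerts.append(("medium", info["host"], url))
    return alerts


# Constructed sample log; the GitHub owner/repo path is a placeholder.
SAMPLE_LOG = [
    "2024-07-31T10:00:01Z 10.0.0.5 https://support.google.com/accounts -",
    "2024-07-31T10:00:05Z 10.0.0.5 https://www.chromeweb-authenticators.com/ https://www.google.com/search",
    "2024-07-31T10:00:09Z 10.0.0.5 https://github.com/example-account/example-repo/releases/download/v1/Authenticator.exe https://www.chromeweb-authenticators.com/",
    "2024-07-31T10:01:00Z 10.0.0.7 https://example.org/news -",
]

if __name__ == "__main__":
    for severity, host, url in scan_log(SAMPLE_LOG):
        print(f"[{severity}] {host}: {url}")
```

The second alert is the important one: `github.com` passes any reputation or allowlist check on its own, and the binary's code signature would too. Only correlating the download with the lookalike referer surfaces it, which is why the script treats the referer as part of the download's provenance.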
As for how this happened—well, it’s really quite simple. Google accidentally sold ad space to hackers. In a conversation with Bleeping Computer, the company said that hackers bypassed human and automated quality control systems by “using text manipulation and cloaking to show … different websites than a regular visitor would see.”
In this case, victims were searching for a Google product on a Google website. They found an ad for the product and clicked it, because why wouldn’t they?
This isn’t the first time that Google’s advertising platform has been utilized for malware distribution or phishing. In fact, fighting malware has been a decades-long struggle for Google, and it will inevitably continue to be a struggle in the future. (This is despite the fact that, historically speaking, Google is the most proactive in removing malware from its ad platform and search engine.)