Fake Google Ads Used to Spread Malware 

When a company uses the Google Ads platform, it pays to appear at the top of the list when a Google Search is performed, in order to promote its web page. Google Ads often appear before any actual search results, including the official website being searched for. Because the ads look so similar to real results, users can click on them before scrolling further down to see the true search results.

 

For legitimate users, this makes Google Ads a good source of advertising for increasing the number of visitors to a website. However, cyber criminals are now abusing this system to promote copies of legitimate websites that install malware onto your computer when visited. There are a few ways in which these criminals try to trick their victims into clicking on their malicious site instead of the genuine search result, the first of which is known as typosquatting. This is where the cyber criminals choose a website domain name that is very similar to that of the legitimate website they are impersonating, differing by only one or two letters, for example a common typo of the legitimate domain name. This makes it harder to tell a fake website from the real one without inspecting the links carefully.

 

Normally Google would be able to identify a malicious website that is using its Google Ads platform, which would result in the ad campaign being blocked and the ads being removed. Unfortunately, cyber criminals have found a way around this by having the Google Ads direct users to a benign site first when the ad is clicked. As soon as this decoy site is loaded, the user is redirected automatically to the malicious site, where malware is then installed onto the device. When Google checks the ads for any suspicious activity, it is taken to the decoy site, which is safe, and the ad campaign is not removed by moderators.

 

This malicious ad campaign has been identified impersonating many large companies whose websites potential victims search for and access every day. Grammarly, MSI Afterburner, Slack, Dashlane, Audacity, Ring, Visual Studio, Zoom, AnyDesk, Adobe, Discord, and Fortinet are just some of the impersonated websites identified by cybersecurity researchers at Guardio Labs and Trend Micro. Users were tricked into downloading malware from these malicious sites in a bundle with the legitimate software they had gone searching for in the first place. This means that even after a user fell victim to this cyber crime, the installed malware could go unnoticed until it was too late, because the legitimate software was also present.

 

The cyber criminals used reputable file-sharing services such as GitHub and Dropbox to deliver these downloads, which would not be likely to raise a red flag with the antivirus software running on the victim’s computer. This, combined with the fact that the victim had triggered the download on purpose to receive legitimate software, which they do actually end up installing, means the malware would be successfully installed onto the computer. If you regularly install software in this way, you may be able to spot an unusual file size when on a malicious site, because the download is a bundle of the true software and the dangerous malware. However, this is not always easily identified, and not everyone is familiar with what file size to expect for different programs.

 

One way you can check the legitimacy of a download is to use a website directory or the company’s Wikipedia page to find the true web link to be sure you are accessing the correct website. Checking the web domain on the Google Ads links carefully for common misspellings or swapped characters can reveal if typosquatting is being used and help you navigate to the correct site instead. If you visit a particular site regularly to download software or updates to an application you use often, then you could bookmark this legitimate web page in order to avoid the risk of accessing a malicious one in the future. 
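The check for misspellings and swapped characters can be automated. The following is an added example, not part of the original article: it compares a link's domain against a short list of known-good domains using an edit distance that counts an adjacent swap as one edit. The trusted list (official domains of a few brands named above) and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: official domains for a few of the brands named in the article.
TRUSTED = ["grammarly.com", "slack.com", "anydesk.com", "discord.com"]

def hostname(link):
    """Return the lower-case host of a link, without a leading 'www.'."""
    if "//" not in link:
        link = "//" + link  # let urlsplit treat a bare host as a network location
    host = (urlsplit(link).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def osa_distance(a, b):
    """Edit distance where an adjacent swap ('ks' for 'sk') counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(link, trusted=TRUSTED, max_edits=2):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    host = hostname(link)
    for good in trusted:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    # Compare the last two labels so a subdomain of a lookalike is still caught.
    base = ".".join(host.split(".")[-2:])
    for good in trusted:
        if 0 < osa_distance(base, good) <= max_edits:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links, not observed indicators.
    for link in ["https://www.grammarly.com/", "https://gramarly.com/download",
                 "anydeks.com", "https://app.slack.com/", "https://example.org/"]:
        print(link, "->", classify(link))
```

A "lookalike" result is a prompt to stop and verify the link, not proof of malice, and very short domain names will produce false positives at `max_edits=2`.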

 

As is often the case with cyber security, the best defence against attack is a well-educated team that knows how to avoid malicious websites and where to safely access software, especially as these cyber criminals have found a way to get these sorts of malicious downloads past antivirus software checks by using trusted file-sharing platforms. Fake Google Ads are just one of the ways your team can be tricked into putting your business at risk. Cyber Coach provides Security Awareness Training and managed Cyber Security services for our clients, turning your team from a security risk into a security asset. Learn more with a free consultation with one of our experts today.

 

For further help in managing cyber defences, consider Cool Waters Managed Cyber Team. The Managed Cyber Team provides a dedicated team of experts for less than the price of one full time employee to proactively manage your cyber security on a day-to-day basis. We look after your cyber security so you can look after your business. For a free review of your cyber defences, click here to arrange a call with one of our consultants:  https://www.cool-waters.co.uk/lets-talk  

 
