In a concerning development, threat actors have exploited Google’s ad platform to promote fake Google Authenticator ads, which are actually distributing the DeerStealer information-stealing malware. This tactic is part of a broader pattern known as "malvertising," where malicious ads are used to impersonate well-known software and trick users into downloading malware.
The Threat of Malvertising
Malvertising has been a persistent issue on Google's search platform for years, allowing cybercriminals to pose as legitimate software providers. They strategically place ads that appear trustworthy, often by using official-sounding domain names and URLs to lure users into a false sense of security. A recent campaign discovered by Malwarebytes shows that this threat is still very active, with attackers creating ads that mimic the Google Authenticator, a widely used two-factor authentication tool.
How the Fake Ads Work
One of the key tactics employed by these threat actors is URL cloaking, in which the address shown on the ad differs from where the click actually leads, making their ads appear even more convincing. The ads display "google.com" and "https://www.google.com" as the click URL, which should be a clear warning sign since third-party advertisements should not be able to use Google’s official domains. This strategy has been previously used in campaigns against KeePass, Arc Browser, YouTube, and Amazon, highlighting a recurring issue that Google has yet to fully address.
Despite Google's efforts to verify advertisers, this loophole is still being exploited. Threat actors can create ads that pass Google's verification process by evading detection through tactics like creating thousands of accounts simultaneously and using text manipulation and cloaking techniques to deceive reviewers and automated systems.
Google's Response to the Threat
Upon being informed of this malvertising campaign by Malwarebytes, Google took immediate action by blocking the reported fake advertiser. However, when questioned about how these malicious ads continue to slip through the cracks, Google explained that the attackers are constantly evolving their tactics to avoid detection. They employ sophisticated methods to bypass security checks, making it challenging for Google's systems to catch every instance of malvertising.
In response, Google has increased the scale of its automated systems and human reviewers to better detect and remove these malicious campaigns. In 2023 alone, Google removed 3.4 billion ads, restricted over 5.7 billion ads, and suspended over 5.6 million advertiser accounts in an effort to combat this growing threat.
Anatomy of a Fake Google Authenticator Site
When unsuspecting users click on these fake Google Authenticator ads, they are redirected through a series of websites that ultimately lead to a landing page at "chromeweb-authenticators.com." This site mimics a genuine Google portal, further deceiving users into thinking they are downloading legitimate software.
Malware analysis sandbox firm ANY.RUN has also observed this campaign, identifying additional fraudulent domains such as authenticcator-descktop[.]com, chromstore-authentificator[.]com, and authentificator-gogle[.]com. These sites use subtle misspellings and variations of authentic software names to trick users.
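As an added illustration (not code from the article, Malwarebytes or ANY.RUN), the following Python check refangs the indicators listed above and flags registrable names whose hyphen- or dot-separated fragments are exact or near-miss spellings of brand words; the brand list, the allowlist and the edit-distance threshold are assumptions made for this example.

```python
import re

# Brand words this campaign imitates and the one registrable domain allowed to
# carry them (both are assumptions for this example, not from the article).
BRAND_TOKENS = ("google", "authenticator", "chrome")
ALLOWED_DOMAINS = {"google.com"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'evil[.]com' back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_tokens(domain: str, max_dist: int = 2) -> list:
    """Return (token, brand, distance) for every '-'/'.'-separated fragment of
    the name that is within max_dist edits of a brand word (0 = exact reuse).
    Hosts under an allowlisted registrable domain return []."""
    labels = refang(domain).split(".")
    if ".".join(labels[-2:]) in ALLOWED_DOMAINS:   # naive: no public-suffix list
        return []
    hits = []
    for token in re.split(r"[-.]", ".".join(labels[:-1])):
        for brand in BRAND_TOKENS:
            dist = levenshtein(token, brand)
            # A coarse threshold; short tokens can false-positive against 'chrome'.
            if token and dist <= max_dist:
                hits.append((token, brand, dist))
    return hits

def scan(domains) -> dict:
    """Map each indicator to its lookalike hits; an empty list means clean."""
    return {d: lookalike_tokens(d) for d in domains}

# Constructed sample: the domains named in the article plus one legitimate host.
SAMPLE = ["chromeweb-authenticators.com", "authenticcator-descktop[.]com",
          "chromstore-authentificator[.]com", "authentificator-gogle[.]com",
          "accounts.google.com"]

if __name__ == "__main__":
    for dom, hits in scan(SAMPLE).items():
        print(("SUSPECT " if hits else "ok      ") + dom, hits)
```

Such a check is only a triage aid: it catches the misspelling pattern this campaign relies on, but a lookalike with a low edit score or a different brand word still needs allowlisting and registration-age data to judge.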
The Malware Delivery Mechanism
The deception doesn’t end with the fake website. Once users click the 'Download Authenticator' button, they are prompted to download a signed executable named "Authenticator.exe" hosted on GitHub. This file is associated with a repository titled 'authgg' by a user named 'authe-gogle,' all carefully designed to align with the campaign's theme.
The downloaded executable is often signed with a valid code-signing certificate issued to names such as 'Songyuan Meiying Electronic Products Co., Ltd.' or 'Reedcode Ltd.,' which gives the file a veneer of legitimacy. Because Windows treats a validly signed file as coming from an identified publisher, the signature can keep the usual untrusted-file warnings from appearing, allowing the malware to run without alerting the user.
Upon execution, the malware, known as DeerStealer, goes to work stealing sensitive information such as credentials, cookies, and other data stored in the user's web browser.
How to Protect Yourself
As this threat highlights, users must be vigilant when downloading software, especially from search engine ads. Here are some recommendations to protect yourself:
Avoid Clicking on Promoted Results: Be cautious of clicking on ads in search results. They may not always be safe, even if they appear legitimate.
Use an Ad Blocker: Consider using an ad blocker to reduce the risk of encountering malicious ads.
Bookmark Trusted URLs: Instead of searching for software each time, bookmark the official websites of the software you frequently use.
Verify URLs: Before downloading, double-check that the URL matches the official domain of the software provider.
Scan Downloads: Always scan downloaded files with an up-to-date antivirus tool before running them on your device.
To Sum Up
The rise of malvertising campaigns targeting popular software like Google Authenticator is a stark reminder of the evolving tactics used by cybercriminals. While companies like Google are working to enhance their detection systems, users must take proactive steps to protect themselves from falling victim to these scams. By following best practices and staying informed about the latest threats, you can safeguard your data and maintain your digital security.