Google has faced a serious security problem with its advertising platform. Attackers are creating fake Google Authenticator ads that actually distribute DeerStealer malware that can steal users’ confidential information.
This malicious ad campaign, detected by Malwarebytes, is particularly dangerous because it exploits users’ trust in the Google brand. The attackers create ads that appear when users search for Google Authenticator and include the official google.com domain as the URL to go to.
To create convincing ads, hackers use URL masking techniques and create thousands of accounts simultaneously. Attackers use text manipulation and masking techniques to show different websites to verification systems and ordinary users.
In response to a request BleepingComputer Google said it has already blocked the fake advertiser reported by Malwarebytes. Google also notes that it is strengthening the work of automated systems and increasing the number of human reviewers to identify and remove such malicious campaigns.
When users click on fake ads, they are taken to websites that mimic the official Google portal. These domains include chromeweb-authenticators.com, authenticcator-descktop.com, and others. These sites offer to download the alleged Google Authenticator, but in fact, the user receives malware.
The downloaded file is digitally signed, which gives it additional credibility and helps to bypass Windows security systems. When it runs, it activates DeerStealer — a malicious program that steals passwords, cookies, and other confidential information from users’ web browsers.
Cybersecurity experts advise users to be careful when downloading programs. They should avoid clicking on advertising links on Google, use ad blockers, and check website URLs before downloading files. It is also recommended to scan all downloaded files with an antivirus before opening them.
Source: Bleepingcomputer