In the past few days, scammers managed to impersonate Google on Google Ads and push malicious ads that lead to malware which steals data from your computer. According to Malwarebytes Principal Threat Researcher Jerome Segura, “If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer.”
How did this happen?
A form of malvertising that we have seen over and over again is brand impersonation: scammers and exploiters pay for ad placements that impersonate well-known brands, going as far as showing the official website URL in the ad snippet, as happened with Amazon almost a year ago.
This time, however, the exploiters impersonated Google itself and used one of its most widely used applications, Google Authenticator, to get users to download the malware and have their data stolen.
How did the exploiters pull that off?
Malwarebytes traced the ad to an advertiser account under the name Larry Marr in the United States. The account has no connection to Google and appears to be fake, yet it still passed Google's advertiser verification. That is a serious problem for Google, as it means the verification badge no longer guarantees that an ad is safe for users.
Furthermore, if you check the network traffic log on your computer, you will see a whole series of redirects before you reach the fake download website.
As the traffic log shows, the ad redirects through several different domains controlled by the exploiter before reaching the fake download page. After the download page comes a series of GitHub redirects, which is how the exploiter slipped the malware past detection: hosting the file on GitHub means it is served from a trusted cloud source, and under normal circumstances a download from there would go unnoticed, which is exactly what happened in this case.

GitHub being a trustworthy host for repositories does not mean the repositories themselves are free of harmful files, as anyone with a GitHub account can upload to the platform. That is exactly what the exploiter did here, using a fake account by the name of Authe-gogle, which created a repository named Authgg containing the download file Authenticator.exe. The file is no longer available, as both the account and the repository have been removed.
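The redirect chain and GitHub-hosted executable described above are the kind of pattern a proxy or endpoint log review can flag. The following is an added example, not code from the original article or from Malwarebytes: it walks a constructed click chain (the sample URLs, tracker domains and thresholds are assumptions modelled on the incident) and reports why it looks like brand-impersonation malvertising.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample modelled on the chain described above; not captured traffic.
SAMPLE_CHAIN = [
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=CONSTRUCTED",
    "https://click.tracker-one.example/r?id=42",
    "https://go.tracker-two.example/land",
    "https://authenticator-download.example/google/authenticator",
    "https://github.com/Authe-gogle/Authgg/releases/download/v1.0/Authenticator.exe",
]
CODE_HOSTS = {"github.com", "objects.githubusercontent.com", "raw.githubusercontent.com"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".ps1", ".js")


def registrable(host):
    """Crude registrable domain (last two labels); a real tool should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike(name, brand, threshold=0.6):
    """True when an account or repository name resembles the brand once separators are stripped."""
    cleaned = name.lower().replace("-", "").replace("_", "")
    return SequenceMatcher(None, brand.lower(), cleaned).ratio() >= threshold


def analyse_chain(chain, displayed_domain, brand_keyword, max_hops=2):
    """Return findings explaining why a click chain looks like brand-impersonation malvertising."""
    findings = []
    hosts = [urlparse(u).hostname or "" for u in chain]
    hops = len(chain) - 1
    if hops > max_hops:  # cloaked malvertising typically bounces through several trackers
        findings.append(f"long redirect chain ({hops} hops)")
    brand_domain = registrable(displayed_domain)
    if brand_domain not in {registrable(h) for h in hosts[1:]}:  # the ad showed the brand's URL
        findings.append(f"no hop after the ad lands on the displayed domain {brand_domain}")
    final = urlparse(chain[-1])
    final_host = (final.hostname or "").lower()
    if final_host in CODE_HOSTS and final.path.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append(f"executable served from code host {final_host}")
        for seg in final.path.strip("/").split("/")[:2]:  # account and repository names
            if lookalike(seg, brand_keyword):
                findings.append(f"lookalike name '{seg}' on {final_host}")
    return findings


if __name__ == "__main__":
    for line in analyse_chain(SAMPLE_CHAIN, "google.com", "google"):
        print("FINDING:", line)
```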
Prevention measures:
Thankfully the ad has now been removed and is no longer a threat, but users need to know how to stay safe from future campaigns of this kind.
First, always download software from the official website rather than from ads, because, as we have seen, ads can and will impersonate official brands and corporations. Second, always check the files you download before running them or granting them access to your device, and use anti-malware software.
And as always, stay tuned for more news here at Techexposed.