Researchers have found a new malware campaign active in the wild that abuses legitimate Google Ads to spread its infection. Users browsing without ad blockers are more vulnerable to malware attacks.
Malware Campaign Exploiting Legit Google Ads
According to a recent post from Guardio, their researchers have caught a new malware campaign exploiting Google Ads.
Identified as “MasquerAds,” this campaign abuses the credibility of advertisements for reputable services to trick potential victims. To do so, the attackers typically impersonate ads for platforms such as Grammarly, Slack, Zoom, Dashlane, Malwarebytes, and others. The diversity of the targeted businesses also shows the campaign’s broad range of potential victims.
Briefly, the attackers behind this malware campaign create fake websites of popular businesses and promote them in the search results. So, when a user searches for that website, the attackers’ phishing web page will likely appear first, luring the user into clicking on it.
The promoted web pages that appear on search engine results pages (SERPs) look harmless on their own, but they later redirect the visitor to rogue websites. That’s how the attackers stay under the radar without slowing down the campaign.
The rogue websites deliver a payload that is hidden on legitimate file-sharing services, such as GitHub and Dropbox.
According to the researchers, most of the malware’s sites and domains link back to Russia while targeting victims from the US.
These campaigns have been active in the wild for quite some time, delivering various malware. For instance, the researchers found this technique spreading Raccoon stealer malware via Grammarly “masquerAds.” Likewise, another malicious campaign targeted GPU hardware by impersonating ads of graphics and gaming-related tools and software, such as the MSI Afterburner graphics card tool.
Beware Of This Potent Malware Campaign
Given the simplicity of this malicious campaign, the onus of preventing these malware attacks falls on the users alone.
Essentially, users “googling” for various products must remain very careful when opening any website appearing in the search results. More specifically, users must avoid clicking on promoted site links since that’s where the attackers may hide. Likewise, avoiding websites with typosquatted domains can also help prevent threats.
Furthermore, users must secure their web browsers with robust ad blockers that could prevent unnecessary ads from appearing in the search results.
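The advice above about typosquatted domains can be checked mechanically before following a promoted link. The sketch below is an added example, not code from Guardio or from the original article; the allow-list of official domains, the `classify` helper, its edit-distance threshold and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Official domains of the brands the article names (allow-list assumed for this example).
OFFICIAL = ("dashlane.com", "grammarly.com", "malwarebytes.com", "slack.com", "zoom.us")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(url_or_host):
    """Naive registrable domain: last two labels of the host (no public suffix list)."""
    host = urlsplit(url_or_host).hostname if "//" in url_or_host else url_or_host
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(url_or_host):
    """Return (verdict, brand_domain); verdict is 'official', 'lookalike' or 'unknown'."""
    domain = registrable(url_or_host)
    if domain in OFFICIAL:
        return ("official", domain)
    label = domain.split(".")[0]
    for official in OFFICIAL:
        brand = official.split(".")[0]
        # Brand embedded in another name (brand-download) or same name on another TLD.
        if brand in label:
            return ("lookalike", official)
        # Near-miss spelling; longer brand names tolerate more edits.
        if edit_distance(label, brand) <= len(brand) // 4:
            return ("lookalike", official)
    return ("unknown", None)

# Constructed sample destinations (not taken from the article).
SAMPLES = [
    "https://www.grammarly.com/download",
    "https://grammartly.example/",
    "https://zoom-download.example/setup",
    "https://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", classify(url))
```

A "lookalike" result is a prompt for manual review rather than a verdict, since unrelated names that merely contain a brand string will also match.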