Fake Google Authenticator Sites Exploit Google Ads To Deliver Malware

Researchers have spotted a new malware campaign where the hackers exploit Google Ads to sponsor fake Google Authenticator sites. Users must remain wary of any sponsored links appearing in the search results, particularly when looking for software download websites.

Fake Google Authenticator Sites Deliver Malware

In this campaign, the hackers pushed fake ads via Google Ads on search engine results pages to trick users.

As explained, the ad that caught the researchers' attention displayed the site “google.com” under the heading “Sponsored” among the search results for Google Authenticator. While the site’s name and URL looked legitimate, the meta description looked different, and the specific mention of “Official Website” at the beginning was enough to raise the alarm.

Investigating the advertisement revealed that it had been placed by an advertiser named “Larry Marr”, who had no link to Google. Moreover, clicking on the ad redirected the user through numerous intermediary links before arriving at the final phishing web page.

Again, the phishing site’s domain “chromeweb-authenticators.com” and an eerily similar webpage layout were enough to alert a savvy user of the phishing attempt. However, an average user or someone in a hurry to download Google Authenticator might not notice these signs and would download the malware.
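The signs described above (a display URL that does not match the landing page, a chain of redirect hops, a lookalike domain built from brand words, and an “Official Website” lure in the description) can be checked mechanically. The following Python script is an added example, not code from the article or the researchers; the redirect chain and intermediary hosts are constructed, and only google.com and chromeweb-authenticators.com come from the article.

```python
"""Heuristic review of a sponsored search result: does the display URL
match where a click actually lands, and does the landing domain merely
look like the brand?  Added example; the sample ad below is constructed."""
from urllib.parse import urlsplit

# Constructed sample: what the sponsored result showed and the hops a click
# went through.  The *.example hosts are placeholders; the display URL and
# final domain are the ones named in the article.
SAMPLE_AD = {
    "display_url": "https://google.com",
    "description": "Official Website - Download Google Authenticator",
    "redirect_chain": [
        "https://tracker.example/click?id=1",
        "https://cdn-redirect.example/go",
        "https://chromeweb-authenticators.com/download",
    ],
}

# Brand words a lookalike domain is likely to reuse (assumed list).
BRAND_TOKENS = ("google", "authenticator", "chrome")


def registered_domain(url: str) -> str:
    """Crude eTLD+1: the last two labels of the host (fine for .com names)."""
    host = urlsplit(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def same_org(a: str, b: str) -> bool:
    """True when two URLs share a registered domain."""
    return registered_domain(a) == registered_domain(b)


def lookalike_score(domain: str, tokens=BRAND_TOKENS) -> int:
    """Count brand words embedded in the domain's first label."""
    name = domain.split(".")[0]
    return sum(1 for t in tokens if t in name)


def assess_ad(ad: dict) -> dict:
    """Return the landing domain, a list of findings, and an overall verdict."""
    final = ad["redirect_chain"][-1]
    landing = registered_domain(final)
    findings = []
    if not same_org(ad["display_url"], final):
        findings.append("display URL and landing domain differ")
    if len(ad["redirect_chain"]) > 1:
        findings.append(f"{len(ad['redirect_chain'])} redirect hops before landing page")
    if landing != registered_domain(ad["display_url"]) and lookalike_score(landing) > 0:
        findings.append(f"landing domain {landing} reuses brand words")
    if "official" in ad["description"].lower():
        findings.append("description asserts 'official', a common lure phrase")
    return {"landing_domain": landing, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = assess_ad(SAMPLE_AD)
    for finding in result["findings"]:
        print("-", finding)
    print("suspicious:", result["suspicious"])
```

Run against the constructed ad, all four checks fire; against a result whose display URL and landing page share a registered domain with no redirects, none do. The domain parsing is deliberately crude (two labels), so multi-part public suffixes such as co.uk would need a proper public-suffix list in production.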

Regarding the malware, the researchers noticed the campaign distributing DeerStealer (Spyware.DeerStealer).

Not The First DeerStealer Campaign

A similar malicious campaign first caught the attention of sandbox maker AnyRun, which shared the details about DeerStealer in its post. Despite differences in execution, these two campaigns distribute the same malware, which indicates a possible link between the attackers.

Regarding the malware, AnyRun identified DeerStealer as a spin-off of Xfiles, another potent stealer written in C. However, they also noticed some differences between the two. While Xfiles used the .NET platform, “DeerStealer is written in a language that compiles to machine code”. Likewise, Xfiles sends the stolen data to its C&C in a single POST request, whereas DeerStealer sends the HWID first and waits for the server’s response before sending the stolen data.
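The two exfiltration styles contrasted above leave different traces in web proxy logs: a single large POST versus a tiny check-in POST, a server reply, and then a large POST to the same host shortly after. The script below is an added example (not from the article, AnyRun, or the researchers) that flags client/host pairs showing the two-stage pattern. The log lines, hosts, and size and time thresholds are all constructed assumptions for illustration; a real deployment would tune them and expect some benign software updaters to match.

```python
"""Two-stage POST heuristic over proxy logs.  Flags a small POST followed,
within a short window, by a large POST from the same client to the same
host.  Added example; the log below is constructed and hosts are placeholders."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp client method host request_bytes status
SAMPLE_LOG = """\
2024-08-06T10:00:01Z 10.0.0.5 POST c2-placeholder.example 96 200
2024-08-06T10:00:03Z 10.0.0.5 POST c2-placeholder.example 48213 200
2024-08-06T10:00:09Z 10.0.0.7 POST update.example 120 200
2024-08-06T10:05:00Z 10.0.0.7 POST update.example 130 200
2024-08-06T10:01:00Z 10.0.0.9 POST single-shot.example 51000 200
"""

SMALL_MAX = 512      # bytes: an identifier check-in is tiny (assumed threshold)
LARGE_MIN = 10_000   # bytes: a credential/cookie dump is not (assumed threshold)
WINDOW_S = 60        # seconds: second POST must follow within this window (assumed)


def parse(log: str):
    """Yield one dict per log line."""
    for line in log.splitlines():
        ts, client, method, host, size, status = line.split()
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "host": host,
            "size": int(size),
            "status": int(status),
        }


def find_two_stage_posts(log: str) -> list:
    """Return one hit per (client, host) pair showing small-then-large POSTs."""
    by_pair = defaultdict(list)
    for rec in parse(log):
        if rec["method"] == "POST":
            by_pair[(rec["client"], rec["host"])].append(rec)
    hits = []
    for (client, host), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        for first, second in zip(recs, recs[1:]):
            gap = (second["ts"] - first["ts"]).total_seconds()
            # The first POST must have been answered (status 200) before the
            # large one goes out, matching the "wait for the server" behaviour.
            if (first["size"] <= SMALL_MAX and first["status"] == 200
                    and second["size"] >= LARGE_MIN and 0 <= gap <= WINDOW_S):
                hits.append({"client": client, "host": host, "gap_s": gap,
                             "checkin_bytes": first["size"],
                             "payload_bytes": second["size"]})
    return hits


if __name__ == "__main__":
    for hit in find_two_stage_posts(SAMPLE_LOG):
        print(hit)
```

On the constructed log only the 10.0.0.5 pair matches: the updater traffic to update.example is two small POSTs minutes apart, and the single large POST to single-shot.example has no preceding check-in, so the single-request style would need a separate size-based rule.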

This campaign isn’t the first instance of Google Ads abuse. However, it reiterates the importance of vigilance when interacting with websites, including those appearing in Google search results. Users must also equip their devices with antimalware solutions to prevent potential threats.

Let us know your thoughts in the comments.


1 comment

KING August 6, 2024 - 1:30 pm
Possible?
