Hackers use Google search advertising to spread malware

Published January 19, 2023
Author: Ash Khan

Hackers are creating bogus websites for popular free and open-source software to push harmful downloads through Google ads search results.

A user has claimed that hackers stole his crypto assets and took over his professional and personal accounts through this campaign.

Alex, a crypto influencer known as NFT God on social media, was hacked after running a bogus executable. He had downloaded what he believed was the Open Broadcaster Software (OBS) video recording and live streaming software from a Google search results ad.

Alex tweeted about his weekend encounter, saying that nothing appeared to happen when he clicked the EXE. A few hours later, however, his friends informed him that his Twitter account had been hacked.

Alex had no idea that the executable was most likely information-stealing malware, which harvests stored browser passwords, cookies, Discord tokens, and cryptocurrency wallets and transfers them to a remote attacker.

Later, Alex discovered that his OpenSea NFT marketplace account had also been hacked: another wallet was displayed as the owner of one of his digital assets.

Alex soon learned that his Substack, Google Workspace email, Discord, and bitcoin wallets were all in the hands of the hackers.

While this is not a novel strategy, threat actors appear to be employing it more frequently. BleepingComputer reported a large attack that used more than 200 typosquatting domains impersonating over two dozen companies to deceive users.

The method of dissemination was unknown at the time. Additional findings from cybersecurity firms later indicated that hackers were leveraging the Google Ads infrastructure to promote harmful files in search results.

Barrage of fraudulent ads in Google search results

Following the thread started by NFT God, BleepingComputer performed its own investigation and discovered that OBS is among the applications that hackers imitate to promote harmful files through Google ads.

A Google Ads search result for Rufus, a free application for creating bootable USB flash drives, is another example.

The hackers registered domains that look like the real ones and then cloned most of the authentic site, up to and including the download area.

They also used the generic TLD "pro" to pique victims' curiosity and lure them with the promise of an advanced set of software features.

Note that Rufus has no advanced edition. There is just one version, available on GitHub as either an installer or a portable build.

The malicious version's download is routed through a file transfer service. Because the file is an archive bomb, many antivirus engines do not recognize it as a threat.

Notepad++, a text and source code editor, is another commonly impersonated application. The threat actor used typosquatting to construct a domain that looked nearly identical to the official developer's.

A security researcher discovered that phony Notepad++ downloads in the sponsored section of Google search results were reachable via additional URLs. All of the files are flagged as malicious by several antivirus (AV) engines on the VirusTotal scanning platform.

BleepingComputer has also discovered a website full of bogus software downloads delivered purely through Google Ads search results. The website impersonates Zensoft Tech, which appears to be a legitimate web design business in India.

Typosquatted URL

It has not yet been confirmed that the downloads are malicious. However, the domain is a typosquatted URL, the site prevents search engines from indexing its content, and the downloads are promoted solely through ads in search results. Together, these are a strong indication of malicious activity.
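The three signals above (a lookalike of a known software brand, a site that blocks indexing, and reliance on ads for traffic) can be turned into a simple triage check. The following is an added example, not code from the article or from BleepingComputer; the list of official hosts, the edit-distance threshold, and the constructed robots.txt and HTML inputs are assumptions.

```python
# Added example: score a download URL the way the article's investigation did.
# KNOWN_BRANDS maps a brand string to its assumed official download host.
import re
from urllib.parse import urlsplit

KNOWN_BRANDS = {
    "rufus": "rufus.ie",
    "notepad-plus-plus": "notepad-plus-plus.org",
    "obsproject": "obsproject.com",
    "ccleaner": "ccleaner.com",
    "blender": "blender.org",
}

def levenshtein(a, b):
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host):
    """Return the brand a hostname imitates, or None if it is official or unrelated."""
    host = host.lower()
    for official in KNOWN_BRANDS.values():
        if host == official or host.endswith("." + official):
            return None  # the real site, or a subdomain of it
    # Naive registrable label: the label left of the TLD (rufus.pro -> "rufus").
    second_level = host.split(".")[-2] if "." in host else host
    for brand in KNOWN_BRANDS:
        if brand in second_level or levenshtein(second_level, brand) <= 2:
            return brand
    return None

def blocks_indexing(robots_txt, html):
    """True when robots.txt disallows the whole site for all crawlers (User-agent: *)
    or the page carries a robots noindex meta tag."""
    applies_to_all = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            applies_to_all = value == "*"
        elif field == "disallow" and applies_to_all and value == "/":
            return True
    meta = re.search(r'<meta[^>]+name=["\']robots["\'][^>]*>', html, re.I)
    return bool(meta and re.search(r"noindex", meta.group(0), re.I))

def assess(url, robots_txt, html):
    """Return the reasons a download URL resembles the sites the article describes."""
    host = urlsplit(url).hostname or ""
    reasons = []
    brand = lookalike_brand(host)
    if brand:
        reasons.append(f"host {host} imitates {brand}")
    if blocks_indexing(robots_txt, html):
        reasons.append("site blocks search-engine indexing")
    return reasons
```

An empty list from `assess` only means these two heuristics did not fire; a site that passes them can still serve a malicious file.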

The file compression tools 7-Zip and WinRAR and the popular video player VLC were also among the products offered on the website.

Threat actors operating from another domain distributed a malicious version of CCleaner, an application for removing potentially unwanted files and invalid Windows Registry entries.

The hackers outbid the genuine developer so that their ad would appear first; the genuine CCleaner website appeared below the malicious advertisement. The site advertised a CCleaner.zip file that installed the RedLine data-stealing malware.

Researchers at several security websites have discovered further URLs offering harmful downloads that imitate free and open-source software. Hackers appear to be increasingly luring people through sponsored search results on Google.

A cybersecurity website has compiled a list of 70 websites that distribute malware via Google Ads by imitating real applications.

The websites are clones of legitimate ones. They either serve fraudulent software directly or redirect to a different download location. Many of them impersonate Audacity, while others impersonate VLC and the image editor GIMP.

One user almost fell for the trap when searching for the open-source 3D design suite Blender 3D. According to the repair website's team, three fraudulent advertisements for this product appeared above the link to the genuine developer.

Investigation so far

A security researcher examined one of the samples flagged as dangerous by various AV products and observed that it carried an invalid signature purporting to be from a cybersecurity company.

The researchers were unable to verify that malware was delivered in every case. However, in some cases the payload matched the RedLine Stealer found on the bogus CCleaner site.

This malware gathers sensitive data from browsers, including credentials, credit card information, and autocomplete data. It also collects system information such as username, location, hardware, installed security software, and cryptocurrency wallets.

A threat actor disseminated the .NET-based remote access malware SectopRAT, also known as Arechclient2, through bogus downloads for Audacity.

The researcher also discovered the Vidar info-stealer being delivered via malicious Blender 3D files offered through Google Search. Vidar primarily targets sensitive information stored in browsers, but it can also steal bitcoin wallets.

Some of these findings were shared with Google. The company assured users that the platform's policies are designed and enforced to prevent brand impersonation.

Google says that running ads which mask the advertiser's identity or impersonate other companies violates its strict policies, which it enforces rigorously. It investigated the ads in question and removed them.

Google's parent company stated that it will investigate whether other ads and sites mentioned violate its policy and will take appropriate action.

Ad-blockers may improve security

Last year, the FBI issued a warning about the use of sponsored advertising in search results as a malware delivery mechanism.

The FBI stated that these ads appear at the top of search results with little to differentiate an advertisement from a genuine search result, and that they link to a web page identical to the legitimate site of the impersonated business.

As a result, fraudsters have a higher chance of spreading their malware to a larger number of unwitting individuals.

It is always a good idea to check the URL of a download source. Combined with the use of an ad-blocker, this significantly reduces the risk from this sort of threat.

Ad-blockers are add-ons available for most web browsers. As the name implies, they prevent advertisements from being loaded and shown on a web page, including in search results.

They make the internet more comfortable to use, and they improve privacy by preventing tracking cookies in adverts from gathering data about your browsing behavior.

However, in this scenario, such extensions can make all the difference between losing access to sensitive information or online accounts and obtaining digital resources from trustworthy providers.