Google continues to face challenges with cybercriminals infiltrating its search platform to promote malicious ads that lure users into downloading corrupted versions of popular free software apps. These deceptive ads pop up above genuine search results and often precede links to legitimate sources of the same software, making it a risky pursuit to search for software on Google.
The tech giant claims that user safety is a paramount concern and boasts a team of thousands working tirelessly to establish and enforce abuse policies. While there has been a decline in the prevalence of bad ads leading to backdoored software compared to a year ago, cybercriminals continue to find clever ways to evade Google’s anti-abuse measures, and the frequency of malicious ads leading to malware remains high.
A recent example illustrates this issue – a Google search for the free graphic design program FreeCAD displayed a “Sponsored” ad at the top of the results promoting the software from freecad-us[.]org. While this website presents itself as the official FreeCAD site, it is actually a newer addition to a group of more than 200 domains at the internet address 93.190.143[.]252 that are deceptively similar to popular software titles. Some of these domains are content-stealing websites, while others provide legitimate software downloads but may later substitute these with infected versions. This malicious practice deceives users into downloading and installing backdoored software, allowing cybercriminals to infiltrate their systems.
Tom Hegel, a principal threat researcher at security firm SentinelOne, has tracked these dubious domains for over a year and reveals that the seemingly harmless software download sites occasionally alter their content to distribute backdoored versions of popular software titles. Moreover, these malicious downloads may selectively target visitors from specific regions. Hegel co-authored a report in February 2023, which identified a network of malicious ads dubbed MalVirt, attributing the surge in malicious ads spoofing various software products to the rise in malware infections from infostealer trojans such as IcedID, Redline Stealer, Formbook, and AuroraStealer.
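As an added illustration (not code from the article, from KrebsOnSecurity, or from SentinelOne), the following Python script applies the two defender-side signals the preceding paragraphs describe to a constructed set of DNS resolution records: a second-level label that closely resembles a known software title but is not the vendor's own domain, and resolution to the hosting address the article names (93.190.143[.]252). The log line format, the "official" domain for each title, the list of noise tokens stripped before comparison, and the similarity threshold are all assumptions made for the example.

```python
"""Flag look-alike software-download domains in DNS resolution records.

Added example, not code from the article or from SentinelOne. It assumes a
one-record-per-line format "<domain> <resolved-ip>" (constructed below), an
assumed allow-list of official vendor domains, and a string-similarity
threshold chosen for illustration.
"""
import ipaddress
import re
from difflib import SequenceMatcher

# Software titles named in the article, each mapped to an ASSUMED official domain.
KNOWN_SOFTWARE = {
    "freecad": "freecad.org",
    "coreldraw": "coreldraw.com",
    "githubdesktop": "desktop.github.com",
    "roboform": "roboform.com",
    "teamviewer": "teamviewer.com",
}

# Hosting address reported in the article for the cluster of rogue domains.
FLAGGED_IPS = {ipaddress.ip_address("93.190.143.252")}

# Filler tokens look-alike domains commonly append; dropped before comparison
# (assumed list, e.g. "freecad-us" -> "freecad").
NOISE = {"download", "downloads", "official", "free", "us", "app", "get", "setup"}


def registrable_label(domain: str) -> str:
    """Return the second-level label, e.g. 'freecad-us' for 'www.freecad-us.org'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Split on separators, drop noise tokens and join the remainder."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]
    return "".join(t for t in tokens if t not in NOISE)


def closest_software(label: str, threshold: float = 0.85):
    """Return (title, official_domain) best matching the label, or None below threshold."""
    norm = normalize(label)
    if not norm:
        return None
    best, best_score = None, 0.0
    for name, official in KNOWN_SOFTWARE.items():
        score = SequenceMatcher(None, norm, name).ratio()
        if score > best_score:
            best, best_score = (name, official), score
    return best if best_score >= threshold else None


def analyze(domain: str, ip: str) -> dict:
    """Evaluate one record against both signals and return the verdict with reasons."""
    reasons = []
    match = closest_software(registrable_label(domain))
    if match:
        name, official = match
        # The vendor's own domain (or a subdomain of it) is not a look-alike.
        if not (domain == official or domain.endswith("." + official)):
            reasons.append(f"looks like {name} but is not {official}")
    try:
        if ipaddress.ip_address(ip) in FLAGGED_IPS:
            reasons.append(f"resolves to flagged host {ip}")
    except ValueError:
        reasons.append(f"unparseable address {ip!r}")
    return {"domain": domain, "ip": ip, "suspicious": bool(reasons), "reasons": reasons}


def scan(log_text: str) -> list:
    """Parse the constructed log format and analyze every non-comment record."""
    results = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, ip = line.split()[:2]
        results.append(analyze(domain, ip))
    return results


# Constructed sample: the first domain is the one named in the article, the
# rest are made up; the non-flagged addresses are documentation ranges.
SAMPLE_LOG = """\
# domain resolved_ip
freecad-us.org 93.190.143.252
www.freecad.org 203.0.113.10
teamviewer-download.net 93.190.143.252
desktop.github.com 203.0.113.20
example.com 198.51.100.5
"""

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        flag = "SUSPECT" if r["suspicious"] else "ok     "
        print(flag, r["domain"], "; ".join(r["reasons"]))
```

Either signal alone is weak: a single shared address also hosts innocent tenants, and name similarity will miss domains that keep the title intact but use a different label. Combining them, and recording both reasons, is what lets a reviewer see why a record was flagged before it is escalated or added to a block list.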
Hegel notes that the volume of the ongoing malicious ad campaigns remains relatively low compared to the past and remarks on the intricate tactics used by cybercriminals to gain credibility on search engines before disseminating harmful content. While Google has blocked some of the websites at the Netherlands host (93.190.143[.]252), many others remain, raising questions about the comprehensive nature of Google’s response to malicious ad campaigns.
In response to inquiries from KrebsOnSecurity, Google emphasizes its commitment to creating a secure ads ecosystem and preventing malware from permeating its platforms. The company reports that it removed billions of ads and suspended millions of advertiser accounts in 2022 due to policy violations. Despite this, the occurrence of malicious ads continues, with new additions to the rogue domains appearing frequently, including those mimicking download sites for CorelDRAW, GitHub Desktop, RoboForm, and TeamViewer.
As users confront the reality of encountering these malicious ads, they have taken to forums to share their experiences and alert others. Some have fallen victim to the scam, downloading corrupted versions of software from deceptive websites and calling on others to report these sites to Google.
The identities of those behind the malicious ad campaigns remain elusive, with limited leads pointing to the origins of the deception. The domains in question were registered through webnic.cc, and some display placeholder pages containing hidden comments in Cyrillic. Attempts to track the criminals through Google’s Ad Transparency tools have yielded little information, leading to suspicions that the advertising accounts used to fund these malicious ads may have been compromised as well.
While Google’s efforts to combat these malicious ad campaigns are commendable, the prevalence of deceptive and harmful online activity underscores the persistent challenges that tech companies and users face to stay safe and secure in the digital realm.