A new malvertising campaign has surfaced that makes use of Google Ads to target users looking for password managers.

Cybercriminals have increasingly been abusing the Google Ads platform to trick unsuspecting users into clicking on fake websites that spread malware. Earlier, the FBI had warned about the explosion of such attacks, which impersonated finance-related websites and duped users into sharing their login credentials and financial information.

What’s the matter?

Researchers at Malwarebytes Labs discovered that users looking for popular password managers, such as 1Password, were directed to fake sponsored websites that popped up as the top results. 
  • While the first one led to the legitimate domain 1password[.]com, the second one pointed to start1password[.]com.
  • Both claimed to be for 1Password and included HTTPS in the URL, which made it harder for someone to determine which one to follow.

Previously observed attack trends

  • The DEV-0569 threat actor had abused Google Ads to distribute malware, steal victims' passwords, and ultimately breach networks for ransomware attacks.
  • The new Rhadamanthys Stealer was also making the rounds in the wild by luring victims to phishing sites mimicking popular software via Google Ads.
  • In a different case, hackers had also leveraged the Google Ads platform in a MasquerAds campaign to spread malware via fake websites that pretended to be official sites for MSI Afterburner, Slack, Dashlane, Malwarebytes, Grammarly, Audacity, OBS, and Thunderbird.  
  • The malware distributed in the campaign included variants of Raccoon Stealer and the IcedID botnet.

Stay safe

Internet users should be cautious when dealing with promoted search results since they carry all signs of legitimacy. A major sign of foul play is a domain name that may resemble the official one but has swapped characters in the title or a single mistaken letter. An ad-blocker on a web browser helps filter out promoted results from Google Search by blocking these campaigns.
Cyware Publisher
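
The domain check described under "Stay safe", written out as an added example that is not part of the original article: it compares an ad's landing domain against an allowlist and flags both the start1password[.]com pattern (brand name inside another domain) and one-edit misspellings (swapped characters or a single wrong letter). The allowlist, the function names and the misspelled sample domains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: allowlist kept by the defender; only 1password.com is from the article.
OFFICIAL = {"1password.com"}

def registered_domain(url):
    """Naive last-two-labels host; production code should use the Public Suffix List."""
    url = url.replace("[.]", ".")          # accept defanged notation
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def osa_distance(a, b):
    """Edit distance where an insert, delete, substitution or adjacent swap costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(url, official=OFFICIAL, max_edits=1):
    dom = registered_domain(url)
    if dom in official:
        return "official"
    name = dom.split(".")[0]
    for good in official:
        brand = good.split(".")[0]
        if brand in name:
            return "lookalike: brand name inside another domain"
        if osa_distance(name, brand) <= max_edits:
            return "lookalike: near-miss spelling"
    return "unrelated"

if __name__ == "__main__":
    # The first two URLs are from the article; the rest are constructed samples.
    for u in ["1password[.]com", "start1password[.]com",
              "https://1passwrod.com/download", "https://1passw0rd.com", "example.org"]:
        print(f"{u:35} {classify(u)}")
```

HTTPS plays no part in the verdict, since both the real and the fake site in the article used it.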