To disguise their trap without being blocked by Google, hackers have created two sites: the first, harmless, redirects directly to the second, a fraudulent copy of the official product's site.

Hackers advertise on Google. Two cyber security companies, Guard.io and Trend Micro, spotted malware promotion campaigns and detailed their research in their respective reports published on December 28. Among the impersonated products are Slack, μTorrent, TeamViewer, Audacity, Brave and even LibreOffice.

Hackers create clone sites of official companies and then offer the software in question for download. The file actually hides a stealer, a popular type of malware that searches browser files to steal passwords, or a botnet agent that infects the computer. Specifically, the researchers detected Raccoon Stealer, a customized version of Vidar Stealer, and the IcedID botnet.

The Google Ads platform lets advertisers promote their page in search results, placing it at the top of the results list in the form of an advertisement, often above the official website. Internet users looking for legitimate software in their browser, without an ad blocker, are likely to click on the first link that appears.

Naturally, if Google detects a fraudulent site, the campaign is blocked and the ad removed. However, the criminals have found a trick. A first site is created, with a domain name similar to the targeted product, but the page itself has no connection with the software. Once the victim clicks on this first lure, the latter immediately redirects to the second platform, a true copy of the product sought by the Internet user.

On the left, the first buffer site, the "mask" as the researchers call it. On the right, the phishing site to which the Internet user is redirected. // Source: Guard.io

Credential theft in the crosshairs

This method is gaining popularity among criminals. Other campaigns have been spotted; one of them targets MSI Afterburner, a graphics card management tool well known to gamers.

The payload, which often comes in the form of a ZIP file, is downloaded from public code hosting platforms such as GitHub, Dropbox or Discord. This technique ensures that the antivirus program running on the victim’s computer does not interfere with the download.

The main objective of the attackers is to steal the victim's credentials with this software, which searches the browser's password managers. To avoid falling into the trap, we can only advise against clicking on the first sponsored links. In case of doubt, the official domain of a product is indicated on the software's Wikipedia page.
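As an added example (not code from the article or from the Guard.io or Trend Micro reports), a small Python check for the click-through pattern described above: a lookalike first-hop domain that redirects to a landing domain other than the product's official one, plus a check for payloads served from the public hosting platforms mentioned. The product list, official domains and redirect chains below are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed lookup table (assumption for the example): product name -> official domain.
OFFICIAL = {"audacity": "audacityteam.org", "teamviewer": "teamviewer.com"}

# Public file-hosting platforms named in the article as payload sources.
PUBLIC_HOSTS = {"github.com", "dropbox.com", "discord.com", "discordapp.com"}


def registered_domain(url):
    """Crude registrable domain: last two labels of the hostname."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike(domain, product):
    """True if the domain's first label contains or closely resembles the product name."""
    label = re.sub(r"[^a-z0-9]", "", domain.split(".")[0])
    if product in label:
        return True
    return SequenceMatcher(None, label, product).ratio() >= 0.8


def classify_chain(product, chain):
    """Classify an ad click-through redirect chain (list of URLs, first to last).

    'official'      - lands on the known official domain
    'mask-redirect' - lookalike first hop that redirects to a different,
                      non-official domain (the two-site trick in the article)
    'suspicious'    - lands off-domain without the lookalike first hop
    """
    official = OFFICIAL[product]
    first, last = registered_domain(chain[0]), registered_domain(chain[-1])
    if last == official:
        return "official"
    if lookalike(first, product) and last != first:
        return "mask-redirect"
    return "suspicious"


def download_from_public_host(url):
    """True if the download URL is served from one of the public hosting platforms."""
    return registered_domain(url) in PUBLIC_HOSTS
```

A web gateway or proxy log that records redirect chains per click is the realistic input; a "mask-redirect" verdict on a sponsored result is worth blocking or reviewing.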
