Google’s Own Ads Turn Against It: Fake Authenticator Ads Spread DeerStealer Malware

Google’s ad platform is under fire for allowing threat actors to run fake Google Authenticator ads, spreading DeerStealer malware. Despite efforts to block these scams, hackers are using clever techniques to bypass detection, leaving users at risk. Avoid clicking promoted results and verify URLs before…

Hot Take:

Who knew Google Authenticator needed protecting from Google Ads themselves? It’s like hiring a guard dog only to find out it’s been trained by the neighborhood cat burglars. Time to double-check those URLs, folks, because the only thing worse than not being authenticated is being DeerStealer authenticated!

Key Points:

  • Google’s ad platform has allowed fake Google Authenticator ads to push DeerStealer malware.
  • Threat actors use URL cloaking to make ads appear legitimate by showing ‘google.com’ domains.
  • Malvertising campaigns have previously targeted KeePass, Arc browser, YouTube, and Amazon.
  • Google blocked the specific fake advertiser but acknowledges ongoing detection challenges.
  • Users are advised to avoid promoted results, use ad blockers, and verify URLs before downloading software.

Google’s Got a Glaring Ad Problem

Google, the tech giant that we all rely on for everything from searching for cat videos to finding the best lasagna recipe, has tripped over its own shoelaces. In an ironic twist that’s almost too juicy to be true, threat actors have been placing fake Google Authenticator ads on Google’s own platform. These ads are not just any shady pop-ups; they convincingly show ‘google.com’ as the click URL. It’s like buying a Rolex on a shady street corner and being surprised it’s a ‘Bolex’.

The Cloak of Invisibility

This isn’t Google’s first rodeo with malvertising. They’ve seen these kinds of shenanigans before with other big names like KeePass, Arc browser, and even Amazon. But Google’s ad platform seems to be as leaky as a sieve when it comes to detecting these fake ads. Threat actors use a sneaky trick known as URL cloaking, which makes their malicious ads look like they’re coming from legitimate domains. It’s like putting on an invisibility cloak but forgetting you’re wearing squeaky shoes.

Google’s Response: Better Late Than Never?

When Malwarebytes tipped off Google about the fake ads, Google promptly blocked the reported fake advertiser. But when asked why this keeps happening, Google pointed out that the threat actors are playing a game of Whack-a-Mole by creating thousands of accounts and using text manipulation to dodge detection. To combat this, Google said they are beefing up their automated systems and human reviewers. In 2023 alone, they removed 3.4 billion ads, restricted over 5.7 billion, and suspended over 5.6 million advertiser accounts. Impressive numbers, but clearly, a few bad apples are still slipping through.

Fake Sites, Real Malware

Clicking on these fake Google Authenticator ads will take you on a wild ride through a series of redirections, finally landing you on a site that looks eerily like an official Google page. The domain names are cunningly similar, like ‘chromeweb-authenticators.com’ and ‘authenticcator-descktop.com’. One click on the ‘Download Authenticator’ button, and you’ll get a signed executable named ‘Authenticator.exe’ hosted on GitHub. The malware is signed by seemingly legitimate companies, which makes it easier to bypass security measures and install itself on your device. And voila, you’ve just installed the DeerStealer malware, which will happily help itself to your credentials, cookies, and other sensitive info.

Don’t Click That Ad!

So, what’s a savvy internet user to do? First off, avoid clicking on promoted results in Google Search. Use an ad blocker to keep those pesky ads at bay, and always double-check that the URL you’re visiting is the official domain for the software you want to download. And for the love of all things digital, scan that downloaded file with an up-to-date antivirus tool before executing it. It’s better to be safe than sorry—or worse, DeerStealer-ed.
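The URL check advised above, as an added example (not from the original article): it classifies the final landing URL, after any redirects, rather than the URL shown in the ad. The official-domain list, the brand-word list and the 0.8 similarity threshold are assumptions; the two lookalike domains in the samples are the ones quoted in the article, and the other URLs are constructed.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: domains you accept as official for this download.
OFFICIAL_DOMAINS = {"google.com"}
# Assumption: brand words an impostor domain is likely to imitate.
BRAND_WORDS = ("google", "authenticator", "chrome", "desktop")

def is_official(host):
    """True only for an official domain or a true subdomain of one."""
    host = host.lower().rstrip(".")
    # Require the dot boundary so "google.com.example.net" does not pass.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def lookalike_words(host, threshold=0.8):
    """Return (token, brand_word) pairs where a host token imitates a brand word."""
    hits = []
    for token in re.split(r"[.\-_]", host.lower()):
        for word in BRAND_WORDS:
            # Similarity ratio catches exact reuse and small typos alike.
            if SequenceMatcher(None, token, word).ratio() >= threshold:
                hits.append((token, word))
    return hits

def classify(url):
    """Classify a landing URL as 'official', 'lookalike' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    if is_official(host):
        return "official"
    return "lookalike" if lookalike_words(host) else "unknown"

if __name__ == "__main__":
    samples = [
        "https://accounts.google.com/",                  # constructed
        "https://chromeweb-authenticators.com/",         # domain from the article
        "https://authenticcator-descktop.com/download",  # domain from the article
        "https://google.com.example.net/",               # constructed
        "https://example.org/",                          # constructed
    ]
    for url in samples:
        print(f"{classify(url):10} {url}")
```

A "lookalike" verdict means the host borrows a brand word without belonging to an official domain, which is the pattern the two domains above share.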
