A recent cybersecurity incident highlights the ongoing issue of brand impersonation through Google ads, with the latest target being Google itself.

Users attempting to download the popular Google Authenticator app via Google search in the past few days may have inadvertently installed malware on their devices.

Fake Ad Tricks Users into Downloading Malware

The fraud relied on malicious ads that appeared to come from a legitimate source. When users searched for “Google Authenticator” on Google, they were shown a fake ad that redirected them to a decoy website, where the malware was installed.

This type of impersonation not only deceives users but also erodes trust both in the impersonated brands and in Google search results.

Analysis of the Fraudulent Website and Malware Distribution

The fake ad directed users to a fraudulent site, chromeweb-authenticators[.]com, registered by NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day the ad appeared. The site’s source code shows that it fetched a file named Authenticator.exe from GitHub: a user with the handle “authe-gogle” hosted the malicious payload in a repository named “authgg”.


Details of the Malicious Payload

The Authenticator.exe file was digitally signed by “Songyuan Meiying Electronic Products Co., Ltd.” and the signature was still valid at the time of discovery. The malware, known as DeerStealer, is designed to steal personal data and exfiltrate it to an attacker-controlled website, vaniloin[.]fun.
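As an added defender's example (not part of the original report), the following Python script matches the chain described above, the decoy domain, the GitHub-hosted Authenticator.exe and the DeerStealer exfiltration domain, against constructed proxy log lines. The log layout, the user names and the raw-download URL path under the reported repository are assumptions; the indicators are the ones given in the report.

```python
import re
# Indicators exactly as the report above gives them (defanged); refanged only in memory.
DEFANGED_IOCS = {
    "chromeweb-authenticators[.]com": "decoy site (fake Google Authenticator page)",
    "vaniloin[.]fun": "DeerStealer exfiltration domain",
}
# GitHub user/repository named in the report; the raw-download URL layout is an assumption.
REPO_PATH = "/authe-gogle/authgg/"
PAYLOAD = "Authenticator.exe"
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
# Constructed sample proxy log ('timestamp user host path'); not a real vendor format.
SAMPLE_LOG = """\
2024-07-31T10:02:14Z alice chromeweb-authenticators.com /
2024-07-31T10:02:20Z alice raw.githubusercontent.com /authe-gogle/authgg/main/Authenticator.exe
2024-07-31T10:03:05Z alice vaniloin.fun /upload
2024-07-31T10:05:40Z bob github.com /some-org/tool/releases/download/v1/tool.exe
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return ioc.replace("[.]", ".")

def classify(host: str, path: str) -> str:
    """Map one request to a stage of the reported chain; '' if unrelated."""
    hosts = {refang(k): v for k, v in DEFANGED_IOCS.items()}
    if host in hosts:
        return hosts[host]
    if host in GITHUB_HOSTS and path.startswith(REPO_PATH) and path.endswith(PAYLOAD):
        return "payload download from reported repository"
    return ""

def triage(log_text: str) -> dict:
    """Return {user: [(timestamp, stage), ...]} for users that touched any stage."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, user, host, path = m.groups()
        stage = classify(host, path)
        if stage:
            hits.setdefault(user, []).append((ts, stage))
    return hits

def users_with_exfil(hits: dict) -> list:
    """Users that fetched the payload and reached the exfil domain: isolate these first."""
    return sorted(u for u, s in hits.items()
                  if any("payload" in d for _, d in s) and any("exfil" in d for _, d in s))
```

A host that only touched the decoy page without the download is still reported, but lands behind the full-chain users in the isolation order.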

Implications and Recommendations

This incident underscores the need for vigilance when downloading software, even from seemingly legitimate ads and sources. Users should always verify the authenticity of download links and consider using direct links from official websites rather than relying on search ads.


Google and other platforms must continue to improve their ad verification processes to prevent such incidents and protect users from malicious actors exploiting their services.

Stay informed and cautious to safeguard your digital security against ongoing threats like these.