1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Google Ads are being hijacked to serve up dangerous malware

    From TechnologyDaily@1337:1/100 to All on Fri Sep 15 12:15:04 2023
    Google Ads are being hijacked to serve up dangerous malware

    Date:
    Fri, 15 Sep 2023 12:00:02 +0000

    Description:
    A malvertising campaign has been found on Google masquerading as a convincing download page for Cisco Webex.

    FULL STORY ======================================================================

    Google Ads are once again being used to spread malware , this time under the guise of an official Cisco Webex download portal.

    The ads for the video conferencing software appear very real, but they only redirect victims to sites that contain the BatLoader and DanaBot malware.

    Security firm Malwarebytes found that the campaign was ongoing for a week and appears to be the work of attackers based in Mexico. The malicious ad was ranking in the top spot on Google for the search term "Webex". Bad Webex

    The advertisement is so compelling as it uses the real Webex logo and URL, webex.com, as the link. It makes use of an exploit in tracking templates that allows threat actors to redirect links to wherever they want.

    Even though Google requires that the URL displayed by an ad must belong to
    the same domain as the final URL destination that a user is taken to, the tracking template can be used to redirect users to a different URL.

    The threat actors in this campaign used the malicious "trixwe.page.link" link in the tracking template, while the final URL was listed as "webex.com". So users who clicked saw the latter, but were sent to the former.

    What's more, the bad link appears to block visits that come from security researchers or crawlers. For users that the actors actually want to target, they are sent to a further site where more checks are conducted to make sure again they are not researchers using a sandbox environment.

    Finally, users that they want to victimize will be sent to the site "webexadvertisingoffer[.]com" that deploys the malware, whereas those that
    are filtered out will be redirected to the legitimate Webex site.

    On the fake page, there are download links ostensibly for Webex which, if clicked, will trigger the installation of BatLoader. This will then lead to the execution of the DanaBot malware, a banking trojan from 2018 that can steal passwords, take screenshots, load ransomware modules, hide bad C2 traffic and use HVNC to give remote access.

    It is always best practice when downloading software to ignore promoted
    search results on Google and go direct to a trusted source, such as the vendor's own site. Google has since told BleepingComputer that it has, "taken appropriate action against the associated accounts" in this case. MORE FROM TECHRADAR PRO Here is the best firewall you can get Facebook is being flooded with fake ads that are actually malware Don't be fooled by fake ads for this file transfer service - they could lead to malware



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/google-ads-are-being-hijacked-to-serve- up-dangerous-malware


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)