Attackers are infiltrating your Google search results with money-stealing ads

Google search results showing a fake ad for Webex. The ad web address is "weebexx dot space."

A fake ad in a Google search result claims to be a Webex video conferencing site. Image: MalwareHunterTeam

BY KERRY TOMLINSON, AMPERE NEWS

Doing a search online? Watch out for fake Google ads promoting criminal sites that can steal your money and passwords.

Researchers are turning up round after round of these fake ads roosting at the top of your search results. And in one case, the thieves hacked someone's accounts and helped themselves to a "life-changing" amount of digital money.

It's not just digital money at risk. We show you how the scheme works in this episode of Cyber Tricks Revealed.


Every Account Hacked

Let's say you're searching for popular software like TeamViewer, Slack, or Discord, to name a few. You see an ad at the top of your search results that looks like the real thing.

You might just click on the ad, go to the site, and download the software onto your computer. But the ad is fake. And the software is downright criminal: malware that could bleed you dry.

This is what happened to a Twitter user called "NFT God," who also goes by the name "Alex," with more than 90,000 followers. Alex tweeted on January 14 that their entire digital livelihood was violated.

"Every account connected to me both personally and professionally was hacked and used to hurt others," Alex wrote, adding that they also lost a life-changing amount of their net worth.

What Happened

Alex described the hack in a series of posts on social media. In a search for the streaming software OBS (Open Broadcaster Software) on Google, an ad popped up claiming to be the real OBS site. Alex clicked on the ad and downloaded the software but noticed that nothing seemed to happen.

Within hours, Alex's world fell apart.

Instead of downloading OBS, Alex had downloaded malware that could steal passwords and allow the thieves to take over accounts and transfer digital money.

The damage included, according to Alex:

  • All accounts hacked and used to send out thousands of spam emails with malicious links.

  • Alex's cryptocurrency, worth about $27,000 according to Coin Telegraph, stolen.

  • Alex's digital art piece, called an NFT or non-fungible token, burgled, with an estimated price of about $25,000 as per Coin Telegraph.

Alex called the attack "instantly violent and final."

"The hackers sent two emails to my 16,000 closest fans with hacked links. Trust I've worked over a year to build was gone. Losing a chunk of my net worth is nothing compared to losing the trust of my community," Alex tweeted.

String of Attacks

Last April, people searching for cryptocurrency platforms like Astroport ran into fake Google ads and lost more than $4 million, according to blockchain security company SlowMist.

The year before, people looking for sites like the Phantom crypto wallet met up with the fakes and lost about $500,000 in cryptocurrency in just a few days, reported security company Check Point.

This year, researchers are already finding scores of false ads in searches for popular software like TeamViewer, Slack, Citrix, Discord, Docker, Microsoft OneNote, AnyDesk, Notepad++, Lightshot, LibreOffice, and many more.

You can see more examples of these fake ads in our video and from these researchers, among others: MalwareHunterTeam, Will Dormann, and Germán Fernández.

What’s the damage?

Clicking on the ads and downloading the malware can do much more than leak your digital money.

Some of the malware found in these poisonous ad campaigns can do things like take screenshots of your screen, dig out your passwords, credit card numbers, and banking information, and steal messages from your messenger apps, research shows.

Attackers can go on to take over your accounts and use them to attack others. They may even launch ransomware on your machine, which can hold your computer hostage until you pay money.

What to Do

OBS itself warned about the fake ad attacks last summer.

"Only download OBS from our official site, obsproject[.]com, and never click any ads claiming to be OBS," the OBS account tweeted.

The FBI issued an alert about the fake ads in December. The alert makes three recommendations to avoid the attack:

  • Check the web address of an ad before you click. The address may be a few letters off, or it may have nothing to do with the software you're searching for.

  • Type the site's full address into the address bar instead of doing a search.

  • Use an ad blocker, or software that blocks ads on sites, when doing a search.

Attackers may also be able to fake the web address that shows up in the search so that it looks like the real web address. You may have to look for other clues, such as the language and spelling in the site description. If you do click on the ad, check the web address of the site that follows to see if there are any misspellings or odd words.
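The address check described above can be automated. The following is an added example, not code from the FBI alert, OBS, or Ampere News: it compares an ad's destination address with a short list of official sites and flags names that are a few letters off or that embed the official name elsewhere in the address. The list contents (obsproject.com from the OBS quote, webex.com added for illustration), the function names, and the two-edit threshold are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: an allowlist kept by the defender. obsproject.com is the official
# site named in the article; webex.com is added here for illustration.
OFFICIAL_DOMAINS = ("obsproject.com", "webex.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    # Simplification: keeps the last two labels only; multi-part suffixes
    # such as co.uk need a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_ad_url(url: str, max_edits: int = 2):
    """Return (verdict, official_domain) for an ad's destination address."""
    parts = urlsplit(url if "://" in url else "//" + url)
    domain = registrable_domain(parts.hostname or "")
    if domain in OFFICIAL_DOMAINS:
        return ("official", domain)
    name = domain.split(".")[0]
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        # "A few letters off": the name is a small edit away from the brand.
        if edit_distance(name, brand) <= max_edits:
            return ("lookalike", official)
        # Official name used as a subdomain or as the user part before "@".
        if brand in parts.netloc.lower():
            return ("lookalike", official)
    return ("unknown", None)

# Constructed samples; weebexx.space is the address shown in the article's image.
SAMPLES = [
    "https://weebexx.space/download",
    "https://www.obsproject.com/download",
    "https://obsproject.com.downloads-site.example/",
    "https://example.org/",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify_ad_url(sample))
```

Because the address displayed in an ad can itself be faked, run the check on the address of the page that loads after the click, not only on the one shown in the search result.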

What is Google doing?

Google policies say the company does not allow advertisers to run ads that abuse the ad network, like promoting content that contains malware. Clearly, the attackers have been able to do so despite the policies.

Tech news site BleepingComputer asked Google about some of the fake ads. Google told the site, "We have robust policies prohibiting ads that attempt to circumvent our enforcement by disguising the advertiser’s identity and impersonating other brands, and we enforce them vigorously. We reviewed the ads in question and have removed them."

Here's where you can report a fake Google ad if you see one. If the current pattern continues, you may spot many more before the year is through.

