Several newly emerged credential-stealing threats, including the Redline and Taurus info stealers, are being distributed through pay-per-click (PPC) advertisements in Google's search results.
In an advisory published on Wednesday, researchers at the security company Morphisec said they studied adverts shown on the first page of search results and found them being used to spread malicious ISO image downloads posing as AnyDesk, Dropbox, and Telegram installers.
Malicious ads for AnyDesk, a popular remote desktop tool, have appeared in Google search results before: an earlier campaign delivering a trojanized build of the app even managed to outrank the vendor's own ad campaign on Google, placing higher in the sponsored results.
For this new campaign, the researchers observed that the Google PPC adverts targeted IP addresses in the United States, but did not rule out other countries being targeted as well. According to their findings, visitors from non-targeted IPs are redirected to sites that serve the genuine software, so anyone checking the chain from outside the targeted region sees only legitimate downloads.
What has become clear from the research is that malicious actors have found ways to circumvent Google's malvertising protections and use Google AdWords to their advantage. Morphisec's researchers found that a simple search for "anydesk download" returned three Google AdWords adverts that funnel users to info stealers: the first two link to the Redline info stealer, while the third leads to the Taurus info stealer.
As described, every attack begins with a sponsored Google advertisement that leads to a website hosting an ISO image. The image is made large enough to exceed the file-size limits at which many antivirus and web-content scanners stop inspecting downloads, so the payload inside is never examined by a regular scan.
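The chain the advisory describes (search result, sponsored click, landing page, oversized ISO) can be turned into a simple proxy-log check. The following is an added example, not code from Morphisec or the advisory: the log lines are constructed, the 100 MB scanner limit and the `anydesk-example.invalid` hostname are assumptions, while the `gclid` parameter and the `googleadservices.com/pagead/aclk` redirector are Google Ads' real click-tracking conventions. It flags any ISO fetched by a client that arrived through a sponsored click and records whether the file is larger than the scanner would have inspected.

```python
"""Flag ISO downloads that follow a Google Ads click and exceed a scanner's size limit.

Added example, not code from Morphisec or the advisory. SAMPLE_LOG is constructed;
SCAN_LIMIT_BYTES and the anydesk-example.invalid host are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed: size above which the in-line content scanner stops inspecting downloads.
SCAN_LIMIT_BYTES = 100 * 1024 * 1024

# Google Ads click redirector and click-ID parameter (real Google Ads conventions).
AD_CLICK_HOSTS = {"www.googleadservices.com", "googleadservices.com"}
AD_CLICK_PATH = "/pagead/aclk"
AD_CLICK_PARAM = "gclid"

# Constructed proxy log: client, referrer ("-" if none), requested URL, response bytes.
SAMPLE_LOG = """\
10.0.0.5 https://www.google.com/search?q=anydesk+download https://www.googleadservices.com/pagead/aclk?sa=L&gclid=ABC123 0
10.0.0.5 https://www.googleadservices.com/pagead/aclk?gclid=ABC123 https://anydesk-example.invalid/download/?gclid=ABC123 14320
10.0.0.5 https://anydesk-example.invalid/download/?gclid=ABC123 https://anydesk-example.invalid/AnyDesk.iso 157286400
10.0.0.9 https://anydesk.com/ https://download.anydesk.com/AnyDesk.exe 3932160
10.0.0.7 - https://mirror.example.invalid/iso/ubuntu.iso 2097152000
"""


@dataclass
class Request:
    client: str
    referrer: str
    url: str
    size: int


def parse_log(text: str) -> list[Request]:
    """Parse the whitespace-separated constructed log format above."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, referrer, url, size = line.split()
        requests.append(Request(client, referrer, url, int(size)))
    return requests


def is_ad_click(url: str) -> bool:
    """True if the URL is the Google Ads click redirector or carries a gclid click ID."""
    parsed = urlparse(url)
    if parsed.netloc in AD_CLICK_HOSTS and parsed.path.startswith(AD_CLICK_PATH):
        return True
    return AD_CLICK_PARAM in parse_qs(parsed.query)


def find_suspect_isos(requests: list[Request]) -> list[dict]:
    """Return ISO downloads by clients that arrived via a sponsored-search click.

    Each alert records whether the file exceeds SCAN_LIMIT_BYTES, i.e. whether the
    content scanner would have skipped it the way the advisory describes.
    """
    ad_clients: set[str] = set()
    alerts = []
    for req in requests:
        # Remember every client seen clicking through a Google ad.
        if is_ad_click(req.url) or is_ad_click(req.referrer):
            ad_clients.add(req.client)
        if not urlparse(req.url).path.lower().endswith(".iso"):
            continue
        if req.client in ad_clients:
            alerts.append({
                "client": req.client,
                "url": req.url,
                "size": req.size,
                "oversized": req.size > SCAN_LIMIT_BYTES,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_isos(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log only the AnyDesk.iso fetched by 10.0.0.5 is reported: the Ubuntu image is larger still but was not preceded by an ad click, and the genuine AnyDesk.exe from the vendor's own domain is not an ISO. In a real deployment the ad-click memory should be bounded to a session window rather than kept for the whole log.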
The main conclusion of the advisory is that, just as advertisers will use every means available to reach their targets no matter the cost, online crooks will use every tactic imaginable to get a malicious website to the top of Google's search results.
Organizations therefore need to stay watchful across all aspects of their operations to keep up with the threat actors' inventiveness. In practice that means downloading software from the vendor's own site rather than from sponsored results, and treating ISO downloads from unfamiliar domains as suspicious regardless of how the link was reached.