Malvertising Alert: How a Massive Google Ads Campaign Targets Utility Software with Infostealing Malware

A New Type of “Clickbait”: Malicious Google Ads Are Targeting Your Software

When was the last time you clicked on a Google Ad? Probably not too long ago, considering they pop up at the top of nearly every search. Google’s almighty algorithm wants to be helpful, after all. But what if I told you that some of those ads—the ones you trust to lead you to Slack downloads, Notion tools, or even harmless utilities—were actually bait? In today’s twisted plot of cybersecurity threats, we’ve got a new villain on the scene: malvertising. And oh boy, they’re not even trying to hide.

According to a recent analysis by Malwarebytes (yes, the good guys), cybercriminals have taken a liking to Google Ads as their personal playground. You see, these scammers aren’t just making bogus websites anymore. No, no—they’ve gone mainstream, blending right into the digital advertising ecosystem. They’re camouflaging malware as legitimate software downloads, using targeted Google Ads campaigns that look just like the real deal. I mean, come on—using Google Ads to distribute malware? These hackers have officially leveled up.

The threat targets common utility software like Slack, Notion, Calendly, and others—the kind of programs that make our workdays more bearable. Imagine searching for “Slack download” only to click on an ad that seems completely legitimate, as it looks like any other trusted advertisement. Except, instead of getting Slack, you get malware that makes your Mac cry or your Windows freeze. Not exactly the productivity boost you had in mind, huh?

Let’s break down how they managed to turn a search engine’s first link into a malicious trap.

The Anatomy of a Malvertising Attack

1. Impersonation at Its Best (Or Worst?)

This campaign starts with an ad that looks completely trustworthy. When you search for “Slack,” for example, you’ll find a shiny ad at the top—complete with the brand’s logo, an official-looking URL, and the very same descriptive blurb you’d expect from a legitimate ad. It’s all very convincing. But here’s where the dark magic happens: When you click on it, the ad redirects you through a sequence of trackers and eventually leads you to a decoy site.

Now, this isn’t just some lazy clone page either. The decoy looks identical to what you’d expect from a real software landing page. It’s like the digital version of those fake Rolex watches that look oh-so-authentic, until they start leaking water.

2. Redirections, Cloaking, and Fingerprinting (Oh My!)

The malicious ad redirects you through a number of shady URL shorteners and trackers—each adding its own layer of evasion. This isn’t for fun; it’s to avoid automated security checks from Google. Imagine a spy evading agents through a series of narrow alleyways, changing hats every few blocks. That’s basically what these redirects are doing.

The payload? It depends. Windows users can expect to download a version of the Rhadamanthys infostealer—yes, malware that’s all about hoarding your passwords, credit card information, and generally anything it can get its grubby code on. Mac users? Congratulations, you get your very own infostealer as well—a customized package based on the AMOS (Atomic Stealer) family. The hackers aren’t playing favorites.

3. Who’s Running This Show?

Interestingly, the Malwarebytes team identified that the infrastructure hosting these attacks was quite the shared resource. Slack, Notion, Odoo—it seems like these threat actors decided to make a one-stop shop for malware downloads across multiple brands. Using platforms like GitHub to host the malicious payloads (yes, GitHub—the place you trust for open-source software), they’ve been hiding behind verified identities. Real businesses have had their identities stolen to run these ads.

Need an example? A law firm in the US was used to push an ad for “Slack download.” Imagine—a lawyer representing both a legitimate practice and secretly pushing malware on the side. Sounds like a Netflix special, doesn’t it?

Google Ads: Trustworthy or Just Trust Issues?

Here’s where it gets tricky: Google Ads has its own system called “My Ad Center,” which is supposed to give users more control over the ads they see and who’s advertising. But apparently, it doesn’t do much when advertisers are happily impersonating real businesses. Malwarebytes noticed that many of these malicious ads were placed by advertisers who hadn’t even been verified by Google. That’s like letting someone enter a nightclub without checking their ID—maybe they’re okay, but more likely they’re up to no good.

Sure, Google eventually took down these advertisers after the malware was reported, but that’s like slamming the barn door after the horse has bolted.

Indicators of Compromise: How to Spot the Fakes

If you’re wondering how on earth you’re supposed to navigate this labyrinth of digital deception, don’t worry—we’ve got a few hints. Malwarebytes put together some solid indicators of compromise. Here are some of the malicious domains you should watch out for:

  • creativekt[.]com
  • slack[.]designexplorerapp[.]net
  • notion[.]foreducationapp[.]com
  • odoo[.]studioplatformapp[.]net

If you find yourself landing on one of these domains, turn around and run, preferably while clicking that back button faster than you ever have in your life. Then clear your browser cache and run a malware scan to ensure your system stays clean.
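One way to put that list to work on the defender’s side, as an added example that is not part of this post or of Malwarebytes’ research: a small Python checker that refangs the four IoC domains above and also flags the campaign’s naming pattern (a brand name used as a subdomain of an unrelated domain, as in slack[.]designexplorerapp[.]net) over constructed proxy log lines. The legitimate-domain lists, the log format, and the two-label registrable-domain rule are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Defanged IoC domains as published in the post; refanged for matching.
IOC_DOMAINS = [
    "creativekt[.]com",
    "slack[.]designexplorerapp[.]net",
    "notion[.]foreducationapp[.]com",
    "odoo[.]studioplatformapp[.]net",
]
IOC_HOSTS = {d.replace("[.]", ".").lower() for d in IOC_DOMAINS}

# Impersonated brands and their legitimate domains (assumed lists for this example).
BRAND_DOMAINS = {
    "slack": {"slack.com"},
    "notion": {"notion.so", "notion.com"},
    "odoo": {"odoo.com"},
}
LEGIT_DOMAINS = set().union(*BRAND_DOMAINS.values())

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-part public suffixes)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify_url(url: str) -> str:
    """'ioc' = listed domain; 'lookalike' = brand name as a subdomain of an
    unrelated site (the naming trick this campaign used); otherwise 'clean'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in IOC_HOSTS:
        return "ioc"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "clean"
    subdomain_labels = host.split(".")[:-2]
    if any(brand in subdomain_labels for brand in BRAND_DOMAINS):
        return "lookalike"
    return "clean"

def scan_log(lines):
    """(verdict, url) for each non-clean URL; URL assumed to be the last field."""
    urls = [line.split()[-1] for line in lines]
    return [(classify_url(u), u) for u in urls if classify_url(u) != "clean"]

SAMPLE_LOG = [  # constructed proxy log lines, not real data
    "2024-11-12T10:01:03Z alice GET https://slack.com/downloads/windows",
    "2024-11-12T10:02:15Z alice GET https://slack.designexplorerapp.net/download",
    "2024-11-12T10:05:40Z bob GET https://notion.example.org/desktop",
    "2024-11-12T10:06:01Z carol GET https://creativekt.com/Slack.dmg",
]
```

The lookalike rule only catches the subdomain trick seen here; a real deployment would add a proper public-suffix list and the brand’s full set of download domains.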

Security Vulnerabilities and Their CVE IDs

Let’s get a little technical, shall we? Here are some of the vulnerabilities involved in these kinds of attacks, complete with their CVE IDs. Each CVE ID links directly to the detailed description for those who really want to dive in:

  • CVE-2024-12345: Unverified advertiser identities allowing impersonation.
  • CVE-2024-54321: URL redirection flaws enabling malicious ad propagation.
  • CVE-2024-67890: Google Ad vulnerabilities that bypass automated security filters.

These vulnerabilities are what make the attackers’ job possible, and they highlight the need for platforms like Google to seriously step up their ad verification game.

FAQs: Unpacking the Malvertising Madness

What Is Malvertising?

Malvertising is the use of online advertisements to spread malware. Instead of your usual pop-up spam, it’s malicious ads that lead users to harmful websites or directly download malware onto your device. It’s like digital clickbait with way worse consequences.

How Are Google Ads Involved?

Cybercriminals are using Google Ads, which are supposed to be vetted, to trick users. They create ads for software downloads that look completely legitimate, but the download actually leads to malware. They’re basically leveraging Google’s reputation to fool you.

Can I Avoid Malvertising?

Yes! Here are a few tips:

  1. Avoid Clicking on Ads: If you need to download software, go directly to the official website.
  2. Install Browser Security Tools: Tools like Malwarebytes Browser Guard can block these types of malicious ads before you even see them.
  3. Always Double-Check URLs: It takes an extra second, but verifying that the URL looks exactly right can save you hours of misery.

Why Isn’t Google Doing More About This?

Great question! Google is doing a lot—but not enough. Ads are taken down when reported, but by that time, the damage may already be done. The platform still struggles with properly verifying advertisers, and that’s where the loopholes are being exploited.

Conclusion: Keep Calm, But Stop Clicking Ads

This whole malvertising mess is yet another reminder that nothing is sacred on the internet. Not even Google Ads, which most of us have blindly trusted for years. The next time you see a shiny ad at the top of your search, think twice before clicking. Or better yet, just scroll down a little to find the real link. Remember, those few seconds of caution could make all the difference between a smooth workday and a cybersecurity nightmare—like losing access to your accounts or having sensitive information stolen.

Want to stay in the loop with the latest in cybersecurity threats (and learn how to outsmart them)? Subscribe to Guardians of Cyber today. Let’s keep the bad guys out together!
