Google ads push fake Google Authenticator site installing malware
Information:
Google Ads, formerly known as Google AdWords, is an online advertising platform developed by Google that allows businesses to create and manage ads on Google Search and the Google Partner Network.
Google Authenticator is an application used for two-factor authentication (2FA), which makes online accounts more secure: in addition to your password, you must also enter a one-time code that the app generates at sign-in time.
Incident:
Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware. To make matters worse, threat actors have been able to create Google search ads that show legitimate domains, which adds a sense of trust to the advertisement.
In a new malvertising campaign found by Malwarebytes, threat actors created ads that display an advertisement for Google Authenticator when users search for the software in Google search.
What makes the ad more convincing is that it shows 'google.com' and "https://www.google.com" as the click URL, which clearly should not be allowed when a third party creates the advertisement.
Picture 1 Verified advertiser account
Malwarebytes noted that the advertiser's identity is verified by Google, another weakness in the ad platform that threat actors abuse. When asked how threat actors can take out ads impersonating legitimate companies, Google said that they evade detection by creating thousands of accounts simultaneously and by using text manipulation and cloaking to show reviewers and automated systems a different website from the one a regular visitor would see.
However, the company is increasing the scale of its automated systems and human reviewers to help detect and remove these malicious campaigns. These efforts allowed them to remove 3.4 billion ads, restrict over 5.7 billion ads, and suspend over 5.6 million advertiser accounts in 2023.
Fake Google Authenticator sites
Clicking on the fake Google Authenticator ad takes the visitor through a series of redirections to the landing page at "chromeweb-authenticators.com," which impersonates a genuine Google portal.
Clicking on the 'Download Authenticator' button on the fake sites triggers a download of a signed executable named "Authenticator.exe" [VirusTotal] hosted on GitHub.
Picture 2 The malicious site spreading DeerStealer
The valid code-signing signature gives the file credibility on Windows, potentially bypassing security solutions and allowing it to run on the victim's device without warnings. Note that a valid signature only proves the file has not been altered since it was signed by the holder of some code-signing certificate; it does not prove the publisher is Google. Before trusting a signed download, check that the signer's name matches the publisher you expect.
When the download is executed, it launches the DeerStealer information-stealing malware, which steals credentials, cookies, and other information stored in the web browser.
Picture 3 Valid signatures on different samples of the malware
Recommendation:
- When looking for software to download, avoid clicking on promoted (ad) results on Google Search.
- Use an ad blocker, or bookmark the official URLs of the software projects you regularly use.
- Before downloading a file, confirm that the URL you are on belongs to the project's official domain, not a lookalike.
- Always scan downloaded files with an up-to-date antivirus tool before executing them.
Security systems remain the important thing: keep monitoring them as usual.
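To make the third recommendation concrete, here is an added example (not code from the original article, Malwarebytes or Google) that checks the page a click actually lands on against an allowlist of official domains. It compares hostnames label by label rather than by substring, because the check a person does by eye ("does the address contain google.com?") accepts lookalikes such as www.google.com.evil.example and the userinfo trick https://www.google.com@evil.example/. The allowlist, the intermediate hop and every hostname other than chromeweb-authenticators.com are constructed assumptions.

```python
"""Check where a software-download click really lands.

Added example; not code from the original article, Malwarebytes or Google.
The allowlist and the sample redirect chains are constructed for illustration.
Only chromeweb-authenticators.com comes from the article; every other host
here is an assumption.
"""
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Registrable domains accepted as official for this download (assumption).
OFFICIAL_DOMAINS: Set[str] = {"google.com"}


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None.

    urlsplit().hostname strips userinfo and port, so the userinfo trick
    'https://www.google.com@evil.example/' yields 'evil.example'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_official(host: str, allow: Set[str] = OFFICIAL_DOMAINS) -> bool:
    """True if host equals, or is a subdomain of, an allowlisted domain.

    Matching is done on DNS labels: 'accounts.google.com' passes, while
    'google.com.evil.example' and 'notgoogle.com' do not.
    """
    labels = host.split(".")
    for domain in allow:
        dl = domain.lower().split(".")
        if len(labels) >= len(dl) and labels[-len(dl):] == dl:
            return True
    return False


def naive_check(url: str) -> bool:
    """The by-eye check 'does it contain google.com?'; kept only to show
    that it accepts the lookalike and userinfo tricks below."""
    return "google.com" in url


def classify_chain(chain: List[str]) -> Dict[str, object]:
    """Evaluate a redirect chain: chain[0] is the URL the ad displayed,
    chain[-1] is the page the browser ends up on.

    'deceptive' is the cloaking pattern from the article: the displayed
    host is official but the landing host is not.
    """
    displayed = hostname_of(chain[0])
    landing = hostname_of(chain[-1])
    displayed_ok = displayed is not None and is_official(displayed)
    landing_ok = landing is not None and is_official(landing)
    return {
        "displayed_host": displayed,
        "landing_host": landing,
        "landing_official": landing_ok,
        "deceptive": displayed_ok and not landing_ok,
    }


# Constructed sample chains (not real telemetry).
SAMPLE_CHAINS: Dict[str, List[str]] = {
    # The pattern from the article: ad shows google.com, click lands elsewhere.
    "malvertising": [
        "https://www.google.com/",
        "https://tracker.example/r?id=1",            # assumed intermediate hop
        "https://chromeweb-authenticators.com/",
    ],
    # A real Google subdomain is still official.
    "legit": ["https://www.google.com/", "https://accounts.google.com/signin"],
    # Lookalikes the substring check accepts but the label check rejects.
    "suffix_trick": ["https://www.google.com.evil.example/download"],
    "userinfo_trick": ["https://www.google.com@evil.example/download"],
}


if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        verdict = classify_chain(chain)
        print(f"{name:15} naive={naive_check(chain[-1])!s:5} {verdict}")
```

Run it and the "malvertising" chain is reported as deceptive (official display host, unofficial landing host), while both lookalike chains are accepted by naive_check but rejected by the label comparison. In a real browser you would feed it the actual redirect chain from the developer tools or proxy log rather than the constructed samples.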
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
References:
- https://insight.sosecure.co.th/news/public/news/detail/a170712f-27d2-4c1d-b5d6-aeac8b5f4435/th
- https://www.nasdaq.com/articles/fake-google-authenticator-ads-spread-deerstealer-malware
Weekly Interesting CVE
NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference
---|---|---|---|---|---|---|---|---|---
1 | CVE-2024-6431 | 27/07/2024 | 29/07/2024 | Media.net Ads Manager (WordPress plugin) | Remote Code Execution (RCE) | 9.9 | The Media.net Ads Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check in the 'sendMail' function in all versions up to, and including, 2.10.13. This makes it possible for authenticated attackers with subscriber-level and above permissions to upload arbitrary files to the affected site's server, which may make remote code execution possible. The vulnerability is only exploitable if anyone has ever logged in through the API. | Update the Media.net Ads Manager plugin to a release later than 2.10.13 | 
2 | CVE-2018-13379 | 24/07/2024 | 25/07/2024 | Fortinet FortiOS / FortiProxy | Path Traversal | 9.8 | An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. | Upgrade to FortiOS 6.0.5 or later (or the corresponding fixed release for the other affected FortiOS and FortiProxy branches), then reset SSL VPN user credentials, because the session file this flaw exposes contains plaintext credentials | 
3 | CVE-2024-38773 | 22/07/2024 | 29/07/2024 | Adrian Tobey FormLift for Infusionsoft Web Forms (WordPress plugin) | Blind SQL Injection | 9.8 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection. This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17. | Update to version 7.5.18 | 
4 | CVE-2024-0519 | 16/01/2024 | 26/07/2024 | Google Chrome | Out-of-bounds memory access | 8.8 | Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | Update to version 120.0.6099.224 or later | 
5 | CVE-2024-23296 | 05/03/2024 | 30/07/2024 | Apple iOS / iPadOS | Out-of-bounds write | 7.8 | A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. | Update to iOS 17.4 / iPadOS 17.4 | 
Malware News or Campaign IOC/IOA
No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation
---|---|---|---|---|---
1 | Gh0stGambit Campaign | 30/07/2024 | phishing, malware attack, ransomware | In this targeted attack campaign, the Gh0stGambit dropper delivers the Gh0st RAT to Windows users in China by spoofing the Google Chrome website to trick users into downloading a fake Chrome installer. The installed Gh0st RAT can delete files, take remote control of the machine, steal data, install the Mimikatz tool, enable the RDP protocol, erase Windows event logs, and wipe web browser data. The spoofed download site leads users to believe they are downloading safe software from a trusted source, which makes it easy for non-technical users to fall victim. | 
Ref: https://www.scmagazine.com/brief/novel-dropper-leveraged-for-gh0st-rat-deployment
09 August 2024