
Google-hosted malvertising leads to fake Keepass site that looks genuine – Ars Technica

by Norman Scott

Google Caught Hosting Convincing Malicious Ad

Google has been caught hosting a malicious ad convincing enough to fool even experienced, security-conscious users. The ad, styled as a promotion for the popular open-source password manager Keepass, was served through Google's own ad platform, which lent it an air of legitimacy. Clicking it took users to a website whose URL closely resembled that of the genuine Keepass site, completing the deception.

The fake website appears in the address bar as ķeepass[.]info, but the first character is not an ASCII "k": it is the Latin letter "ķ" (k with cedilla, U+0137). The domain actually registered is xn--eepass-vbb[.]info, the punycode (ASCII) encoding of that Unicode name, and it is associated with a malware family known as FakeBat. The convincing ad and the near-identical domain reinforce each other: users are first lured by a legitimate-looking Google ad and then reassured by a URL that reads as the real one.

Jérôme Segura, head of threat intelligence at security provider Malwarebytes, described the malvertising campaign in a recent blog post. He noted that users are deceived twice: first by the ad on Google and then by the lookalike website. The attackers have built a facade convincing enough to fool even cautious users.

Notably, Google's Ad Transparency Center shows that the ads were paid for by Digital Eagle, an advertiser whose identity Google had verified. That raises questions about how effective Google's ad vetting is at catching fraudulent ads before they are shown to users.

Punycode is the encoding that lets internationalized domain names exist at all: DNS labels may contain only ASCII letters, digits and hyphens, so a label containing other Unicode characters is encoded into an ASCII label prefixed with "xn--", and browsers decode it back to Unicode for display. The scam works because many Unicode letters are visually almost indistinguishable from ASCII ones, so the decoded form looks like the genuine name. The same technique has been used before; in one earlier case, scammers used Google ads to send users to a site that appeared almost identical to brave.com, where they were tricked into downloading a malicious version of the Brave browser.

Unfortunately, spotting malicious Google ads or punycode-encoded URLs is not easy. The imposter site looks legitimate, and because the lookalike is a real registered domain, typing the displayed name into any major browser simply loads the fake site. One way to verify a site is to ignore the ad and type the real address into a new browser tab by hand. Another is to inspect the TLS certificate: certificates name the domain in its ASCII "xn--" form, so a certificate issued to xn--eepass-vbb.info exposes the trick even when the address bar shows ķeepass.info. A valid certificate and padlock on their own prove nothing, however, since the attacker can obtain one for the domain they control. These checks are not foolproof, and they take time most users will not spend.
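The encoding and the check described above, as an added example that is not part of the original article or of Malwarebytes' research: it converts between the Unicode form of a hostname and its "xn--" punycode form using Python's standard codec, then flags IDN hostnames that fold down to a protected brand once diacritics are stripped. The brand list and the sample hostnames are constructed for this example; the only real identifiers are the two forms of the domain named in the article.

```python
"""Added example (not from the article): IDN punycode round-trip plus a
diacritic-folding lookalike check. Brand list and sample hostnames are
constructed for this example."""
import unicodedata
from typing import Optional

ACE_PREFIX = "xn--"  # RFC 5890 prefix that marks a punycode-encoded DNS label


def to_ascii(hostname: str) -> str:
    """Unicode form -> registrable ASCII form.

    'ķeepass.info' -> 'xn--eepass-vbb.info'. Labels that are already ASCII
    are passed through unchanged; only labels with non-ASCII code points are
    punycode-encoded and prefixed.
    """
    out = []
    for label in hostname.rstrip(".").lower().split("."):
        label = unicodedata.normalize("NFC", label)
        if label.isascii():
            out.append(label)
        else:
            # RFC 3492 punycode of the label, e.g. 'ķeepass' -> 'eepass-vbb'
            out.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(hostname: str) -> str:
    """ASCII form -> what the browser displays.

    'xn--eepass-vbb.info' -> 'ķeepass.info'.
    """
    out = []
    for label in hostname.rstrip(".").lower().split("."):
        if label.startswith(ACE_PREFIX):
            out.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def fold_diacritics(label: str) -> str:
    """Strip combining marks so that 'ķ' (U+0137) folds to plain 'k'.

    NFKD decomposes 'ķ' into 'k' + U+0327 (combining cedilla); dropping every
    character with a non-zero combining class leaves the base letter.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def lookalike_of(hostname: str, brands) -> Optional[str]:
    """Return the brand domain an IDN hostname impersonates, or None.

    Accepts either form of the name. Only IDN hostnames are considered: an
    all-ASCII name that is not itself a brand is an ordinary typosquat and is
    out of scope for this check.
    """
    unicode_form = to_unicode(hostname)
    if unicode_form.isascii():
        return None
    folded = ".".join(fold_diacritics(label) for label in unicode_form.split("."))
    return folded if folded in brands else None


if __name__ == "__main__":
    # Constructed brand list for the example; only keepass.info is taken from the article.
    protected = {"keepass.info", "example.org"}
    # Constructed sample input: the article's domain in both forms plus benign names.
    samples = ["xn--eepass-vbb.info", "ķeepass.info", "keepass.info",
               "bücher.example.org", "kee-pass.info"]
    for host in samples:
        verdict = lookalike_of(host, protected)
        print(f"{host:24} ascii={to_ascii(host):24} shown={to_unicode(host):20} "
              f"lookalike_of={verdict}")
```

A practical deployment would run `lookalike_of` over hostnames pulled from proxy or DNS logs with the organisation's own brand list; folding diacritics catches this campaign's trick but not confusables from other scripts (a Cyrillic "а" for a Latin "a", for instance), which need a confusables table or a per-label mixed-script check in addition.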

Google has not yet responded to inquiries about this incident. In the past, the company has said it removes fraudulent ads promptly once they are reported, but an ad from a verified advertiser reaching users in the first place raises questions about how well its detection and prevention measures work.

As attackers refine their tactics, users need to stay vigilant while browsing. Keeping up with current threats and following good security practice, such as navigating directly to a vendor's site rather than through a search ad and keeping software and security tools up to date, helps protect against scams like this one.
