Careful before clicking that Google Ad: The rise of malvertising
Cybercriminals are always looking for new ways to target unsuspecting people, and they are increasingly relying on Google Ads to run their campaigns. AWS customers were the latest target after security researchers discovered a malvertising campaign attempting to steal cloud credentials.
Researchers from security firm SentinelOne flagged a fake AWS ad on Google that was trying to trick users into revealing their AWS login credentials. The ad ranked second, directly behind the official AWS site, and the fact that these malvertising campaigns appear at the top of search results is what makes them so dangerous.
To slip past Google's ad-fraud detection tools and further trick users, the cybercriminals routed the ad through redirects. On the first click you would be taken to a blog, which then redirected you to a phishing site resembling the official AWS site.
“The ad itself goes to a hop domain, which is an actor-controlled blogger website. This first hop then redirects to the actual credentials phishing page hosted on a second domain,” said Tom Hegel, a senior threat researcher at SentinelOne.
“After the victim submits their credentials, a final redirect sends the victim to the legitimate AWS login page. The redirect represents an effort to evade detection by cautious users, but more importantly to evade automated detection of the phishing websites and malicious ads by monitors,” he added.
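The chain Hegel describes (ad click, actor-controlled hop domain, credential page, bounce to the legitimate login) leaves a recognisable trace in web-proxy logs. The Python below is an added example, not code from the article or from SentinelOne; its log format, hostnames and the ad-click URL pattern are constructed for illustration.

```python
import re
from urllib.parse import urlparse
# Constructed proxy log (hypothetical hosts): time client method url status location
LOG = """\
10:00:01 10.0.0.5 GET https://www.google.com/aclk?sa=L&ai=abc 302 https://ops-notes.blogspot.example/
10:00:02 10.0.0.5 GET https://ops-notes.blogspot.example/ 302 https://aws-amazon-console.example/login
10:00:03 10.0.0.5 GET https://aws-amazon-console.example/login 200 -
10:00:20 10.0.0.5 POST https://aws-amazon-console.example/login 302 https://signin.aws.amazon.com/signin
10:00:21 10.0.0.5 GET https://signin.aws.amazon.com/signin 200 -
10:05:00 10.0.0.9 GET https://www.google.com/aclk?sa=L&ai=def 302 https://aws.amazon.com/console/
10:05:01 10.0.0.9 GET https://aws.amazon.com/console/ 200 -
"""
AD_CLICK = re.compile(r"^https?://(www\.)?google\.[a-z.]+/aclk")  # assumed ad click-through URL shape
REDIRECT = {301, 302, 303, 307, 308}

def host(url): return (urlparse(url).hostname or "").lower()
def is_legit_aws(h): return h == "amazon.com" or h.endswith((".amazon.com", ".amazonaws.com"))
def is_lookalike(h): return ("aws" in h or "amazon" in h) and not is_legit_aws(h)

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, client, method, url, status, loc = line.split()
        rows.append(dict(ts=ts, client=client, method=method, url=url,
                         status=int(status), location=None if loc == "-" else loc))
    return rows

def find_hop_chains(rows):
    """From each ad click, walk that client's later requests until the real AWS host is reached.
    Flag when a lookalike host received a POST and then redirected the browser to the legitimate site."""
    findings = []
    for i, start in enumerate(rows):
        if not AD_CLICK.match(start["url"]):
            continue
        hops, lookalike, posted, bounced, prev = [], None, False, False, start
        for r in rows[i + 1:]:
            if r["client"] != start["client"]:
                continue
            h = host(r["url"])
            if is_legit_aws(h):  # walk ends when the browser lands on the real AWS host
                bounced = (prev["status"] in REDIRECT and prev["location"] == r["url"]
                           and is_lookalike(host(prev["url"])))
                break
            if is_lookalike(h):
                lookalike, posted = h, posted or r["method"] == "POST"
            else:
                hops.append(h)  # intermediate hop domain between the ad and the lookalike
            prev = r
        if lookalike and posted and bounced:
            findings.append(dict(client=start["client"], hops=hops, lookalike=lookalike))
    return findings
```

The second client's click goes straight to the genuine AWS host and is not flagged; the first client's chain matches all three conditions.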
The threat actors' accounts have already been shut down after SentinelOne reported the phishing campaign to Cloudflare.
This is not the first time attackers have tried to trick AWS users, and SentinelOne believes there is a relationship between the recent campaign and previous phishing attempts.
The researchers recently reviewed multiple AWS phishing sites and noted several similarities.
“Several characteristics unique to the phishing pages are noteworthy, including the layout, design, and efforts to hinder analysis as well as the developers’ spoken language,” Hegel said.
Just last month, Bitwarden users also reported that malicious Google ads were being used to redirect customers to sites containing malware.
And just a few days before that, a cryptocurrency influencer lost access to their NFT wallet and Substack account through a malvertising campaign targeting the OBS streaming platform.
This has led to a public outcry, with users questioning Google's efforts to tackle the issue. “The ease with which these attacks can be launched, combined with the large and diverse audience that Google ads can reach, makes them a particularly potent threat,” researchers from SentinelOne said, adding that it was a serious threat not just to average users but to network and cloud administrators.
Whether or not Google takes corrective action remains to be seen. In the meantime, you may want to be more careful before clicking that Google Ad.