Google’s advertising network has been found serving a malicious ad that might end up seeing users have their identity data (opens in new tab) and other sensitive intel stolen.
Hackers have reportedly managed to trick Google Ad Manager into serving a fake ad for popular photo editor GIMP, meaning those who wanted to download the program only ended up with a potent infostealer called Vidar.
Whenever a victim typed in “GIMP” or a similar keyword in Google’s search engine, they’d be presented, among other things, with an ad showing GIMP’s official website – GIMP.org. However, actually clicking on the ad would not send the victim to that particular domain, but rather to gilimp.org, or gimp.monster. There, they’d be offered to download a 700MB-large file, an overinflated executable that’s actually just 5MB in size – the Vidar infostealer.
Tricking the system
How this was possible is still not entirely certain. While some researchers think the threat actor used the IDN homograph technique to make the Cyrillic gіmp.org – typed as http://xn--gmp-jhd.org/, appear as gimp.org in the Latin alphabet, others are of the opinion that the trick is actually far less elaborate.
In fact, BleepingComputer reports that Google lets publishers create ads with two different URLs – one to serve to the viewers, and the other one where they’ll actually be taken. Allegedly, Google’s pretty strict with these things allowing, for example, only those that use the same domain. How, or why, the Ad Manager allowed this particular campaign to go live is unknown. Google is still silent on the matter, and we’ll update the article if the search giant decides to elaborate.
Vidar is a known infostealer capable of grabbing browser (opens in new tab) information (passwords, cookies, stored credit card information, and similar), cryptocurrency wallet information, Telegram credentials, file transfer application information, and plenty of other sensitive data.
Via. BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba