Hackers Impersonate Google on Ads to Distribute Malware: How the Scam Works
Hackers are taking advantage of Google Ads to impersonate Google and deceive users into downloading malware disguised as the Google Authenticator. These malicious ads, which appear to be verified by Google, are part of a growing trend of brand impersonation on the platform.
According to a report by Malwarebytes Labs, innocent victims searching for the Google Authenticator may unknowingly install malware on their devices. The scam works by presenting fake ads that mimic official sources, with verified advertiser identities. In one example, the ad for the Google Authenticator displayed the official Google website and a legitimate description, but the advertiser, “Larry Marr,” was found to be fake.
Upon clicking the ad, users are redirected through multiple intermediary domains controlled by the attacker, eventually landing on a fake Authenticator site. The fraudulent site then prompts users to download a file named Authenticator.exe from GitHub, signed by an unknown company, Songyuan Meiying Electronic Products Co., Ltd.
The downloaded file contains DeerStealer malware, designed to steal personal data from the victim’s computer. The threat actor utilized GitHub as a trusted cloud resource to host the malware, exploiting the platform’s credibility. Malwarebytes Labs warns against downloading software from ads and recommends visiting official repositories directly.
This incident highlights the prevalence of scammers using verified status on Google Ads to deceive users. Similar scams have been reported on other platforms like Facebook. As cybersecurity threats continue to evolve, it is crucial for users to exercise caution and verify the legitimacy of sources before downloading any software.
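The chain described above (ad click, attacker-controlled intermediary domains, then an executable fetched from GitHub) can be hunted for in web proxy logs. The sketch below is an added example, not code from Malwarebytes Labs or from the original article; the log layout, the 120-second correlation window, and every host and path in the sample data are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
EXE_SUFFIXES = (".exe", ".msi")
WINDOW_SECONDS = 120  # assumed correlation window; tune it for your proxy data

# Constructed proxy records: (epoch seconds, client, URL). Hosts under
# example.* and the GitHub paths are placeholders, not indicators from the report.
SAMPLE_LOG = [
    (1000, "pc-01", "https://www.googleadservices.com/pagead/aclk?adurl=x"),
    (1001, "pc-01", "https://hop1.example.net/r?gclid=CONSTRUCTED"),
    (1002, "pc-01", "https://hop2.example.org/go"),
    (1003, "pc-01", "https://fake-authenticator.example.com/"),
    (1030, "pc-01", "https://github.com/placeholder/repo/releases/download/v1/Authenticator.exe"),
    (2000, "pc-02", "https://github.com/placeholder/tool/releases/download/v2/tool.exe"),
    (3000, "pc-03", "https://shop.example.com/?gclid=CONSTRUCTED"),
    (3500, "pc-03", "https://github.com/placeholder/tool/releases/download/v2/tool.exe"),
]

def is_ad_click(url):
    parts = urlparse(url)
    return parts.hostname == "www.googleadservices.com" or "gclid" in parse_qs(parts.query)

def is_github_executable(url):
    parts = urlparse(url)
    return parts.hostname in GITHUB_HOSTS and parts.path.lower().endswith(EXE_SUFFIXES)

def find_ad_to_exe_chains(records, window=WINDOW_SECONDS):
    """Flag executable downloads from GitHub that follow an ad click by the
    same client within `window` seconds, listing the hosts visited between."""
    state = {}      # client -> (ad click time, ad click URL, [hosts seen since])
    findings = []
    for ts, client, url in sorted(records):
        if client in state and ts - state[client][0] > window:
            del state[client]          # chain went stale, stop correlating
        if is_github_executable(url):
            started = state.pop(client, None)
            if started:
                findings.append({"client": client, "ad_click": started[1],
                                 "hops": started[2], "download": url})
        elif is_ad_click(url) and client not in state:
            state[client] = (ts, url, [])   # a new chain starts at the first ad click
        elif client in state:
            host = urlparse(url).hostname
            if host not in state[client][2]:
                state[client][2].append(host)
    return findings
```

A hit is a lead for triage rather than a verdict: check the signer of the downloaded file and whether the repository belongs to the vendor the user was searching for.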