Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/1/2016
12:01 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Google Adwords Malvertising Campaign Targets Apple Macs

Cheeky attackers make their lure an ad for Google Chrome.

Apple Mac owners using the Google search engine may have been infected via malicious ads at the tip-top of their search results last week after attackers launched a malvertising campaign against Google Adwords. In an act of gumption or plain cheek, the attackers' malicious lure of choice was a phony ad for one of Google's own products, Google Chrome.

"I didn't think anyone had the guts to squat on Google's own page," says Cylance security researcher Jeffrey Tang, who discovered the attack while seeking a Chrome downloader for his girlfriend.

Similar to a campaign discovered by Malwarebytes last year, the malvertisers in this attack legitimately paid to bid on popular keywords to so that their ads would appear at the top of the search engine results page when those keywords were used. The campaign found last year used "youtube." This one used the words "google chrome."

Tang did the search, saw the ad for Chrome, and clicked on it - which he confesses was "mindless," but he "had no indication there was something strange." 

The ad itself showed a display URL of www.google.com/chrome. The URL displayed in the lower right-hand corner when scrolling over the link showed the same "legitimate-looking display URL."

Yet, as Tang describes in a blog today: "clicking on the ad takes a user to www(dot)entrack(dot)space and then redirects the user to googlechromelive(dot)com – a page offering a free download of Google Chrome." 

Tang spotted this as "totally not a legitimate page." He found a safe place to download Chrome for his girlfriend, then did more digging.

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

 

The "Chrome" download link will redirect Windows users to a page that delivers an error message that claims there is a DNS failure. Mac users, however, are redirected through a variety of other domains and ultimately infected with a malicious installer for OSX: OSX/InstallMiez, a.k.a. OSX/InstallCore. As Tang explains on his blog today:

"...the malicious download link redirects macOS users through ttb(dot)mysofteir(dot)com, servextrx(dot)com, and www(dot)bundlesconceptssend(dot)com then ultimately downloads a malicious file named FLVPlayer.dmg. The malware hash changes on each download, making it difficult to detect and track.

... Once the installation [of FLV Player] is completed, the browser is redirected to a scareware page at ic-dc(dot)guardtowerstag(dot)com. Clicking on the link takes the user to macpurifier(dot)com – a potentially unwanted program (PUP) claiming to cleanup OS X computers."

Tang describes the attackers as middlemen, installing someone else's malware and paid per install. The fact that the malvertisers have targeted Mac is a sign that attackers have recognized Apple's market share is growing, Tang notes.

But it's also possible that the campaign could have been planned for PCs as well. The fact that Windows users are redirected to a page that returns an error message could mean "either there's a misconfiguration or it's not set up yet," he says. "I'd like to think they're equal opportunity malvertisers," he added, wryly. 

The campaign might have been stopped from the beginning, however, if there had been a more rigorous verification process when creating the ad. If Google AdWords and other ad networks verified that an ad re-directed to the same URL it displayed, it could prevent malvertising threats like this. 

He acknowledges that there is a massive scalability challenge if ad networks need to do this verification with a manual process, but says that he thinks it's "ridiculous" that at least the primary domain isn't matched. 

"It blows my mind," says Tang, "that here we are, it's 2016, and we're still allowing this mischievous behavior."

Related Content:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32693
PUBLISHED: 2021-06-17
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the fir...
CVE-2021-32424
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page it could allow for a complete takeover of the router.
CVE-2021-32426
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command.
CVE-2021-32694
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device is possible to crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
CVE-2021-32695
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose t...