Google Dynamic Search Ads Abused to Unleash Malware 'Deluge'

A researcher has uncovered a new method of using vulnerable websites to deliver malicious, targeted ads to search engine users, capable of delivering a tsunami of malware that can overwhelm victims completely.

The key is "dynamic search ads," a feature in which Google uses the content of a website landing page to pair targeted ads with searches. In an Oct. 30 blog post, Jerome Segura, senior director of threat intelligence at Malwarebytes, described how an attacker used a fake software ad on a compromised website to take advantage of this feature, targeting search engine users.

And, remarkably, it all may have been by accident.

"I think the ad itself is really kind of accidental, in the way that it was created. The fact that I saw it [in a Google search], I don't think the threat actor planned it at all," Segura posits.

Malvertising With Dynamic Search Ads

"I didn't see the site first, I saw the ad first," Segura recalls. He was searching for common keywords used by hackers — often fake advertisements for office applications, remote monitoring software, and so on. In this case, the keyword was "PyCharm," the development environment for Python programming.

The search yielded the following, sponsored result:

Source: Malwarebytes

While the headline matched his search, the snippet seemed to be pulled from a wedding planning site. And through Google's Ads Transparency Center, it was clear that the site's other content all had to do with weddings, not Python.

"In most ads that I see for malicious software downloads, the content matches the title. So the threat actor actually goes through the effort of creating an ad from scratch: they use a compromised advertiser account, and they create the ad with a matching URL, a matching description, and all that wasn't the case here. So I thought: Why would somebody create a title that doesn't match the description?" Segura recalls.

It turned out that some pages within the neglected wedding planning site had been injected with spam-generating malware.

The malware rewrote these pages' titles and presented visitors with a malicious PyCharm serial key pop-up. To make matters worse, Google's dynamic ads feature picked up on the malicious content, which is how it got advertised to Segura.

Were an unwitting visitor to click on the PyCharm pop-up link, they would experience "a deluge of malware infections the like we have only seen on rare occasions, rendering the computer completely unusable," Segura explained in his blog. He speculated that the attacker may have been trying to monetize as many malware downloads as possible, for cybercrime commission payments.

Security for Small Business Websites, and Their Users

For hackers that want to take advantage of small- and midsize business' websites for their own ends, there is an untold trove of potential choices simply lying in wait.

The problem, Segura explains, is that "usually business owners don't create it themselves. They hire a Web agency to create the website for them at a particular time, and then the Web agency delivers the product, and then that's it. There's no follow up." Businesses might keep using the site, but without taking care of it on the backend.

"So what happens is, the core WordPress itself becomes out of date. And then any of the plugins that may have been used also become out-of-date. And out-of-date usually applies not just to features, but also security patches. And so those websites are just sitting ducks for anybody to crawl entire IP ranges, and then just mass compromise," he says.

Where businesses might lack the resources or wherewithal to maintain proper security, Segura thinks, Google could at least help search engine users avoid landing in traps, by flagging cases where targeted ads and website content diverge significantly.

"In this case a wedding website and an ad for a piece of software. I've seen another example that was pretty clear cut as well: for another piece of software, and the advertiser was a restaurant. That should be an immediate flag for Google, because it really does not match what the business does," he concludes.