Hackers are once again leveraging Google Ads to spread malware, with a new campaign targeting macOS and Linux users through a fake Homebrew website. The campaign utilizes a fake URL, “brewe.sh,” designed to deceive even the most experienced users by appearing to link to the legitimate Homebrew project. When users visit this site, they are prompted to execute a command that appears to install Homebrew, but instead, it installs the AmosStealer malware. This malware is an infostealer that specifically targets over 50 cryptocurrency extensions and web browser data, stealing sensitive credentials and information.
The malicious Google ads redirect users to the fake website, which replicates the legitimate Homebrew installation page.
Once users execute the command on their system, the malware is downloaded and activated, allowing the hackers to access sensitive information. AmosStealer is known for its ability to harvest various types of valuable data, including stored passwords and cryptocurrency wallet information. The malware is offered as a subscription service to cybercriminals, further emphasizing the scale and sophistication of these attacks.
Security researcher JamesWT identified the malware in this campaign and highlighted its dangerous capabilities. Homebrew’s project leader, Mike McQuaid, has acknowledged the situation, expressing frustration over the recurring issue and criticizing Google for its failure to prevent such malicious activity in ads. McQuaid stated that although the ad was eventually taken down, the use of deceptive URLs continues to be a problem, with no reliable solution in sight. The Homebrew team has also expressed concern over the lack of action from Google to address these ongoing threats.
As the malicious ads have been removed, users remain at risk of similar campaigns through other deceptive domains. To protect themselves, Homebrew users are advised to be cautious when clicking on sponsored ads and to verify that they are visiting the legitimate Homebrew website. Additionally, users are encouraged to bookmark trusted sites to avoid falling victim to fraudulent ads in search results, ensuring that they only download software from verified and secure sources.