Cybercriminals have increasingly targeted Google search ads to deliver malicious payloads, disguising their attacks through seemingly legitimate advertisements for well-known tools like Slack. This sophisticated tactic reflects the evolving strategies of threat actors who adeptly bypass security measures. Recent incidents have seen nearly 500 unique malvertising cases linked to Google search ads, often displaying similarities that suggest coordinated efforts by cybercriminals.
One notable attack involved a suspicious Slack ad that appeared at the top of Google search results. Although the ad initially seemed to direct users to Slack’s official website, a closer inspection revealed inconsistencies. The ad was promoting products targeted at the Asian market, which was out of context and raised suspicion, highlighting the importance of contextual detection to identify compromised advertiser accounts.
The attackers employed a “slow cooking” strategy, initially redirecting users to a legitimate Slack pricing page to avoid detection. Over time, the ad’s behavior shifted, redirecting users to a click tracker that led to a malicious domain. This domain, created shortly before the attack, hosted a page impersonating Slack and offered a malicious download link, employing cloaking techniques to evade detection.
The malicious download led to the installation of SecTopRAT, a remote access Trojan with stealer capabilities. Despite efforts by cybersecurity firms like Malwarebytes and Cloudflare to address the threat by enhancing detection and flagging phishing sites, the persistence and strategic planning of malvertisers continue to pose significant risks. Users are advised to exercise caution with ads and verify the legitimacy of websites before downloading files to protect against such evolving cyber threats.
Reference:
