Malware Delivered through Google Search
Criminals using Google search ads to deliver malware isn’t new, but Ars Technica declared that the problem has become much worse recently.
The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.
[…]
It’s clear that despite all the progress Google has made filtering malicious sites out of returned ads and search results over the past couple decades, criminals have found ways to strike back. These criminals excel at finding the latest techniques to counter the filtering. As soon as Google devises a way to block them, the criminals figure out new ways to circumvent those protections.
Austin • February 7, 2023 9:01 AM
Google has had this problem for ages. The only successful ransomware incidents at my company years back came from users clicking Google search ads for the website they were trying to get to. Users searched “amazon.com” trying to get to amazon.com and the first line was an ad for Amazon store but took you to a page running exploits. Thankfully it did not spread between machines. We reported it to Google 7 times in 2 days. Eventually chrome safe browsing blocked the page but the ad was still there for a few days.
Similarly, a friend’s business was robbed by a criminal after they had problems with quickbooks and searched google for quickbooks support. The first listing was an ad for with a phone number so they called. A “technician” immediately answered and began helping them. He had them start remote support and then started doing various exports and command line actions. He said he needed 2nd tier support and would contact them to schedule on the next business day. Four hours later, the bank called asking why they had emptied all their accounts. When I got involved, we could easily get the ad to come up again and reported it but it remained for 11 days.
It is rampant. We teach our users that they should never click advertisements in google search.