MalwareTech Posted January 18

It seems like after Microsoft moved to limit Office Macros, there has been a resurgence in other techniques such as malvertising and ISO attachments. Recently there was a viral thread about some NFT dude getting hacked by a fake OBS (popular streaming software) ad that appeared above the real website in Google search results. A bunch of different people have done digging and found an insane number of malicious ads impersonating OBS, Audacity, and more.

Here is a list from https://raw.githubusercontent.com/CronUp/Malware-IOCs/main/2023-01-17_Arechclient2_GoogleAds

In some cases people have for 5+ malicious Ads in the same search, all of which rank higher than the real website. A lot seem to lead to redline stealer or other infostealers.

More info: https://www.bleepingcomputer.com/news/security/hackers-turn-to-google-search-ads-to-push-info-stealing-malware/

Stay safe out there and probably get an Adblocker!

ludiofines Posted January 18

Great list. Let me add it to my filter. On the other hand, it's insane how people are tired and do not really understand what they see in a search engine's results. The first entry they see in the result list, they click without hesitation. Every time I watch a friend browsing on his mobile I get chills when they click on "Sponsored Ads" links... 😭

CyberValken Posted January 19

I feel like there will eventually be some level of government investigations into this (which of course is its own level of a joke). The big tech companies have already faced scrutiny over the years. Allowing people to buy ads to boost malware seems like a huge blind spot in whatever processes they follow, which of course, leads down a rabbit hole of the role of money buying spotlight/visibility to share information (whether ‘good’ information or ‘bad’ information, etc.). The good news is the constant change up of delivery techniques will always keep me employed. ☠️

rylancole Posted January 19

Is this issue also seen on Bing and other search engines or are malvertisers just targeting Google for the large market share?

DrDisexon Posted January 22

On 1/19/2023 at 12:09 AM, MalwareTech said:

It seems like after Microsoft moved to limit Office Macros, there has been a resurgence in other techniques such as malvertising and iso attachments. Recently there was a viral thread about some NFT dude getting hacked by a fake OBS (popular streaming software) ad that appeared above the real website in Google search results. A bunch of different people have done digging and found an insane number of malicious ads impersonating OBS, Audacity, and more. Here is a list from https://raw.githubusercontent.com/CronUp/Malware-IOCs/main/2023-01-17_Arechclient2_GoogleAds In some cases people have for 5+ malicious Ads in the same search, all of which rank higher than the real website. A lot seem to lead to redline stealer or other infostealers. More info: https://www.bleepingcomputer.com/news/security/hackers-turn-to-google-search-ads-to-push-info-stealing-malware/ Stay safe out there and probably get an Adblocker!

I boycott Google Chrome

NeonPayload Posted January 23

As if you needed another reason to install ad-block.

DrDisexon Posted January 26

I heard recently OneNote documents are getting fired up

0xAEN Posted February 11

On 1/26/2023 at 2:21 PM, DrDisexon said:

I heard recently OneNote documents are getting fired up

Yeah, we've seen an increase in OneNote phishing attempts. Usually they hide the malicious link under a layer of picture, making you double click to open the link.