Cybersecurity experts have issued an urgent warning to Google users about an attack that could have obtained their personal information.
The hackers purchased sponsored ad space directly from the company, posing as the tech giant’s genuine Google Authenticator site that provides users with two-factor password security protection.
The scam campaign used what looked like a legitimate Google URL, but a closer look revealed terms the company would not normally include.
Users who downloaded the fraudulent link may have allowed hackers to access their bank account details, address and personal IP address.
Experts are now urging victims to Immediately download and run a virus scanner, change all passwords and delete all temporary files.
The hackers purchased sponsored advertising space directly from the company, posing as a genuine Google Authenticator site that provides users with two-factor password security protection.
The new ad campaign, discovered by anti-malware software firm Malwarebytes, featured a Google.com URL link that had previously been a sign of assurance that the site was legitimate.
Experts have previously advised users to only click on advertising links that have a Google domain, but hackers appear to have taken note of this advice by using text modifiers and cloaking technology to mimic official sites.
The malicious ad led users to download convincing authenticator clones that were installed by a malware distribution campaign called DeerStealer that claimed the developer, Larry Marr, was verified by Google.
“The truth is that Larry Marr has nothing to do with Google and is likely a fake account,” Malwarebytes researcher Jérôme Segura, who discovered the cyberattack, said in a statement. blog entry.
“We can track what happens when you click on the ad by tracking web traffic. We see a series of redirects through intermediary domains controlled by the attacker, before arriving at a fake Authenticator site.”
Users who searched for Google products in the browser saw the ad labeled as sponsored, prompting them to click on it without concern, according to Malwarebytes.
They were then redirected several times until they landed on a fake site hosted on the developer platform GitHub.
Researchers also discovered that after clicking the “download” button, users received a pop-up window called Authenticator.exe that downloaded the malware to their computer.
Google Authenticator offers multi-factor authentication services that add a second layer of protection to Google accounts by requiring a time-based one-time password in addition to the user’s regular password.
Nearly four million people have downloaded Google’s legitimate authentication service since October 2022, according to Statesman.
Google told DailyMail.com that threat actors, such as DeerStealer, created thousands of accounts to evade detection and simultaneously modified the URL and site text and used cloaking software to show Google reviewers different websites and information than users would see.
If the fraudulent authenticator was successfully downloaded, DeerStealer would have access to your sensitive information, including addresses, passwords, and banking information, and the victim’s identity theft and IP address.
“We have to keep in mind that Google Authenticator is a well-known and trusted multi-factor authentication tool, so it is ironic that potential victims are compromised while trying to improve their security posture,” Segura said.
‘We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.’
After clicking the “download” button, users received a pop-up window called Authenticator.exe that downloaded the malware onto their computer.
The malware was verified by Google reviewers, who did not flag it as a fraudulent link.
Google did not say when the malware was first published or how many people were affected.
The company told DailyMail.com that the sponsored authenticator link was removed on July 30 after anti-malware software company Malwarebytes notified them of the fraudulent activity.
“We prohibit ads that attempt to evade our rules by disguising the advertiser’s identity to deceive users and distribute malware,” a Google spokesperson said.
“When we identify ads that violate our policies, we remove them and suspend the associated advertiser’s account as quickly as possible, as we did in this case.”
However, those who downloaded the fraudulent link could still be at risk.
Google added that it is still investigating the issue and is in the process of increasing its automated systems and the number of human reviewers to help identify and remove malicious campaigns.
While it’s difficult to spot the differences between a DeerStealer link that convincingly claims to be a “Google-verified advertiser identity,” users should look for the suspicious URL, chromeweb-authenticators.com, which only appears right before downloading the Authenticator.exe file.
However, the only guaranteed way for users to protect themselves is to not click on any sponsored links and instead scroll down to find legitimate web sources.
