Google ads lead to major malvertising campaign

Google ads lead to major malvertising campaign

Fraudsters have long been leveraging the shady corners of the internet to place malicious adverts, leading users to various scams. However, every now and again we see a campaign that goes mainstream and targets some of the world’s top brands.

Case in point, we recently uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams. Unsuspecting users searching for popular keywords will click an advert and their browser will get hijacked with fake warnings urging them to call rogue Microsoft agents for support.

What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar.

Hijacking traffic from on a specific user flow

The threat actors are abusing Google’s ad network by purchasing ad space for popular keywords and their associated typos. A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result).

Let’s say you want to load YouTube and type ‘youtube’ instead of entering the full address ‘youtube.com’ in the browser’s address bar. The first result that appears shows ‘www.youtube.com’ so you are likely to trust it and click on it:

Hijacking traffic in such a way is a clever and likely profitable scheme outlining some of the issues and abuses associated with the placement of ads versus organic search results.

The top searches we have seen for malware-laden ads in this campaign are:

  • youtube
  • facebook
  • amazon
  • walmart

Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them.

Cloaking and other violations

The technique used to divert traffic for malicious purposes is known as cloaking and is based on two prerequisites:

  • User looks fake (non residential IP address, wrong user-agent string or simply a crawler)
    • A redirect to the requested website will take place
  • User looks legitimate
    • A redirect to a different site and different content happens

As per Google, “Cloaking is considered a violation of Google’s Webmaster Guidelines because it provides our users with different results than they expected.” Again, based on Google’s policy violation a buyer that uses a creative (ad) containing malware can be suspended for a minimum of three months.

Traffic and redirects

There is a short chain of redirects leading to the browser locker. In this section we will take apart another malicious ad for Facebook this time. The ad is of course quite misleading as there is nothing that indicates that clicking on it would redirect anywhere else but to the requested website. Note how it appears before the top organic search result, guaranteeing a higher click rate.

The redirection mechanism is engineered in such a way that static analysis of the HTML code is difficult and does not give away the browser locker URL easily.

First redirect

This page determines whether to load decoy content (in this case the legitimate Facebook website) or a secondary script on the same attacker-controlled infrastructure.

Second redirect

This is where the browser locker URL is found and we can see that the threat actors don’t actually want to make a formal redirect but instead are loading it within an iframe.

When the page is rendered, the main address bar still shows the .com (cloaking domain) while the content is actually loaded from an iframe (100% width and height) from a disposable CloudFront URL.

Multiple cloud platforms affected

Below are examples of malvertising chains we have observed using slightly different variations but that we believe are related to the same threat actor. They used a clever approach by adopting different flows for the cloaking and browser locker such that detecting and taking down one would not impact the overall campaign.

Specifically, we see the threat actor using more expensive domains mixed with disposable domains on shady TLDs. For infrastructure, again they diversified between paid VPS on hosting companies and free cloud providers (PaaS).

Traffic flow – case 1 : throwaway domains

  1. Google search: google.com/search?q=walmart&{…}
  2. DoubleClick ad network: ad.doubleclick.net/ddm/clk/{…}
  3. Cloaking domain: ssgvbcxcc[.]ga/?url=https://www.walmart.com/ip/{…}
  4. Browser locker: prolesscodenet856[.]ml/erxczzxEr0rgdxvngEr0hjhvhhxEr0cbchk0252infoyxZdzc

Traffic flow – case 2: IP address

  1. Google search: google.com/search?q=walmart&{…}
  2. Ad platform: clickserve.dartsearch.net/link/click?_v={…}
  3. Cloaking domain: gettouy[.]org/t2/?url=https://www.walmart.com/ip/{…}
  4. Browser locker: 159.203.183[.]136/windowsecurity/

Traffic flow – case 3: Digital Ocean PaaS

  1. Google search: google.com/search?q=facebook&{…}
  2. Ad platform: clickserve.dartsearch.net/link/click?_v={…}
  3. Cloaking domain: playcrpm[.]com/?url=https://www.facebook.com/f{…}
  4. Browser locker: starfish-app-irxap.ondigitalocean[.]app/{…}&number=1-866-896-0189{…}

Traffic flow – case 4: Azure cloud

  1. Google search: google.com/search?q=zillow&{…}
  2. Ad platform: clickserve.dartsearch.net/link/click?_v={…}
  3. Cloaking domain: vlt[.]me/.2zqd4/?url=https://www.zillow.com/?url={…}
  4. Browser locker: wdq23r2fdadqwdqwdfwedadasasd.azurewebsites[.]net/fC0deJdfd008f0d0CH888Err0r80dBG88/index.html

Reporting and protection

As far as we can tell, these different campaigns have been going on for several weeks already. Although we don’t have statistics to figure out how many people were exposed, we can infer that the number was high based on a couple of factors:

  • The ads target popular keywords (which also indicates that the threat actors are not opposed to paying a premium)
  • We were able to replay the malvertising chains in our lab multiple times (live replays of malvertising on high profile sites is usually difficult)

We reported the malicious ads and flagged them under the “An ad/listing violates other Google Ads policies” category.

We also shared and are currently sharing the cloaking domains infrastructure with relevant parties. The browlock domains themselves have such a short lifespan that it is practically useless to act upon them.

Meanwhile, Malwarebytes users were already protected against this campaign. Users can also turn on the gTLD domains block in the settings for our Browser Guard browser extension.

Indicators of Compromise

eauxedrill[.]com
shopmealy[.]com
aeowqpeqwpa924[.]ga
ejdcvvdhsjdj[.]ml
feopqwoeqw245[.]ga
iowqepwoqe425[.]ga
rasteringfileweb539[.]ga
rsgdkffvsjkoavd[.]ml
ssgvbcxcc[.]ga
gettouy[.]org
getcdprm[.]org
playcrpm[.]com
monhomedecore[.]com
allnewz[.]site
vlt[.]me
youtubelinktrack[.]live
morth[.]buzz
abhihomeabh[.]com
kalarahulshet[.]com
tevarsingh[.]com
bhtl[.]digital
cduitiek[.]tk

ABOUT THE AUTHOR