2023-12-18

You search for something on Google, and the first, usually promoted, result clearly seems like the good one. And then you click on it. And then you get into trouble.

Cybersecurity experts at Malwarebytes have been warning about this for some time. They first detected the problem in fake advertisements for the Webex videoconferencing platform, and later revealed that this was only the beginning of a new cybersecurity threat that already has a name: malvertising.

The technique consists of publishing fake advertisements that impersonate companies and that the attackers manage to place as the first result thanks to the way Google Ads works.





Be careful with that sponsored result. It may take you to a website that looks legitimate, but is actually not. If you want to make sure, you can click on the three vertical dots that appear to the right of the URL under the result.





By doing so you can verify the identity of the advertiser. In this case it is Disney, so the advertisement and the result are legitimate.

According to the analysis of these experts, there are specialized services that allow these attacks to be successful and that serve to “infect” users with a new malware family called PikaBot, which began its activity at the beginning of 2023.

Although PikaBot was initially distributed through malicious email messages, it is now also distributed through malvertising. A cybersecurity researcher named Colin Cowie observed this problem with AnyDesk software ads a few days ago.





Malvertising campaigns turn theoretically legitimate promoted search results into a potential threat.

Malwarebytes quickly verified that the advertiser responsible for that campaign was not AnyDesk, but a fake identity called “Manca Marina.” Although the URL that appears under the result, “https://www.anydesk.com”, is the real one, the URL to which that ad led was very different. It did, however, copy the design of the official website.





Everything seems fine until you look at that URL. Something is wrong.

If you don't pay attention and click on the “Download Now” button, you download malware through an MSI installer which, according to Malwarebytes, was not even detected by VirusTotal. These experts explained the complex mechanism used to avoid detection, and although it is to be expected that these downloads will end up being detected by that and other antivirus platforms, the real problem is in Google Ads.

The firm explained how cyber attackers who use these techniques have managed to overcome Google's security controls through a legitimate marketing platform that allows them to redirect ads to special—and dangerous—domains through Cloudflare.
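The comparison described above, between the URL shown under the ad and the page the click actually opens, can be scripted over proxy or browser-history data. The following Python is an added example, not code from Malwarebytes or from the original article; the function names, the naive two-label domain rule and the `.example` hosts are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

INSTALLER_EXT = (".msi", ".exe", ".dmg", ".pkg")

def host(url):
    """Lower-cased hostname; ad display URLs are often shown without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def site(url):
    # Assumption: the last two labels approximate the registrable domain.
    # Real tooling should consult the Public Suffix List (co.uk, com.br, ...).
    return ".".join(host(url).split(".")[-2:])

def check_ad(display_url, redirect_chain, download_url=None):
    """Return (code, detail) findings for one ad click; [] means consistent."""
    findings = []
    shown = site(display_url)
    brand = shown.split(".")[0]
    # The last hop of the redirect chain is the page the user really lands on.
    landing = redirect_chain[-1] if redirect_chain else display_url
    if site(landing) != shown:
        findings.append(("landing-mismatch",
                         f"shown {shown}, landed on {site(landing)}"))
        # Brand name reused inside an unrelated domain is a lookalike signal.
        if brand and brand in host(landing):
            findings.append(("brand-in-foreign-host", host(landing)))
    if any(label.startswith("xn--") for label in host(landing).split(".")):
        findings.append(("punycode-host", host(landing)))
    if download_url:
        path = urlsplit(download_url).path.lower()
        if path.endswith(INSTALLER_EXT) and site(download_url) != shown:
            findings.append(("installer-off-site", host(download_url)))
    return findings

# Constructed sample clicks: the .example hosts are placeholders, not real IoCs.
SUSPICIOUS_CLICK = ("https://www.anydesk.com",
                    ["https://tracker.example/click?id=1",
                     "https://anydesk-download.example/"],
                    "https://files.example/AnyDesk.msi")
CONSISTENT_CLICK = ("www.anydesk.com",
                    ["https://anydesk.com/en/downloads"],
                    "https://download.anydesk.com/AnyDesk.msi")

if __name__ == "__main__":
    for click in (SUSPICIOUS_CLICK, CONSISTENT_CLICK):
        print(click[0], "->", check_ad(*click) or "no findings")
```

Intermediate redirect hops are not flagged on their own, since legitimate ads also pass through tracking domains; only the final landing page and the installer host are compared with the displayed URL.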

These incidents have already been reported to Google, but as Malwarebytes reveals, malvertising thus becomes a “powerful delivery vector [of malware] which does not require the user to visit a compromised website. Instead, threats take advantage of search engines and simply buy ads that they know their targets will be exposed to.”

For this company, a good solution is to offer applications only “through trusted repositories”, while other cybersecurity experts such as Will Dormann gave two pieces of advice. The first: never click on a Google Ads advertising link. The second: “use an adblocker. It's good safety hygiene. There's nothing to feel guilty about.”

At Xataka we have contacted Google to try to gather more information about these threats. We will update this article if we receive more details.

