Hackers are using Punycode to create authentic-looking URLs in Google ads

Cal Jeffrey

In context: Google's search ads are already deceptive enough. Sure, they are marked with a "sponsored" indicator, but they still appear as a legit search result that could trick the inattentive into clicking an ad when they only wanted information. What makes matters worse is that bad actors have figured out multiple ways to abuse these faux search results to scam people.

A common tactic for getting people to download and install malware is to trick them into clicking a search ad disguised as the legit company that makes the desired software. Malwarebytes reports that attackers now use Punycode in Google Ads to make their URLs look even more authentic.

This tactic is called a "homograph attack" because it uses Unicode characters of non-Latin scripts, like Cyrillic, Arabic, Greek, Chinese, and others, to create a cloned URL that leads to a scam website. Malwarebytes points to a recently found malicious Google ad for the KeePass password manager as an example.

Previously, attackers would use subdomains and extensions similar to the site they were mimicking to trick users into clicking, but these are pretty easy to spot. However, by registering a Unicode lookalike domain, which is encoded in Punycode for DNS, bad actors can create an address that looks completely authentic.

As you can see in the image above, the bogus URL looks identical to the authentic one below it. This trick is sneaky enough to fool the most attentive and tech-savvy users. The only giveaway appears after clicking the bogus ad and going to the malicious website. Once there, the browser's address bar will show the address in Unicode, giving the ruse away. Unfortunately, unless the user knows it could be a scam, most won't even look at the address bar, especially when the website that appears is nearly identical to the software company's.

However, even looking at the Unicode address in the browser, users could still miss the subtle visual cue if they aren't looking carefully. Notice in the image below how the only difference between the legit address on the left and the bogus one on the right is the tiny symbol under the 'k.' Users could easily miss this sign or dismiss it as a speck on their monitor.
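Added example, not from the article or from Malwarebytes: a small Python check a defender could run over ad landing domains. It decodes the Punycode (xn--) form back to the Unicode the address bar shows, flags labels that mix scripts, and folds each label to its visual "skeleton" so that a single-script lookalike such as the accented-k KeePass case still matches a watched brand label. The watch list, the confusables subset and the lookalike domain "ķeepass.info" are all constructed for the example.

```python
import unicodedata

# Constructed watch list of brand labels to protect (assumption, not from the article).
WATCHED_LABELS = {"keepass", "google"}

# Tiny constructed subset of Unicode confusables: Cyrillic letters that render like
# Latin ones. The real table (Unicode TR39) is far larger; this is only a sample.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def to_ascii(host: str) -> str:
    """Encode a Unicode hostname to the xn-- form DNS uses (stdlib idna codec)."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Decode an xn-- hostname back to the form the browser's address bar shows."""
    return host.encode("ascii").decode("idna")


def scripts_of(label: str) -> set:
    """Script names (first word of the Unicode character name) of letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Fold a label to what it looks like: drop combining marks, map confusables."""
    decomposed = unicodedata.normalize("NFKD", label)  # k-with-cedilla -> k + cedilla
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)


def analyze(host: str) -> dict:
    """Flag labels that mix scripts or that visually collapse onto a watched label."""
    uni = to_unicode(host) if host.isascii() and "xn--" in host.lower() else host
    findings = []
    for label in uni.split("."):
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in '{label}': {sorted(scripts)}")
        # A single-script lookalike (the KeePass case: same Latin script, one accented k)
        # passes the mixed-script test, so also compare the folded appearance.
        if not label.isascii() and skeleton(label) in WATCHED_LABELS:
            findings.append(f"'{label}' looks like watched label '{skeleton(label)}'")
    return {"ascii": to_ascii(uni), "unicode": uni,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed lookalike: Latin k with cedilla (U+0137) in place of 'k'.
    print(analyze(to_ascii("\u0137eepass.info")))
```

The mixed-script rule alone is what many browsers rely on to decide whether to show Unicode or Punycode, which is why the all-Latin accented-k variant needs the skeleton comparison as well.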

Homograph attacks have been around for a while, but this is the first time Malwarebytes has seen them used in conjunction with Google ads. Unfortunately, there's no simple fix, especially if attackers use other techniques to make their fake sites seem real.

Your best bet is to avoid clicking search result ads when looking for software. It's best to go directly to the company's website and look for the software straight from the source or use a trusted mirror like TechSpot Downloads. We authenticate all our downloads, scanning the software locally and through VirusTotal to ensure they are malware-free.

Bottom line: Avoid clicking ads in Google search results. We have issued similar warnings that they can't be trusted. At the least, you are handing Google your ad preferences to add to your existing (and likely extensive) advertising profile. At worst, you could land on a website that means to do you harm. Until Google figures out a way to prevent bad actors from abusing its ad platform, there is really no legitimate reason to click on their ads.


 
All the more reason it is morally right to block ads.
I was just thinking, "and google wants us to disable adblocker on YouTube why?"

At this point, choosing between "Disable your adblocker or stop using our services" is pretty obvious. Google and its services have become a liability without an adblocker.

As a side note, I was talking with someone who works in data analytics for a marketing company. They said that Google sells your data multiple times to multiple data brokers and our data is worth about $2000 a year. They went on to explain to me that simply using social networks and free services generates a combined $2000-5000 a year for various companies.

These companies collect our data, data brokers buy it from them and combine it in a way that it can be packaged and sold to marketing companies. Then the marketing companies (ironically, using the data they bought to see which businesses don't have access to this kind of data) use that data to target customers for companies.

Some of what he talked about goes into conspiracy theory territory, but they use the data to build a sort of neural profile that's surprisingly accurate. He went on to explain that this is why many people feel like they're seeing ads for things they never searched for or that their phone is listening to them. He also said some of the location-based tracking that we allow on our phones is so accurate that it can tell what aisle you're in at a Target or Walmart and send you ads based on products you spent the most time around.

I have a hard time believing it, but I don't have a better explanation for it.
 
This is news from like 15-20 years ago, when punycode support was first implemented in major browsers. What has changed now that it got newsworthy again?
 
All the more reason it is morally right to block ads.
That's like saying that because you've been mugged once on the street it is morally right to steal from the store. One literally has nothing to do with the other. By blocking ads you're harming those who did nothing wrong to you, and not those who'd want to do bad things to you.

Of course we both know this is just a bad attempt at looking for an excuse for a morally bad thing you'd do anyway.
 
This is news from like 15-20 years ago, when punycode support was first implemented in major browsers. What has changed now that it got newsworthy again?
Dementia for us older ones, plus some of us were only born a few years ago.

I didn't know to look for that K or punycode specifically; I would naturally pick up French, German accents - yes, most of us know - misspellings, wrong endings etc.
This is ultimately a search engine problem - in this case Google - to protect the populace.


 
That's like saying that because you've been mugged once on the street it is morally right to steal from the store. One literally has nothing to do with the other. By blocking ads you're harming those who did nothing wrong to you, and not those who'd want to do bad things to you.
Ummm.....no. That's a terrible comparison.

By blocking ads I am protecting myself from malicious links that are spread by the multi-billion-dollar ad company (that makes thousands selling your personal data over and over) that can't secure its own platform, links which can spread malware that can compromise your PC and steal your data. (Ad networks are the #1 vector for infection today, BTW.)

It'd be more apt to say "look, I know one woman at the brothel has syphilis, but that doesn't mean they ALL do, and if you wear a condom you're depriving them of pleasure! Plus, you're not protecting yourself from the infected one anyway," which is still hilariously dumb, but at least is more apt to your argument, wrong as it is.

Of course we both know this is just a bad attempt at looking for an excuse for a morally bad thing you'd do anyway.
OH, WON'T SOMEONE THINK OF THE POOR MEGACORP!

Pro tip, /r/bootlicking is that way ---->
 
Ummm.....no. That's a terrible comparison.
So, obviously you don't know what a comparison is. I guess you meant "parallel" anyway, but that wasn't it either. Instead it's simply a fact that by blocking ads indiscriminately you're harming the people who create the content you consume. Not the megacorps, because they are not the creators, and they're not the ones who invested vast amounts of money and time into creating all the content. Google, Facebook, etc. make more and more money every year, while small publishers crumble and go out of business en masse.

So, by blocking ads you're actually just helping the megacorps get even bigger, while driving out small businesses and honest people. In short, you're doing the exact opposite of what you supposedly want.

Then again, we all know you just want to have everything your way (at least in this regard, because you're at the mercy of others in every other regard) and not have to think. And that's exactly what megacorps take advantage of and thrive on. The sheer shortsightedness of Average Joes.

The fact that blocking ads will not protect you from malicious links, because, you know, links also exist outside of ads, and actually most links exist outside of ads, or because ads can't do anything that regular web pages couldn't do anyway, is really just the icing on the cake. However, it again makes obvious how futile and counter-productive ad blocking is, which in the end achieves nothing or just the exact opposite of what's intended by the clueless masses.
 