Posts: 830 +33
PSA: For many, Google is the most straightforward way to find specific software, but malicious actors have made this dangerous over the last few months. If you click on one of the top Google results (usually an ad, not a top result) after searching for specific popular programs, the link might lead to an impersonator delivering malware.
Googling programs like MSI Afterburner, Bitwarden, Grammarly, Blender, Gimp, Adobe Reader, Microsoft Teams, OBS, Slack, Thunderbird, and many others lately can bring up promoted search results controlled by hackers. Malvertising campaigns impersonating those brands have subverted Google Ads since at least December.
The top Google search results for software and other products tend to be advertisements that give Google customers ad clicks while taking users to relevant sites of interest. However, malicious impersonators found a way to bring targets to their malware from search results while evading Google's detection.
Guardio Labs notes that threat actors create harmless advertising sites to feature on Google Ads that redirect users to malicious websites. The fraudulent page looks identical to the software's official download site. The trick is that the redirect only occurs when human users click the ads. Crawlers, bots, Google's policy enforcers, or anyone else who directly enters the URL the ad displays will only see the harmless advertising site. Thus, the rogue sites are invisible to Google.
Furthermore, the malware payloads often don't download directly through the browser. Instead, they might hide in GitHub, Dropbox, or Discord to decrease the odds of antivirus programs catching them. Some of the malware from the false advertising will appear digitally signed from Microsoft, Acer, DigiCert, Sectigo, or AVG Technologies USA. They use a combination of these and other techniques to avoid detection.
The malware involved in these campaigns includes Formbook, IcedID, MetaStealer, and others. Last month, some users who searched for Bitwarden encountered sponsored Google links leading to phishing pages that tried to steal their master passwords.
What Google sees (top) versus what actually happens (bottom).
In December, the FBI warned users about Google malvertising, admitting that ad blockers are an effective but controversial solution. If you have to use a search engine to find a software download, avoid clicking on results with the word "ad" next to them.
Until Google Ads responds to the malvertising campaigns, users should find other ways to look for software. TechSpot readers should know that we offer safe downloads for many free programs like the ones mentioned in this article. Other tech sites do as well. The Wikipedia pages for programs also often include links to their official websites.