Cybercrime

Threat actor impersonates Google via fake ad for Authenticator

Posted: July 30, 2024 by Jérôme Segura

We have previously reported on the brand impersonation issue with Google ads: users who search for popular keywords are shown malicious ads that purport to be from an official vendor.

Not only does this trick innocent victims into downloading malware or losing their data to phishing sites, it also erodes trust in brands and by association in Google Search itself.

Today, we show yet another example of brand misuse, except that this one targets Google itself. If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer.

A similar distribution site and the same payload were previously discovered by sandbox maker AnyRun. In this blog post, we will reveal the missing piece at the top of the killchain, namely the Google ad that was involved in tricking users into visiting a decoy website.

Trust, but ‘verified’?

The core issue with brand impersonation comes from ads that appear as if they were from official sources and advertisers’ identities verified by Google. This was the case here with this ad for Authenticator:

The truth is Larry Marr has nothing to do with Google, and is likely a fake account. We can follow what happens when you click on the ad by monitoring web traffic. We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator.

Fake site leads to signed payload hosted on Github

The fraudulent site chromeweb-authenticators[.]com was registered via NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day as the ad was observed.

Looking at the site’s source code, we can see the code responsible for downloading Authenticator.exe from GitHub. Note the comments from the author in Russian:

Hosting the file on GitHub allows the threat actor to use a trusted cloud resource, unlikely to be blocked via conventional means. While GitHub is the de facto software repository, not all applications or scripts hosted on it are legitimate. In fact, anyone can create an account and upload files, which is exactly what the threat actor did under the username authe-gogle, creating the authgg repository that contains the malicious Authenticator.exe:

Looking at the file itself, we can see that it has been digitally signed by “Songyuan Meiying Electronic Products Co., Ltd.” just one day before, and the signature is still valid at the time of writing:

The malware, DeerStealer, is a kind of stealer that will grab and exfitrate your personal data via an attacker-controlled website hosted at vaniloin[.]fun.

Conclusion

Threat actors have been abusing Google ads as a way to trick users into visiting phishing and malware sites. Since the whole premise of these attacks relies on social engineering, it is absolutely critical to properly distinguish real advertisers from fake ones.

As we saw in this case, some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well.

We should note that Google Authenticator is a well-known and trusted multi factor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture. We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.

• List of companies of interest to you. For more information, click on the company name.

LNN Ptltr Travel Brands – Ring and 100	travelpayouts
The biggest Black Friday sale ever! You’ll love these great deals that have been carefully selected just for you.	hostinger
12% Cash Back for Black Friday	rakuten cash back
The #1 Most Powerful Business Suite with No Feature Restriction…. Without the High Costs	pabbly
Our Mission is to make you and the rest of the YouTube Community a happier, more productive bunch.	tubebuddy

A channel specialized in publishing all the winning groups ranked to 5 and presenting them to the dear viewer with all credibility and professionalism.

Top 5 Places to Visit in 2024

Where to go in 2024? There are many countries in the world where you can spend a quality vacation, have a good rest at the sea or walk every day in search of attractions. We have selected the most interesting travel destinations in 2024.

Elevate your culinary adventure with Michelin Guide dining in İstanbul, İzmir and Bodrum

Known for its rich culinary heritage and wealth of regional gastronomy highlights, Türkiye is a real treat for travelling gourmands. Its range of award-winning restaurants is testament to this, with more than 100 restaurants across three cities now recognised by the Michelin Guide 2024. From once-in-a-lifetime dining experiences in one and two-Michelin star venues, to memorable meals for less in Bib Gourmand-awarded eateries, and fantastic field-to-fork fare prepared by Michelin Green Star-awarded kitchens, a world of local culinary masters beckons.

Read on to discover the wealth of award-winning restaurants in İstanbul, İzmir and Bodrum, worth planning your entire trip around. As we say in Turkish: “Afiyet Olsun”.

Embark on a tasting tour de force in hip and happenin’ Istanbul

Set at the crossroads of two continents—Europe and Asia—İstanbul combines the best of both worlds in a tour de force of tasting opportunities. From “new Anatolian cuisine” on the rooftops of high-profile dining districts, like Beyoğlu, to boundary-pushing fusion with the cool crowd in the dining rooms of Etiler, and upscale field-to-table mezze with striking Bosphorus views in Ulus, the city’s sheer variety of top-rated restaurants are a sumptuous showcase of multicultural Turkish cuisine.

Splurge on a meal of a lifetime at Istanbul’s only 2 Michelin star-restaurant, Turk Faith Tutak, whose superb 8 or 12-course tasting menu is a labour of love for the Turkish terroir. Raise a glass to your trip over a meal of a lifetime at one of the city’s six 1-star Michelin restaurants—from upscale artisanal eats at Nicole, to meticulously-prepared sushi, sourced from the local waters at Sankai by Nagaya. And make every meal an occasion as you eat your way around the 14 Bib Gourmand-awarded eateries, chosen for their exceptional value and quality local ingredients. Whether it’s the fantastic Turkish breakfast at Cuma, tucked away in the trendy Çukurcuma district, or classical kebab with a twist on the scenic terrace of Tershane, it’s easy to see how the capital has earned its nickname as “the tasting room of the world.”

clice Her

1000A power bank.

• Get Code
• Zoro.com
• 2% Cash Back
• Take 15% off Heating & Cooling.

Specifications:

Model name: GigaToy Pump

Size (mm):5048

Material: ABS

First speed pressure (kpa): (kpa): (kpa)

First gear endurance (min):15 min

Second gear pressure (kpa): (kpa)

Second Endurance (min):25 min

Brightness/use time 40lm/20hrs, 200lm/10hrs, 400lm/2.5hrs

Waterproof grade: IPX4

Charging time (h): , (h)

Battery Capacity (mAh):, mAh

Output voltage:, V

Charging voltage: 5V/1A

Maximum power (W):, W W

Charging port: Tapy-C

Charging indicator light, the battery level is below, and the red light is always on.

The red light is always on when charging, and the green light is on when fully charged”

Package list:

1*Air pump

5*Different gas nozzles

1* Type C cable

1*Fabric bag

1*User’s manual

Get savings