The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.
In today’s public service announcement, the federal law enforcement agency said threat actors purchase advertisements that impersonate legitimate businesses or services. These ads appear at the top of search result pages and link to sites that look identical to the impersonated company’s website.
“When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result,” warns the FBI.
“These advertisements link to a webpage that looks identical to the impersonated business’s official webpage.”
When searching for software, the FBI says advertisements will link to websites with a download link to software named after the impersonated application.
The FBI advisory also warns about ads promoting phishing sites that imitate finance platforms and, more specifically, cryptocurrency exchange platforms that invite visitors to enter their account credentials.
Once credentials are entered on these phishing sites, they are stolen by threat actors who use them to steal funds or sell them to other threat actors.
BleepingComputer recently helped reveal a massive typosquatting campaign using over 200 websites impersonating software projects, cryptocurrency exchanges, and wallet platforms to push Windows and Android malware.
Earlier in the year, a site impersonating the GIMP image editor used malvertising to drop the Vidar info stealer on its unsuspecting visitors.
While these advertisements looked like they were promoting the actual gimp.org website, as shown below, they redirected users to a different site pushing malware.
In another case from March 2022, operators of the Mars stealer abused Google Ads to promote a malicious Open Office lookalike site to distribute their malware.
More recently, the SANS ISC disclosed an AnyDesk malvertising campaign on Google Search that dropped IcedID malware instead of the popular remote desktop app.
How to protect yourself
The most crucial precaution when looking for something online is not to click on the first result that appears in the search results without checking its URL.
As the first few results for a given search term are usually promoted ads, it is safer to skip them and scroll down until you see the project’s official website in the organic search results, and use that instead.
“While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link,” warns the FBI.
Furthermore, even checking the link may not always help, as threat actors can create advertisements that display a legitimate URL but redirect users to cloned sites under the attacker’s control.
Another recommendation is to use ad-blockers, which filter out promoted results on Google Search.
If you visit a website frequently, it would be better to bookmark its URL and use that to access it instead of searching for it every time.
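The mismatch described above, where an ad shows a legitimate URL but lands somewhere else, is something a proxy or sandbox log can be checked for automatically. The following is an added example, not code from the FBI advisory or from BleepingComputer: it compares the registrable domain an ad displays with the domain the click actually lands on, using a constructed redirect chain; the hostnames ending in `.example` and the tiny public-suffix list are assumptions for illustration.

```python
from urllib.parse import urlparse

# Assumption: a minimal stand-in for a real public-suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the registrable domain of a URL, e.g. 'gimp.org' for https://www.gimp.org/."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_ad_landing(displayed_url: str, redirect_chain: list) -> dict:
    """Compare the domain an ad displays with where the click really ends up.

    redirect_chain is the ordered list of URLs visited after the click, as a
    proxy or sandbox would record them; the last entry is the landing page.
    Verdicts: 'ok' (same domain), 'lookalike' (landing domain reuses the brand
    label, e.g. gimp-downloads.example for gimp.org) or 'mismatch' (unrelated).
    """
    shown = registrable_domain(displayed_url)
    hops = [registrable_domain(u) for u in redirect_chain]
    landing = hops[-1] if hops else shown
    offsite = sorted({h for h in hops if h != shown})
    if landing == shown:
        return {"verdict": "ok", "displayed": shown, "landing": landing, "offsite_hops": offsite}
    brand = shown.split(".")[0]
    verdict = "lookalike" if brand and brand in landing else "mismatch"
    return {"verdict": verdict, "displayed": shown, "landing": landing, "offsite_hops": offsite}


if __name__ == "__main__":
    # Constructed sample: the ad text shows gimp.org, the click bounces through an
    # ad tracker and lands on a lookalike domain serving an installer.
    chain = ["https://track.example/click?id=1", "https://gimp-downloads.example/setup.exe"]
    print(check_ad_landing("https://www.gimp.org/downloads/", chain))
```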