There's an increasingly concerning phenomenon happening one the web right now, one that's seeing scammers buying up top ad spots on Google in order to spread malicious code. Often impersonating well known apps such as WhatsApp, they can blend seamlessly with harmless ads. Unless you know the exact URL of the app you're trying to download, you could find yourself downloading something harmful.
We've been watching phishing tactics evolve over the years, and while buying ads to impersonate free and open-source apps isn't a new method for would-be scammers, it seems to have increased along with the trend in NFT and cryptocurrency investments going on all over the internet.
When there's billion-dollar phish to be caught, you can bet they're baiting that area up good. Just this week, in fact, NFT God's 'entire digital livelihood' was drained after clicking an official-looking OBS link.
Even hardware manufacturers have been subject to this kind of mimicry, such as the fake AMD driver download link found on Google. A mirror EVGA site was spotted on Google late last year, too.
In looking into the happenings, Bleeping Computer found that a disturbing number of top Google ad positions have been taken up by phishing scams, and only some of them have actually been flagged by antivirus products.
Among them, a fake link for the bootable USB flash drive creation tool Rufus sits at the top of Google, rounded off with the word "pro" so as to make the link more attractive to potential victims. The link takes you to compressed file download, hidden behind a safe-looking file transfer service. This is known as a zip bomb, or decompression bomb, and is one of the more difficult to detect tactics.
Scammers have also been spotted using what's known as typosquatting, as in the case of "notepad-plus-plus.com" which is close enough to the expected URL that many don't suspect it as being malicious.
Other times, scammers will hide behind a seemingly legitimate tech company, as in the case of 7-ZIP, WinRAR, and VLC found on a malicious link-filled site impersonating an Indian web design company known as Zensoft Tech.
Windows 11 review: What we think of the new OS
How to install Windows 11: Safe and secure install
What you need to know before upgrading: Things to note before downloading the latest OS
Windows 11 TPM requirements: Microsoft's strict security policy
"Google uses its best efforts to review and validate the information provided by advertisers as part of these verification programs," says the company's verification terms, "but in doing so does not guarantee or assume responsibility for advertiser content or activity."
Google's own policy on abusing the ad network makes it clear that "Computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, diallers, spyware, rogue security software and other malicious programmes or apps" are not allowed to be linked through ads. This refers to both "ads and any software that your site or app either hosts or links to".
However, it also notes that "Violations of this policy won't lead to immediate account suspension without prior warning. A warning will be issued, at least seven days, prior to any suspension of your account." I suppose this is to give hacked sites a chance to get their URL back if they themselves have been made victims.
Among calls for social media companies to be held more accountable for the content posted on their sites, I'm betting web users won't put up with Google's somewhat blaise attitude on this for long.
