Google’s advertising network has been found serving a malicious ad that could leave users with their identity data and other sensitive information stolen.
Hackers have reportedly managed to trick Google Ad Manager into serving a fake ad for popular photo editor GIMP, meaning those who wanted to download the program only ended up with a potent infostealer called Vidar.
Whenever a victim typed “GIMP” or a similar keyword into Google’s search engine, they’d be presented, among other things, with an ad displaying GIMP’s official website – GIMP.org. Actually clicking on the ad, however, would not send the victim to that domain, but rather to gilimp.org or gimp.monster. There, they’d be offered a 700MB download: an artificially inflated executable that’s actually just 5MB in size – the Vidar infostealer.
Tricking the system
How this was possible is still not entirely certain. Some researchers think the threat actor used the IDN homograph technique to make the Cyrillic gіmp.org – encoded as http://xn--gmp-jhd.org/ – appear as gimp.org in the Latin alphabet, while others are of the opinion that the trick is actually far less elaborate.
In fact, BleepingComputer reports that Google lets publishers create ads with two different URLs – one shown to viewers, and another to which they are actually taken. Google is reportedly strict about this, allowing, for example, only display URLs that use the same domain as the destination. How, or why, the Ad Manager allowed this particular campaign to go live is unknown. Google is still silent on the matter, and we’ll update the article if the search giant decides to elaborate.
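As an added illustration (not code from the original article, from BleepingComputer, or from Google’s ad platform), the Python below checks an ad for the two red flags described above: a display URL whose host differs from the final URL’s host, and a final host whose labels mix scripts, which is the IDN homograph pattern. The sample URLs are constructed from the domains named in the article; the function names are my own.

```python
import unicodedata
from urllib.parse import urlsplit


def host_to_ascii(host: str) -> str:
    """Punycode (A-label) form of a hostname, as a browser or resolver sees it."""
    return host.encode("idna").decode("ascii")


def host_to_unicode(host: str) -> str:
    """Human-readable (U-label) form of a hostname; ASCII labels pass through unchanged."""
    return host.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one DNS label, taken from the Unicode character name
    (e.g. 'LATIN SMALL LETTER G' -> 'LATIN', 'CYRILLIC SMALL LETTER ... I' -> 'CYRILLIC')."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def analyse_ad(display_url: str, final_url: str) -> dict:
    """Hypothetical ad-review check. Flags:
    - 'domain_mismatch': the host shown to the viewer is not the host they are sent to
    - 'mixed_script':    a label of the final host mixes scripts (homograph candidate)
    """
    shown = host_to_ascii(urlsplit(display_url).hostname or "")
    actual = host_to_ascii(urlsplit(final_url).hostname or "")
    flags = []
    if shown != actual:
        flags.append("domain_mismatch")
    readable = host_to_unicode(actual)
    if any(len(scripts_in(label)) > 1 for label in readable.split(".")):
        flags.append("mixed_script")
    return {"display_host": shown, "final_host": actual,
            "final_host_unicode": readable, "flags": flags}


if __name__ == "__main__":
    # Constructed cases mirroring the article: the display URL is always the real gimp.org.
    for final in ("https://gimp.org/", "https://gilimp.org/",
                  "https://gimp.monster/", "http://xn--gmp-jhd.org/"):
        print(analyse_ad("https://gimp.org/", final))
```

The last case decodes to the Cyrillic gіmp.org and is caught by both checks, while gilimp.org and gimp.monster are caught only by the host comparison, which is why a display/destination match rule matters independently of homograph detection.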
Vidar is a known infostealer capable of grabbing browser information (passwords, cookies, stored credit card information, and similar), cryptocurrency wallet information, Telegram credentials, file transfer application information, and plenty of other sensitive data.
Via BleepingComputer