A malware campaign abusing Google's advertising platform has been uncovered by researchers at ANY.RUN, a malware analysis and threat-intelligence provider. The campaign delivers a newly identified information stealer, dubbed "DeerStealer", and targets users who search for Google Authenticator.
Google Authenticator generates one-time codes and is commonly used as the second factor in a two-factor authentication (2FA) setup. The intended victims are users who, trying to improve their own security, run a general web search for an authenticator app rather than going to a known official source.
The attack chain begins with malicious advertisements placed in Google search results. The ads show legitimate-looking Google domains as their visible URL to gain credibility. Users who click them are bounced through several redirecting sites before landing on malicious domains such as "chromeweb-authenticators.com". These fake pages prompt the visitor to download an executable named "Authenticator.exe", which is the DeerStealer malware. To evade detection and look trustworthy, the file is hosted in a GitHub repository and carries a code-signing certificate issued to a seemingly legitimate company, Reedcode Ltd.
DeerStealer is a modern information stealer that extracts saved credentials, cookies, and other sensitive data from web browsers on Windows systems. Because stolen session cookies let an attacker reuse an already-authenticated browser session, this kind of theft can defeat 2FA on the very accounts the victim was trying to protect.
Google has responded by blocking the fake advertiser and is working to enhance its detection systems. In 2023, the company removed 3.4 billion ads and suspended 5.6 million advertiser accounts as part of its ongoing security efforts. "DeerStealer Malware Exploits Google Ads to Target Users" www.kxan.com (Aug. 06, 2024)
Commentary
These threats to your desktop and mobile computing devices again highlight the need to practice safe computing. Such practices include installing security software, including anti-virus and anti-spyware software, pop-up blockers, and maintaining a firewall on all computers and devices.
Users are advised to treat promoted (sponsored) search results with caution, use an ad blocker, verify the actual download URL before saving anything, and scan every download with up-to-date antivirus software. Ideally, software should never be downloaded from a third-party source; use only the vendor's own site or the official app store for the operating system, while remembering that app stores have also hosted rogue apps carrying malware.
In the attack described above, users searching for a security application should not simply click the first result on the page. Criminals count on people being in a hurry, distracted, or simply unobservant, and the sponsored links at the top of the results are where the bogus sites appear. Instead, scroll past the advertisements to the vendor's official site or the platform's official store. For Google Authenticator specifically, the app is distributed only through Google Play and the Apple App Store, so a Windows download named "Authenticator.exe" is itself a warning sign regardless of how legitimate the site looks.
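To make "verify the download URL" concrete, here is an added example (not code from the article or from ANY.RUN) that classifies a candidate download link against a small allowlist of official distribution hosts, flags brand-lookalike domains such as "chromeweb-authenticators.com", and rejects any executable offered for an app that only ships on mobile stores. The allowlist, brand tokens, and sample URLs (including the GitHub path) are constructed for illustration and are assumptions of this example.

```python
"""Classify software-download URLs against an allowlist of official hosts.

Added example for the article above; the host lists and sample URLs are
constructed here for illustration and are not taken from the original page.
"""
from urllib.parse import urlsplit

# Assumed official distribution hosts for Google Authenticator: the vendor's own
# domain (covers play.google.com) and the Apple App Store. Subdomains are accepted.
OFFICIAL_HOSTS = {"google.com", "apps.apple.com"}

# Brand tokens whose presence in a non-allowlisted host suggests a lookalike domain.
BRAND_TOKENS = ("google", "authenticator", "chrome")

# Google Authenticator ships only for Android and iOS, so a native Windows
# installer offered under that name is rejected outright.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat")


def registrable_host(url: str) -> str:
    """Return the lowercase host of url without port or userinfo ('' if absent).

    urlsplit() strips "user@" prefixes, so "https://play.google.com@evil.test/"
    resolves to "evil.test", not to the Google host the visible URL suggests.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_official(host: str) -> bool:
    """True if host is an allowlisted host or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def classify(url: str) -> str:
    """Return a verdict string for a download URL, most severe problem first."""
    parts = urlsplit(url)
    host = registrable_host(url)
    if not host:
        return "invalid"
    if parts.scheme != "https":
        return "reject: not https"
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        return "reject: executable offered for a mobile-only app"
    if is_official(host):
        return "official"
    if any(token in host for token in BRAND_TOKENS):
        return "reject: brand lookalike domain"
    return "unknown: not an official distribution host"


def triage(urls):
    """Map each URL to its verdict so a batch of search results can be reviewed."""
    return {u: classify(u) for u in urls}


# Constructed sample input: an official store link, the fake domain named in the
# article, a hypothetical GitHub release path, a userinfo trick, and a plain-http link.
SAMPLE_URLS = [
    "https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2",
    "https://chromeweb-authenticators.com/Authenticator.exe",
    "https://chromeweb-authenticators.com/download",
    "https://github.com/example-user/example-repo/releases/download/v1/Authenticator.exe",
    "https://play.google.com@chromeweb-authenticators.com/",
    "http://play.google.com/store/apps/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:55} {url}")
```

The ordering in classify() matters: the executable check runs before the allowlist so that even a trusted host is not allowed to hand out an installer for an app that has no desktop build, and the userinfo sample shows why the host must come from a parser rather than from the first thing the eye reads in the address bar.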
If you suspect malware has infected your desktop or mobile device, disconnect it from the internet and stop doing anything that requires passwords or personal information, such as online shopping or banking, until the malware has been removed. Because stealers of this kind take saved passwords and browser cookies, once the device is clean change the passwords for accounts used on it from a different, trusted device and sign out of all active sessions on those accounts so that any stolen cookies stop working.