A new malvertising campaign has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads.
"Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it," Jérôme Segura, director of threat intelligence at Malwarebytes, said in a report.
"Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead."
The infected website in question is an unnamed online portal that specializes in wedding planning, which had been injected with malware to serve bogus links to the PyCharm software.
The execution of the PyCharm installer results in the deployment of several stealer and loader families, such as Amadey, PrivateLoader, RedLine, Stealc, and Vidar, a deluge that renders the infected system completely unusable.
Per Malwarebytes, targets are directed to the website using Dynamic Search Ads, an ad offering from Google that programmatically uses the site's content to tailor targeted ads based on the search terms.
"When someone searches on Google with terms closely related to the titles and frequently used phrases on your website, Google Ads will use these titles and phrases to select a landing page from your website and generate a clear, relevant headline for your ad," Google explains in its support documentation.
As a result, a threat actor with capabilities to alter the website's content could also make the ad campaigns a lucrative tool for abuse, effectively serving Google Search users ads that can result in unintended behavior.
"What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad," Segura explained.
The development comes as Akamai detailed the infrastructure behind a sophisticated phishing campaign targeting hospitality sites and their customers.
"The campaign is a global threat, with a notable amount of DNS traffic seen in Switzerland, Hong Kong, and Canada," the company said.
"Although the campaign was initially thought to have been active only since September 2023, the domain registration shows domain names being registered and queried as early as June 2023."