Google Ads | Breaking Cybersecurity News | The Hacker News

Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead. Cybersecurity company Securonix is tracking the ongoing activity under the name  SEO#LURKER . "The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in a report shared with The Hacker News. The threat actors are believed to leverage Google's Dynamic Search Ads ( DSAs ), which automatically generates ads based on a site's content to serve the malicious ads that take the victims to the infected site. The ultimate goal of the complex multi-stage attack chain is to entice users into clicking on the fake, lookalike WinSCP website, winccp[.]net, and download the malware. "Traffic from the gaweeweb[.]com website to the fake

A new  malvertising campaign  has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads. "Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it," Jérôme Segura, director of threat intelligence at Malwarebytes,  said  in a report. "Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead." The infected website in question is an unnamed online portal that specializes in wedding planning, which had been injected with malware to serve bogus links to the PyCharm software. The execution of the PyCharm installer results in the deployment of several stealer and loader families, such as Amadey, PrivateLoader, RedLine, Stealc, and Vid

Wing Security recently announced that basic third-party risk assessment is  now available as a free product . But it raises the questions of how SaaS is connected to third-party risk management (TPRM) and what companies should do to ensure a proper SaaS-TPRM process is in place. In this article we will share 5 tips to manage the third-party risks associated with SaaS, but first...  What exactly is Third-Party Risk Management in SaaS? SaaS is rapidly growing, offering businesses convenience, swift implementations, and valuable opportunities. However, this growth introduces a security challenge where risks arise from the interconnected nature of SaaS supply chains. It is clear that before onboarding a new contractor or vendor, we need due diligence, security checks, and referrals. However, we now understand that in the SaaS domain, applications are, in fact, the go-to vendor of choice.  Let's explain: Any employee can very easily connect SaaS vendors to company data, granting them pe

Details have emerged about a malvertising campaign that leverages Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads. Malwarebytes, which discovered the activity,  said  it's "unique in its way to fingerprint users and distribute time sensitive payloads." The attack singles out users searching for Notepad++ and PDF converters to serve bogus ads on the Google search results page that, when clicked, filters out bots and other unintended IP addresses by showing a decoy site. Should the visitor be deemed of interest to the threat actor, the victim is redirected to a replica website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine. Users who fail the check are taken to the legitimate Notepad++ website, while a potential target is assigned a unique ID for "tracking purposes but also to make each download unique and t

In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT . "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week. "One of LOBSHOT's core capabilities is around its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine." The American-Dutch company attributed the malware strain to a threat actor known as  TA505  based on infrastructure historically connected to the group. TA505 is a financially motivated e-crime syndicate that overlaps with  activity clusters  tracked under the names Evil Corp, FIN11, and Indrik Spider. The latest development is significant because it's a sign that TA505, which is associate

Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar. The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords. The ultimate objective of such attacks is to  trick   unsuspecting   users  into downloading malevolent programs or potentially unwanted applications. In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive. "The moment those 'disguised' sites are being visited by targeted visitors (those who actually click on the promoted search result) the server imme

A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered  Royal ransomware . Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name  DEV-0569 . "Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team  said  in an analysis. The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. The malware downloader, a strain referred to as  BATLOADER , is a dropper that functions as a conduit to distribute next-stage pa