#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

Google Ads | Breaking Cybersecurity News | The Hacker News

Category — Google Ads
Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

Jan 15, 2025 Malvertising / Malware
Cybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google. "The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of threat intelligence at Malwarebytes, said in a report shared with The Hacker News. It's suspected the end goal of the campaign is to reuse the stolen credentials to further perpetuate the campaigns, while also selling them to other criminal actors on underground forums. Based on posts shared on Reddit , Bluesky , and Google's own support forums , the threat has been active since at least mid-November 2024. The activity cluster is a lot similar to campaigns that leverage stealer malware to steal data related to Facebook advertising and business accounts in order to ...
FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT

FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT

May 11, 2024 Malvertising / Malware
The financially motivated threat actor known as  FIN7  has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of  NetSupport RAT . "The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet," cybersecurity firm eSentire  said  in a report published earlier this week. FIN7 (aka Carbon Spider and Sangria Tempest) is a  persistent e-crime group  that's been active since 2013, initially dabbling in attacks targeting point-of-sale (PoS) devices to steal payment data, before pivoting to breaching large firms via ransomware campaigns. Over the years, the threat actor has refined its tactics and cyber weapon arsenal, adopting  various   custom malware  families such as BIRDWATCH, Carbanak, DICELOADER...
The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

Jan 16, 2025Identity Protection / SaaS Security
You can tell the story of the current state of stolen credential-based attacks in three numbers: Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks . (Source: Verizon). Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user (Source: Forrester).  Stolen credentials on criminal forums cost as little as $10 (Source: Verizon). Something doesn't add up. So, what's going on? In this article, we'll cover: What's contributing to the huge rise in account compromises linked to stolen creds and why existing approaches aren't working.  The world of murky intelligence on stolen credentials, and how to cut through the noise to find the true positives. Recommendations for security teams to stop attackers from using stolen creds to achieve account takeover. Stolen credential-based attacks are on the rise There's clear evidence that identity attacks are now the #1 cyber threat f...
Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor

Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor

Apr 18, 2024 Malvertising / Endpoint Security
A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed  MadMxShell . "The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh  said . As many as 45 domains are said to have been registered between November 2023 and March 2024, with the sites masquerading as port scanning and IT management software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine. While this is  not the first time  threat actors are  banking  on  malvertising techniques  to serve malware via lookalike sites, the development marks the first time the delivery vehicle is being used to propagate a ...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
Malicious Ads on Google Target Chinese Users with Fake Messaging Apps

Malicious Ads on Google Target Chinese Users with Fake Messaging Apps

Jan 26, 2024 Malvertising / Phishing-as-a-service
Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign. "The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead," Malwarebytes' Jérôme Segura  said  in a Thursday report. "Such programs give an attacker full control of a victim's machine and the ability to drop additional malware." It's worth noting that the activity, codenamed  FakeAPP , is a continuation of a  prior attack wave  that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023. The latest iteration of the campaign also adds messaging app LINE to the list of messaging apps, redirecting users to bogus websites hosted on Google Docs or Google Sites. The Google infrastructure is used to embed link...
Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Nov 17, 2023 Malvertising / Malware
Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead. Cybersecurity company Securonix is tracking the ongoing activity under the name  SEO#LURKER . "The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in a report shared with The Hacker News. The threat actors are believed to leverage Google's Dynamic Search Ads ( DSAs ), which automatically generates ads based on a site's content to serve the malicious ads that take the victims to the infected site. The ultimate goal of the complex multi-stage attack chain is to entice users into clicking on the fake, lookalike WinSCP website, winccp[.]net, and download the malware. "Traffic from the gaweeweb[.]com websi...
Trojanized PyCharm Software Version Delivered via Google Search Ads

Trojanized PyCharm Software Version Delivered via Google Search Ads

Oct 31, 2023 Malvertising / Threat Intelligence
A new  malvertising campaign  has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads. "Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it," Jérôme Segura, director of threat intelligence at Malwarebytes,  said  in a report. "Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead." The infected website in question is an unnamed online portal that specializes in wedding planning, which had been injected with malware to serve bogus links to the PyCharm software. The execution of the PyCharm installer results in the deployment of several stealer and loader families, such as Amadey, PrivateLoader, RedLine, Stealc, and Vid...
Malvertisers Using Google Ads to Target Users Searching for Popular Software

Malvertisers Using Google Ads to Target Users Searching for Popular Software

Oct 20, 2023 Malvertising / Cyber Threat
Details have emerged about a malvertising campaign that leverages Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads. Malwarebytes, which discovered the activity,  said  it's "unique in its way to fingerprint users and distribute time sensitive payloads." The attack singles out users searching for Notepad++ and PDF converters to serve bogus ads on the Google search results page that, when clicked, filters out bots and other unintended IP addresses by showing a decoy site. Should the visitor be deemed of interest to the threat actor, the victim is redirected to a replica website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine. Users who fail the check are taken to the legitimate Notepad++ website, while a potential target is assigned a unique ID for "tracking purposes but also to make each download unique and t...
LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads

LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads

May 02, 2023 Malvertising / Cyber Threat
In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT . "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week. "One of LOBSHOT's core capabilities is around its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine." The American-Dutch company attributed the malware strain to a threat actor known as  TA505  based on infrastructure historically connected to the group. TA505 is a financially motivated e-crime syndicate that overlaps with  activity clusters  tracked under the names Evil Corp, FIN11, and Indrik Spider. The latest development is significant because it's a sign that TA505, which is associate...
New Malvertising Campaign via Google Ads Targets Users Searching for Popular Software

New Malvertising Campaign via Google Ads Targets Users Searching for Popular Software

Dec 29, 2022 Online Security / Malvertising
Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar. The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords. The ultimate objective of such attacks is to  trick   unsuspecting   users  into downloading malevolent programs or potentially unwanted applications. In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive. "The moment those 'disguised' sites are being visited by targeted visitors (those who actually click on the promoted search result) the serve...
Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

Nov 19, 2022
A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered  Royal ransomware . Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name  DEV-0569 . "Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team  said  in an analysis. The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. The malware downloader, a strain referred to as  BATLOADER , is a dropper that functions as a conduit to distribute...
Expert Insights / Articles Videos
Cybersecurity Resources