Hacker working on computer showing search engine ads used for malware and phishing

FBI: Hackers Are Using Search Engine Ads for Phishing and Malware Distribution

The Federal Bureau of Investigations (FBI) warned about threat actors using search engine ads to spread malware and redirect users to phishing websites.

According to the FBI’s public service announcement, attackers purchased search engine ads impersonating a legitimate business or service. The ads appear on the top of search results, usually with minimum distinction from the actual results. On clicking, they redirected customers to credential-harvesting and malware download sites instead of the legitimate URL displayed.

The FBI estimated that customers lost hundreds of thousands of dollars from March 2021, when the campaign started.

Search engine ads used to malware

The search engine ads display a legitimate domain associated with the application with a link to download software with a name matching a legitimate application.

However, clicking the download link led the victims to a malware site instead of the official website. For example, threat actors impersonated the GIMP image editor to distribute Vidar infostealer malware, Open Office to distribute Mars stealer malware, and AnyDesk remote management app to promote IcedID malware.

Once installed, the infostealer malware creates backdoors allowing threat actors to steal login credentials, user information saved in browsers, and banking and crypto wallet information.

“This is a very clever way for bad actors to take advantage of the trust people have in search engines,” said Erich Kron, Security Awareness Advocate at KnowBe4. “People often search for something fairly common, then simply click on the first result in the list.”

According to Kron, bad actors rely on the victims’ failure to double-check the URL and confirm the website’s legitimacy.

“Through typosquatting, cybercriminals can make the website look like a legitimate one if people are not paying attention to minor misspellings or similar tactics in the URL,” Kron noted. “It’s important to ensure that even when following a link from a legitimate search engine, that we look at the URL bar in the browser to confirm we’re at the website we expect to be at.”

Phishing campaign harvests account credentials through search engine ads

The FBI also observed threat actors targeting websites involved in finances, especially cryptocurrency exchange platforms.

In a case detailed by the FBI, hackers conducted a two-phase phishing campaign, initially relying on search engine ads and, later, organic search results.

According to FBI’s private industry notification (PIN), hackers used search engine ads to redirect users to fake web pages mimicking the impersonated business’s official webpage. Once they landed on the phishing website, hackers tricked them into entering their account credentials and telephone numbers and answering security questions. The threat actors collected the details, sold them to other cybercriminals, or used them to steal the victims’ funds.

When the login credentials and financial information failed to grant them access to the victim’s account, the threat actors called while impersonating a financial institution’s representative.

“While this individual occupied the customer in a lengthy process purported to restore account access, an associate would access the financial institution’s legitimate portal using the customer’s stolen credentials and initiate wire transfers from the account.”

Customers later realized that hackers had emptied their accounts after logging into the legitimate portal.

According to the FBI, the phishing campaign had resulted in losses amounting to hundreds of thousands of dollars through illegal ACH transfers.

“Phishing as a vector has been extremely fruitful for APT groups and internal Red Teams for years now,” said Matt Mullins, Senior Security Researcher at Cybrary. “With the evolution of controls and protections, new ways to attack users have evolved.”

According to Mullins, hackers have a phishing opportunity whenever a user can interact with something or be targeted.

FBI guidelines on protecting from malicious search engine ads

The FBI advised customers to check the URL of ad-related search results before clicking to ensure that the website is authentic. Customers should pay attention to typos, misspelled words, and misplaced characters, which are characteristic of phishing sites.

The FBI warned that, while purchase advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link.

Instead, the agency advised customers to type the business URL on the browser’s address bar instead of clicking on links.

Additionally, surfers should install and enable an ad blocker extension when performing internet searches to eliminate ad-related results that could be linked to malvertising phishing campaigns.

Some ad blockers could also be configured to allow specific ad-related results and exclude others based on the website’s reputation.

Similarly, businesses should use domain protection services to receive notifications when copycat domains are registered to prevent domain spoofing.