A researcher has discovered a new method for exploiting vulnerable websites to deliver targeted, malicious ads to search engine users. According to the expert, this new technique is potentially capable of spreading a real tsunami of malware.
The key to this danger is dynamic ads, a feature where Google uses the content of a website’s landing page to match targeted ads to searches. In an October 30 blog post, Jerome Segura, senior director of threat intelligence at Malwarebytes, described how an attacker used an ad on a compromised website to exploit this functionality, targeting search engine users.
According to Segura: “I think the ad itself is really random, in the way it was created. The fact that I saw it (in a Google search), I don’t think the threat actor planned it at all.”
Segura was searching for keywords commonly used by hackers, who often run fake advertisements for office applications, remote monitoring software and the like. In this case, the keyword was “PyCharm”, the development environment for Python programming.
The search returned a title that matched the context, while the snippet seemed to refer to a wedding planning site. After a thorough investigation, it became clear that the website was compromised.
Google Dynamic Ads? For experts, the risk is a “flood” of malware infections
The expert then elaborated: “In most ads I see for downloading malicious software, the content matches the title. So the threat actor actually goes out of his way to create an ad from scratch: he uses a compromised advertiser account and creates the ad with a matching URL, a matching description, and all of that was not the case in this case. So I thought: why would anyone create a title that doesn’t match the description?”
The investigation uncovered a malware infection on the wedding planning site, through which cybercriminals generated spam.
The malware rewrote the titles of these pages and presented visitors with a pop-up offering a malicious PyCharm serial key. To make matters worse, Google’s Dynamic Ads feature picked up the malicious content and served it as advertising.
If an unsuspecting visitor clicked on the PyCharm pop-up link, they would experience “a deluge of malware infections similar to those we have only seen on rare occasions, rendering your computer completely unusable”, Segura explained in his blog.
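For site owners, the title rewriting described above can be caught by comparing each page's live title with a known-good baseline and with the page's own visible text. The following is an added example, not code from Malwarebytes or from the original article; the path, titles, sample HTML and the 0.5 overlap threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

class TitleAndBody(HTMLParser):
    """Collect <title> text and visible text, skipping <script>/<style>."""
    def __init__(self):
        super().__init__()
        self.title, self.body, self._in = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("title", "script", "style"):
            self._in = tag
    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None
    def handle_data(self, data):
        if self._in == "title":
            self.title.append(data)
        elif self._in is None:
            self.body.append(data)

def words(text):
    # Words of 4+ letters, lowercased, so short filler words are ignored.
    return set(re.findall(r"[a-z]{4,}", text.lower()))

def audit(path, html, baseline, min_overlap=0.5):
    """Return findings for one page: title drift and title/body mismatch."""
    p = TitleAndBody()
    p.feed(html)
    title = " ".join("".join(p.title).split())
    findings = []
    if title != baseline.get(path):          # title differs from known-good
        findings.append("title-changed")
    t = words(title)
    if t and len(t & words(" ".join(p.body))) / len(t) < min_overlap:
        findings.append("title-body-mismatch")  # title unrelated to content
    return findings

# Constructed sample data: one expected title and two fetched pages.
BASELINE = {"/venues": "Garden wedding venues and planning"}
CLEAN = ("<html><head><title>Garden wedding venues and planning</title></head>"
         "<body><h1>Wedding venues</h1><p>Planning a garden wedding? "
         "Browse venues by region.</p></body></html>")
TAMPERED = CLEAN.replace("Garden wedding venues and planning",
                         "PyCharm license key download")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit("/venues", page, BASELINE))
```

Run against pages fetched from outside the hosting environment, since a baseline stored on the compromised server could be altered along with the pages.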