Malvertising alert: fake KeePass site advertised on Google

For years, cybercriminals have exploited well-known brands to mislead unsuspecting victims.

This type of scheme often relies on legitimate advertising channels to sponsor fake websites that abuse famous brands for criminal ends. The phenomenon, known as malvertising, recently hit the open-source password manager KeePass.

Through an advertising campaign on Google, cybercriminals sponsored a domain that looks like the official one by exploiting Punycode, the encoding system used for internationalized domain names. Specifically, the “k” of KeePass was replaced with a visually similar character (a homoglyph of “k”) to mislead users.
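The check below is an added example (not code from the original article): it decodes a host to and from its Punycode form, lists every non-ASCII character it contains, and compares a diacritic-stripped skeleton against a brand watchlist so a lookalike domain can be flagged before anyone downloads from it. The watchlist and the sample domains are constructed for the example; the “k” with cedilla (U+0137) is assumed here as the k-lookalike, since the article does not print the exact character used.

```python
import unicodedata

# Constructed watchlist of brand domains worth protecting.
WATCHLIST = {"keepass.info"}

# Constructed sample: "k" replaced by LATIN SMALL LETTER K WITH CEDILLA (U+0137).
SAMPLE_LOOKALIKE = "\u0137eepass.info"


def to_unicode(host: str) -> str:
    """Return the Unicode form of a host, decoding any Punycode (xn--) labels."""
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        return host.encode("ascii").decode("idna")
    return host


def skeleton(host: str) -> str:
    """Crude confusable skeleton: decompose, drop combining marks, fold case."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def inspect_domain(host: str) -> dict:
    """Describe a host: Unicode/Punycode forms, non-ASCII chars, watchlist match."""
    uni = to_unicode(host)
    puny = uni.encode("idna").decode("ascii")          # what the browser resolves
    non_ascii = [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
        for ch in uni if ord(ch) > 127
    ]
    base = skeleton(uni)
    # Only a domain that needs non-ASCII to look like the brand is a lookalike;
    # the genuine ASCII brand domain must not be flagged.
    lookalike = base if (non_ascii and base in WATCHLIST) else None
    return {
        "unicode": uni,
        "punycode": puny,
        "non_ascii": non_ascii,
        "skeleton": base,
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    for host in (SAMPLE_LOOKALIKE, "keepass.info"):
        print(inspect_domain(host))
```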

Internally, too, the site was built with graphics that make it almost identical to the original.

Fake KeePass Site: Here’s How Cybercriminals Are Deceiving Victims

The malicious ad appears when you search Google for “keepass”; once the sponsored result is shown in the SERP, it is presented with the official logo and what looks like the official URL, so it is impossible to distinguish the fake site from the real one.

People who click on the ad are redirected through a cloaking service intended to filter out sandbox instances, bots and anyone not considered a worthwhile potential victim. The threat actors created a temporary domain that conditionally redirects to the final destination: the site with the lookalike “k”.

Victims who try to download KeePass end up with a malicious, digitally signed .msix installer. Installing it infects the machine with malware of the FakeBat family.

All this shows how widespread and dangerous malvertising is. It is therefore very important for users to pay attention to where they download software from: check the URL of the site you are downloading from carefully and, as a precaution, scan whatever you have just downloaded with a reputable antivirus.

