03 Feb How Attackers are Using Google Ads to Deliver Spam

Gmail users have been reporting exploitation of the Google Ads platform over the last week. However, rather than engaging in ad fraud or putting advertisements that spread malware, the people behind this current behavior are directing traffic to a variety of hazardous websites via the Google Ads invitation system. These websites are most likely part of a phishing attempt designed to steal visitors’ personal information.

The Google Ads program, which displays advertisements on websites all across the Internet, allows admin users to invite other Google users to administer their Google Ads accounts. Ads-noreply@google.com is the official Google email address used to send these invites. Some malicious actors appear to have discovered that these emails neatly sail via Gmail’s spam filters, because Google does not screen emails from its own domain.

Traditionally, spam and phishing emails are sent using email addresses that are designed to look at least partly authentic, in order to deceive consumers into opening the emails and visiting the associated websites. Instead of generating email addresses at freshly registered domain names to seem real, bad actors create Google Ads accounts and link them to their spam/phishing websites. Following that, the malicious actors can send invitation emails from the official Google Ads email account.

These Google Ads account access invites offer links to the webpage connected with each account, encouraging recipients to visit that website. These spam invites connect to websites that display sexual photographs and encourage users to provide their details to see more. Any information gathered by these pages will almost certainly be used for bad purposes.

“Our security teams are aware of this spam content and are working hard, as usual, to stay ahead and keep our users secure,” a Google official told BleepingComputer. We have stringent Google Ads regulations in place to prevent misrepresentation and have taken necessary action. We encourage users to report communications containing spam links in order for us to take necessary action against the accounts implicated in the spam.”

How hackers exploit Google’s ad network to collect info from consumers

Cybercriminals frequently have to invent new techniques to send their harmful payloads to unsuspecting consumers, which is why they’re now distributing a hazardous new infostealer virus via Google Ads.

According to a new study from cybersecurity firm Cyble, its security experts recently uncovered a new malware strain dubbed Rhadamanthys after the wise ruler of Crete from Greek mythology.

At the same time, Rhadamanthys is spreading via spam emails that contain a malicious PDF file regarding an overdue bill. These emails, however, are directed at companies, whereas the bogus Google Ads utilized in this campaign are aimed at individuals attempting to download popular software.

Take a look at this article!: Myths and Truths About The Metaverse

Using Google adverts to distribute malware

When you search Google, the most relevant results show at the top of the page, but an ad may occasionally appear above the search results. In this case, you must scroll down the page to locate a company’s genuine website.

The hackers propagating the Rhadamanthys virus are taking advantage of the way Google shows adverts in their new campaign, as many people frequently click on the first result after performing a web search. They have built a variety of phishing sites meant to impersonate famous applications such as Zoom, AnyDesk, Notepad++, and Bluestacks in order to entice more victims to accidentally download their virus.

While a user believes they have clicked on an ad that would take them to a company’s official website, they are routed to a phishing page meant to spoof prominent businesses by utilizing their logos, typefaces, and other identifying features.

According to Cyble, these phishing sites go a step further by mimicking the installation files of the actual software they’re spoofing. However, instead of Zoom, AnyDesk, or other popular applications, people unintentionally install the Rhadamanthys virus.

A Google official said in an email to Tom’s Guide that the advertising pointing consumers to these phishing sites have subsequently been deleted, saying:

“A top focus is to protect people from ad scams and fraud. We have strict regulations forbidding advertising that seek to avoid detection by concealing the advertiser’s identity and impersonating other firms. The advertising in question had already been identified and deleted at the time of this request.”

Password theft, crypto theft, and more

As an infostealer, Rhadamanthys is designed to collect as much information as possible from its victims, which is subsequently transferred to an attacker-controlled command and control (C&C) server.

Before scanning for browser-related files such as browsing history, bookmarks, cookies, auto-fills, login passwords, and more, the virus collects system information from Windows PCs such as computer name, username, OS version, RAM, CPU information, and more.

Rhadamanthys is intended for use with several popular browsers, including Chrome, Edge, Firefox, and Chrome, as well as some newer ones, such as Brave. If you save your passwords in your browser and use it to access your bank accounts, a hacker with the abundance of data Rhadamanthys obtains might simply empty your accounts.

Rhadamanthys then targets Binance, Zcash, and a number of other popular crypto wallets and browser extensions. The virus can drain a user’s cash if it has access to the user’s crypto wallet credentials. It also targets FTP and email clients, password managers like as RoboForm and KeePass, VPN services such as NordVPN, ProtonVPN, Windscribe VPN, messaging applications such as Discord and Telegram, and other programs on a victim’s machine. Photographs of a victim’s machine are also taken and sent back to the C&C server.

Rhadamanthys, in essence, functions like a vacuum, collecting all types of sensitive and personal information for use in future assaults or even identity theft.

How to Avoid Malware and Other Online Threats

Because fraudsters are now utilizing advertising to lure people into accessing phishing sites that distribute malware, you must be cautious about where you click. When searching for something on Google, you should always scroll down to the real search results rather than clicking on an ad, no matter how tempting it seems.

In fact, because fraudulent advertising in search results have become such an issue, the FBI recently advised installing an ad-blocker. You won’t click on adverts if you can’t see them because they’re banned.

Similarly, you should have one of the finest antivirus software solutions installed on your PC to help defend you against emerging malware strains such as Rhadamanthys that Microsoft’s Windows Defender may overlook. If you use a Mac, you still need the finest Mac antivirus software since fraudsters are always looking for new methods to attack Apple’s user base.

Because Rhadamanthys is a malware-as-a-service that cybercriminals pay considerable money to utilize in their assaults, we’re likely not seen the last of this hazardous new infostealer.