Urgent warning to Google users after cyberattack targets search browser with fake ads – here’s how to stay safe

Cybersecurity experts have issued an urgent warning to Google users about an attack that may have obtained their personal information.

Hackers purchased sponsored advertising space directly from the company, posing as the tech giant’s genuine Google Authenticator site that provides users with two-factor password security protection.

The scam campaign used what looked like a legitimate Google URL, but a closer look would’ve revealed terms that the company would not typically include.

Users who downloaded the fraudulent link may have allowed hackers access to their bank account details, address and personal IP address.

Experts are now urging victims to immediately download and run a virus scanner, change all passwords and delete any temporary files.

The new advertising campaign, found by the anti-malware software company Malwarebytes, showed a Google.com URL link that had previously been a sign of assurance that the site was legitimate

Experts have previously advised users to only click on advertisement links that have a Google domain, but hackers seemed to have wised up to the advice by using text modifiers and cloaking technology to mimic official sites. 

The malicious ad led users to download convincing authenticator clones that were installed by a malware distribution campaign called DeerStealer that claimed the developer, Larry Marr, was verified by Google.

‘The truth is Larry Marr has nothing to do with Google and is likely a fake account,’ Malwarebytes researcher Jérôme Segura, who uncovered the cyberattack, said in a blog post.

‘We can follow what happens when you click on the ad by monitoring web traffic. We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator.’

Users who searched Google products on the browser saw the advertisement listed as sponsored, prompting them to click on it without concern, according to Malwarebytes.

They were then redirected multiple times until they landed on a fake site hosted on the developer platform GitHub. 

The researchers also found that after clicking the ‘download’ button, users received a pop-up called Authenticator.exe that downloaded the malware onto their computer.

Google Authenticator offers multi-factor authentication services that add a second layer of protection to Google accounts by requiring a time-based one-time password in addition to the user’s regular password.

Nearly four million people have downloaded Google’s legitimate authenticator service since October 2022, according to Statista.

Google told DailyMail.com that threat actors, like DeerStealer, created thousands of accounts to evade detection and simultaneously modified the URL and site text and used cloaking software to show Google’s reviewers different websites and information than users would see.

If the fraudulent authenticator was successfully downloaded, DeerStealer would have access to the victim’s sensitive information, including addresses, passwords, banking information and IP address, exposing them to identity theft.

‘We should note that Google Authenticator is a well-known and trusted multifactor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture,’ Segura said.

‘We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.’

The malware was verified by Google reviewers who didn't flag it as a fraudulent link

Google didn’t state when the malware was first posted or how many people were impacted.

The company told DailyMail.com that the sponsored authenticator link was taken down on July 30 after the anti-malware software company Malwarebytes notified them about the fraudulent activity.

‘We prohibit ads that attempt to circumvent our enforcement by disguising the advertiser’s identity to deceive users and distribute malware,’ a Google spokesperson said.

‘When we identify ads that violate our policies, we remove them and suspend the associated advertiser account as quickly as possible, as we did in this case.’

However, those who downloaded the fraudulent link could still be at risk. 

Google added that it is still investigating the issue and is in the process of increasing its automated systems and number of human reviewers to help identify and remove malicious campaigns.

Although it is difficult to tell a DeerStealer link, which convincingly says ‘Advertiser identity verified by Google,’ from a legitimate one, users need to look for the suspicious URL – chromeweb-authenticators.com – which appears only just before downloading the Authenticator.exe file.

However, the only guaranteed way for users to protect themselves is by not clicking on any sponsored links and instead scrolling down to find legitimate web sources.
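The URL check described above, as an added example (not code from Malwarebytes, Google or this article): it compares the domain an ad displays with the host the click finally lands on, matching whole domains rather than familiar-looking words. The allowlist, the intermediary hosts and the click URL are constructed for illustration; only chromeweb-authenticators.com comes from the article.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain treated as an official source.
OFFICIAL_DOMAINS = {"google.com"}

def host_of(url):
    """Return the real host of a URL, ignoring any user@ prefix and port."""
    return (urlsplit(url).hostname or "").rstrip(".")

def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in official)

def review_click(display_url, redirect_chain):
    """Compare the domain the ad displayed with where the click ended up."""
    shown = host_of(display_url)
    hops = [host_of(u) for u in redirect_chain]
    landing = hops[-1] if hops else ""
    unofficial_hops = [h for h in hops[:-1] if not is_official(h)]
    findings = []
    if is_official(shown) and not is_official(landing):
        findings.append("display-url-mismatch")
    if unofficial_hops:
        findings.append("unofficial-redirect-hops")
    return {"shown": shown, "landing": landing,
            "unofficial_hops": unofficial_hops, "findings": findings}

# Constructed sample: the ad displays google.com, the click passes through
# placeholder intermediary hosts and lands on the domain named in the article.
DISPLAY_URL = "https://www.google.com/"
CHAIN = [
    "https://www.google.com/constructed-ad-click",
    "https://hop-one.example/r",
    "https://hop-two.example/go",
    "https://chromeweb-authenticators.com/",
]

if __name__ == "__main__":
    print(review_click(DISPLAY_URL, CHAIN))
    # Lookalikes that pass a "contains google" glance but fail the check.
    for url in ("https://google.com.download.example/",
                "https://google.com@login.example/"):
        print(host_of(url), is_official(host_of(url)))
```
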
