A recent incident has shown another security vulnerability in Google’s advertising platform: advertisers can display URLs of legitimate websites in their ads while redirecting clicks to malicious destinations.
This deceptive practice has recently been exploited in a concerning incident. Here is what happened.
The popular macOS package manager Homebrew became the target of cybercriminals in a sophisticated phishing campaign. Developer Ryan Chenkie discovered a fraudulent website being promoted through Google Ads that impersonated the official Homebrew platform.
The attackers employed a classic typosquatting technique, registering the domain “brewe.sh” to mimic Homebrew’s legitimate domain “brew.sh”.
The cybercriminals booked ads on Google’s advertising platform to lure unsuspecting users into their trap. While the target URL was different, the ad on Google Search showed the address of the legitimate website to searchers.
In other words: A glance at the address would show the correct address to searchers. A click on the ad, however, would load the malicious website instead.
The fraudulent site was professionally designed to appear identical to Homebrew’s official website. However, instead of providing legitimate software, it distributed malware through compromised cURL downloads. According to reports, the malware specifically targeted user passwords.
The main takeaway for users: do not trust the address, title, or ad text that Google displays on Google Search. Better yet, use a content blocker to get rid of these ads entirely.
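Since the address shown in an ad cannot be trusted, the host that an install command actually contacts can be checked before anything is run. The following is an added example, not code from the article or from Homebrew; the allowlist, the distance threshold and the sample commands are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts you intend to install from. brew.sh is the legitimate
# Homebrew domain named in the article.
TRUSTED_HOSTS = {"brew.sh"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample: text copied from two pages (paths are made up).
SAMPLE = '''
bash -c "$(curl -fsSL https://brewe.sh/install.sh)"
bash -c "$(curl -fsSL https://brew.sh/install.sh)"
'''

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, trusted=TRUSTED_HOSTS, max_dist=2):
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if any(host == good or host.endswith("." + good) for good in trusted):
        return "trusted"
    for good in trusted:
        # Compare only the rightmost labels, so a trusted name used as a
        # subdomain prefix of another domain is never treated as a match.
        tail = ".".join(host.split(".")[-(good.count(".") + 1):])
        if edit_distance(tail, good) <= max_dist:
            return "lookalike"
    return "unknown"

def check_text(text):
    """Classify the host of every http(s) URL found in the text."""
    return [(h, classify_host(h)) for h in
            (urlsplit(u).hostname or "" for u in URL_RE.findall(text))]

if __name__ == "__main__":
    for host, verdict in check_text(SAMPLE):
        print(f"{verdict:10} {host}")
```

Only a "trusted" verdict means the host matches the allowlist; "lookalike" and "unknown" both mean the command should not be run as pasted.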
Google has apparently reacted to this particular ad and plans to “stop similar patterns in the future”.
Closing Words
One of the main problems of advertisement on the Internet is that it is regularly abused by cybercriminals. Even Google, with all the money that it earns from advertising, seems incapable of putting an end to this abuse.
It is a trust issue, and the only way of protection is to use content blockers. The added benefit of this is that users potentially save gigabytes of data each month, speed up browsing on the Internet, and improve their privacy.
This is why my website does not have any ads. You can still support me though, for instance by subscribing to my newsletter here.
Google is obviously leaving humans out of the loop on all ad services. The system just needs a few hundred trained people randomly trying out Google Ad links to pick up all the scams within a few days of their launch. I think Google can afford it but chooses not to since there are no penalties for bad business if you are almost a monopolist.
The main takeaway for users, as described in the article, is imperative. An OS and browsers, which are undoubtedly its most used component, just cannot be run out of the box.
Generally speaking and IMO advertisement — unless it should be strictly controlled by advertisement vectors, which has never been done up to now — is incompatible with privacy but as well with security concerns. Ads and a secure digital environment are incompatible.
Meanwhile the first company to tie them is Google while Google stands in pole position in the digital tech area. A challenge for the mental sanity of those who rely on this company to travel in the Wild Wild Web.
Follow the article’s advice, both imperative:
– do not trust the address, title, or ad text that Google displays on Google Search.
– use a content blocker to get rid of these ads entirely.
Follow a wise recommendation: avoid to the maximum extent GAFAM companies, that means avoid their services of course (alternatives exist for most) and use blacklists, dedicated add-ons & userscripts to bypass their intrusions, those which occur even with a non logged-in account, those which occur even with no account: the number of third-party connections to Google servers (as well as to other major companies) is absolutely amazing, but Google remains leader of the band.
“– do not trust the address, title, or ad text that Google displays on Google Search.”
That has been true for quite a while. Better choice: use Google search only as a backup search engine. Choose one of the smaller, relatively independent search engines as your primary search engine and use Google only if some function is not available, or if you cannot find the answer. Yes, sometimes searches can take longer (not always), but risk will be greatly diminished.