Dozens of Google products targeted by scammers via malicious search ads

In a previous blog, we observed criminals distributing malware via malicious ads for Google Authenticator. This time, brazen malvertisers went so far as impersonating Google's entire product line and redirecting victims to a fake Google home page.

Clearly not afraid of poking the bear, they even used and abused yet another Google product, Looker Studio, to lock up the browser of Windows and Mac users alike.

We describe how they were able to achieve this, relying almost entirely on stolen or free accounts and leveraging Google's APIs to create rotating malicious URLs for the browser lock.

All malicious activity described in this blog has been reported to Google. Malwarebytes customers were proactively protected against this attack via the Malwarebytes Browser Guard extension.

Malvertising {keyword:google}

The following image is a collage of malicious ads that all came from Google searches, each consisting of two keywords: google {product}. All of them tie back to the same advertiser, which we believe may be unaware that their account was compromised. In fact, we previously observed that same advertiser in two other unrelated incidents at the end of June 2024, for Brave (malware download) and Tonkeeper (phishing).

Figure 1: Google search ads for respective Google products

While brand impersonation is usually achieved via tracking templates, in this instance the fraudsters relied on keyword insertion to do the work for them. This is particularly useful when targeting a single company and its entire portfolio. Notice how all the ads follow the same pattern, with a display URL showing lookerstudio.google.com (a Google product also later abused in this scheme).

Shortly after we reported this initial wave of ads, we observed the same scammers (the final URL after clicking on the ad was also going to lookerstudio.google.com) register a new advertiser account. In this case, despite their identity not having been verified yet, their ad still showed up for the usual "google maps" search. This time, the ad's display URL mirrors the product (maps.google.com):

Figure 2: A malicious ad for Google Maps from a yet to be verified advertiser account

Fake Google Search page via Looker Studio

Originally intended as a tool to turn data into dashboards, Looker Studio is being misused by the scammers to display a dynamically generated image instead. The image is stretched across the screen to give the illusion that you are on the Google home page, ready to make a new search.

Figure 3: A fake Google home page, displayed via Looker Studio rendering an image

Opening Developer Tools in Chrome, we can see that the "Google search page" is indeed just one large image:

Figure 4: The actual image for the so-called Google home page

What's interesting is how this image is used as a lure that requires some user interaction to trigger an action. Leveraging the Looker Studio API, the scammers are embedding a hidden link that will be launched as a new tab when a victim clicks on the image:

Figure 5: In the network request, we find a hidden URL

Tech support scam

The embedded linkUrl cddssddds434334[.]z13[.]web[.]core[.]windows[.]net redirects to a fake Microsoft or Apple alert page that will attempt to hijack the browser by going into full screen mode and playing a recording. These fake alerts are the most common way innocent people fall victim to tech support scams. In such a scenario, many people will think there is something wrong with their computer and will follow the instructions they are given on screen.

Calling the phone number for support will kickstart a conversation with a call center typically located overseas. Fake Microsoft or Apple representatives will convince victims to buy gift cards or log into their bank account to pay for the 'repairs'.

Figure 6: Tech support browser lock page for Windows users
Figure 7: Tech support browser lock page for Mac users

The scam URL is part of web[.]core[.]windows[.]net, which belongs to Microsoft Azure and is often abused by scammers. In this particular instance, the Looker Studio API provides a new malicious URL (rotated at regular intervals) to make any blocking via conventional means futile.
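As an added defender-side example (not code from the Malwarebytes post), the following Python pulls every `linkUrl` click target out of a captured Looker Studio embed response and ranks the ones that leave Google, flagging Azure static-website hosts first, so a rotating hostname is caught by pattern rather than by an exact blocklist. The JSON layout and the `components` key are assumptions; only the `linkUrl` field name and the defanged hostname come from the article.

```python
import json
import re
from urllib.parse import urlparse

# Hosts that can legitimately show up inside a Looker Studio report's own assets.
TRUSTED_SUFFIXES = (".google.com", ".gstatic.com", ".googleusercontent.com")
# Azure Storage static-website hosting (*.zNN.web.core.windows.net), the
# infrastructure the article says the rotating browser-lock pages sit on.
AZURE_STATIC_RE = re.compile(r"(^|\.)z\d+\.web\.core\.windows\.net$")

def refang(url: str) -> str:
    """Turn a defanged indicator (example[.]com, hxxps://) back into a real URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def find_link_urls(obj):
    """Recursively yield every "linkUrl" string in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "linkUrl" and isinstance(value, str):
                yield value
            else:
                yield from find_link_urls(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_link_urls(item)

def classify_link(url: str) -> str:
    """Return 'trusted', 'azure-static' or 'external' for one click target."""
    host = (urlparse(refang(url)).hostname or "").lower()
    if host.endswith(TRUSTED_SUFFIXES):
        return "trusted"
    if AZURE_STATIC_RE.search(host):
        return "azure-static"
    return "external"

def suspicious_links(embed_json: str) -> list:
    """Click targets that leave Google, most suspicious first."""
    rank = {"azure-static": 0, "external": 1}
    found = [(u, classify_link(u)) for u in find_link_urls(json.loads(embed_json))]
    return sorted([uc for uc in found if uc[1] != "trusted"], key=lambda uc: rank[uc[1]])

# Constructed sample (hypothetical layout): a full-page image whose click target
# is an Azure static site, plus a legitimate help link and an unrelated external one.
SAMPLE = json.dumps({"components": [
    {"type": "image", "imageUrl": "https://lh3.googleusercontent.com/fake-home.png",
     "linkUrl": "https://cddssddds434334.z13.web.core.windows.net/alert.html"},
    {"type": "text", "linkUrl": "https://support.google.com/looker-studio"},
    {"type": "text", "linkUrl": "https://example.org/help"}]})
```

Running `suspicious_links(SAMPLE)` returns the Azure-hosted target first and the plain external link second, while the support.google.com link is dropped as trusted.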

Conclusion

As we saw in this blog, malicious ads can be combined with various tricks to evade detection by Google and defenders in general. Dynamic keyword insertion can be abused to target a larger audience related to the same topic, which in this case was Google's products.

Finally, it's worth noting that in this particular scheme, all web resources used from start to finish are provided by cloud providers, often free of charge. This means more flexibility for the criminals while increasing the difficulty of blocking.

As we were investigating this campaign, we checked that Malwarebytes customers were protected. Despite the malicious URLs being hosted on Microsoft Azure and rotating regularly, Malwarebytes Browser Guard was already blocking this attack thanks to its heuristics engine.

Indicators of Compromise

Google advertiser accounts

08141293921851408385
Dhruv
06037672575822200833

Looker Studio URLs

lookerstudio[.]google[.]com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/
lookerstudio[.]google[.]com/embed/reporting/42b6f86d-2a06-4b38-9f94-808a75572bb8/
lookerstudio[.]google[.]com/embed/reporting/fbd88a24-af73-4c76-94dc-5c55345e291d/
