
Introducing electronic services: what مجلة شو للخدمات offers

What are electronic services?

Electronic services are among the most important pillars that help facilitate daily work and interaction between individuals and companies. These services let users reach information and resources easily over the Internet, which improves the efficiency and effectiveness of many activities.

Types of services offered by مجلة شو للخدمات

مجلة شو للخدمات offers many electronic services that meet its users' needs. These services range across informational content, general news, and various support resources. We take care to provide comprehensive content covering every aspect of the available services so that your needs are met as well as possible.

Free services available

One of the major benefits offered by مجلة شو للخدمات is the availability of a number of free services that users can take advantage of. These services include valuable information, tutorials, and interactive resources that help them improve their skills and broaden their horizons. We believe that access to information should be available to everyone, so we work hard to provide high-quality free content.

Threat actor impersonates Google via fake ad for Authenticator

Posted: July 30, 2024 by Jérôme Segura

We have previously reported on the brand impersonation issue with Google ads: users who search for popular keywords are shown malicious ads that purport to be from an official vendor.

Not only does this trick innocent victims into downloading malware or losing their data to phishing sites, it also erodes trust in brands and by association in Google Search itself.

Today, we show yet another example of brand misuse, except that this one targets Google itself. If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer.

A similar distribution site and the same payload were previously discovered by sandbox maker AnyRun. In this blog post, we will reveal the missing piece at the top of the kill chain, namely the Google ad that was involved in tricking users into visiting a decoy website.

Trust, but ‘verified’?

The core issue with brand impersonation comes from ads that appear as if they were from official sources, with advertisers’ identities verified by Google. This was the case here with this ad for Authenticator:

The truth is Larry Marr has nothing to do with Google, and is likely a fake account. We can follow what happens when you click on the ad by monitoring web traffic. We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator.

Fake site leads to signed payload hosted on Github

The fraudulent site chromeweb-authenticators[.]com was registered via NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day as the ad was observed.

Looking at the site’s source code, we can see the code responsible for downloading Authenticator.exe from GitHub. Note the comments from the author in Russian:

Hosting the file on GitHub allows the threat actor to use a trusted cloud resource, unlikely to be blocked via conventional means. While GitHub is the de facto software repository, not all applications or scripts hosted on it are legitimate. In fact, anyone can create an account and upload files, which is exactly what the threat actor did under the username authe-gogle, creating the authgg repository that contains the malicious Authenticator.exe:

Looking at the file itself, we can see that it has been digitally signed by “Songyuan Meiying Electronic Products Co., Ltd.” just one day before, and the signature is still valid at the time of writing:

The malware, DeerStealer, is a kind of stealer that will grab and exfiltrate your personal data via an attacker-controlled website hosted at vaniloin[.]fun.
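The chain described above leaves several signals a defender can check on a download event: an executable on a host where anyone can upload, a valid signature from a publisher that does not match the brand in the file name, and a signature and referring domain that are only days old. The following triage sketch is an added example, not code from the original article; the event field names, the expected publisher "Google LLC", the 7-day threshold, and the sample dates and URL path are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: publisher expected on a binary whose name claims this brand.
EXPECTED_SIGNER = {"authenticator": "Google LLC"}
# Hosts where any account holder can upload files (GitHub in the article).
USER_CONTENT_HOSTS = {"github.com", "raw.githubusercontent.com"}
FRESH = timedelta(days=7)  # assumed threshold for "created very recently"

def host_of(url):
    """Hostname of a URL that may be stored defanged, e.g. example[.]com."""
    return urlparse(url.replace("[.]", ".")).hostname or ""

def triage(event):
    """Return the reasons a download event deserves analyst review."""
    reasons = []
    when = datetime.fromisoformat(event["time"])
    host, referrer = host_of(event["url"]), host_of(event["referrer"])
    name = event["url"].rsplit("/", 1)[-1].lower()
    # 1. Executable on a user-content host, linked from an unrelated site.
    if name.endswith(".exe") and host in USER_CONTENT_HOSTS and referrer not in USER_CONTENT_HOSTS:
        reasons.append(f"exe on {host} linked from {referrer}")
    # 2. Signature may be valid, yet not from the publisher the name implies.
    for brand, signer in EXPECTED_SIGNER.items():
        if brand in name and event["signer"] != signer:
            reasons.append(f"signer {event['signer']!r} is not {signer!r}")
    # 3. Signature or referring domain created shortly before the download.
    if when - datetime.fromisoformat(event["signed"]) <= FRESH:
        reasons.append("signed shortly before download")
    if when - datetime.fromisoformat(event["referrer_registered"]) <= FRESH:
        reasons.append("referrer domain newly registered")
    return reasons

# Constructed events: names come from the article, dates and URL path do not.
SUSPICIOUS = {
    "time": "2024-07-29T10:00:00", "signed": "2024-07-28T09:00:00",
    "referrer_registered": "2024-07-29T00:00:00",
    "url": "https://github.com/authe-gogle/authgg/PLACEHOLDER/Authenticator.exe",
    "referrer": "https://chromeweb-authenticators[.]com/",
    "signer": "Songyuan Meiying Electronic Products Co., Ltd.",
}
BENIGN = {
    "time": "2024-07-29T10:00:00", "signed": "2023-03-01T00:00:00",
    "referrer_registered": "2010-01-01T00:00:00",
    "url": "https://downloads.example.com/tool-setup.exe",
    "referrer": "https://www.example.com/", "signer": "Example Corp",
}
```

A valid signature alone passes none of these checks; each reason is a prompt for review, not a verdict.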

Conclusion

Threat actors have been abusing Google ads as a way to trick users into visiting phishing and malware sites. Since the whole premise of these attacks relies on social engineering, it is absolutely critical to properly distinguish real advertisers from fake ones.

As we saw in this case, some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well.

We should note that Google Authenticator is a well-known and trusted multi-factor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture. We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.
