Google Caught Hosting Malicious Ad That Tricks Users
Google, known for its strict ad vetting process, has been caught hosting a malicious ad that is remarkably convincing. The ad, which masquerades as a pitch for the password manager Keepass, has managed to fool even security-savvy users. Clicking on the ad leads users to the website ķeepass[.]info, which appears to be the legitimate Keepass site when viewed in the address bar. However, a closer look reveals that the site is not genuine. In fact, ķeepass[.]info is an encoded way of denoting xn--eepass-vbb[.]info, a site that is pushing a malware family known as FakeBat.
This deception is a result of the combination of the convincing ad on Google and a website with an almost identical URL. Jérôme Segura, head of threat intelligence at security provider Malwarebytes, describes it as a “near perfect storm of deception”. Users are first tricked by the ad, which appears entirely legitimate, and then deceived again by the lookalike domain.
The ads have been running since Saturday and last appeared on Wednesday. They were paid for by an advertiser called Digital Eagle, whose identity has been verified by Google, according to information available through Google’s Ad Transparency Center. The center is intended to provide transparency and accountability for ads.
This incident highlights the use of punycode, an encoding scheme that allows unicode characters to be represented in standard ASCII text. The imposter site xn--eepass-vbb[.]info appears as ķeepass[.]info in the address bar, making it difficult to detect the deception. This technique has been used in various malware scams in the past, including an incident where scammers used Google ads to drive people to a site that resembled brave.com, but actually pushed a fake, malicious version of the browser.
Detecting malicious Google ads or punycode encoded URLs is challenging. Typing the URL manually or inspecting the TLS certificate are options, but they are not always feasible or foolproof. Users must remain vigilant and exercise caution when encountering ads or unfamiliar websites.
Google has not yet responded to inquiries about the malicious ad.
