This fake Windows news site is spreading malware via hacked Google ads

Passwords
Image Credit: Shutterstock (Image credit: Shutterstock)

Someone has been impersonating a known media publication and abusing the Google Ads advertising network, all to deliver the RedLine infostealer malware to people.

A new report from Malwarebytes, found a fake WindowsReport website that was being hosted on almost a dozen different domains. 

On the website, the scammers hosted a trojanized version of CPU-Z, a popular utility tool for Windows that helps users track different hardware components such as CPU clock rates, and similar. The tool, in fact, was RedLine Stealer, a known infostealer capable of exfiltrating sensitive system data, stored passwords, payment information, cookies, cryptocurrency wallet information, and more. 


Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Multiple similar campaigns

Then, they created ads and ran them on the Google Ads network, promoting this malicious version of CPU-Z. The cloning of WindowsReport was done to add more legitimacy and trustworthiness to the whole campaign, the researchers speculate. But before users are sent to this website, they’re pulled through a number of redirects, all to evade Google’s anti-abuse crawlers. 

Some users are redirected to benign pages, while others - those more suitable to receive RedLine - are redirected to the final website. We don’t know exactly how the attackers choose their victims. 

To make matters worse, the installer is digitally signed with a valid certificate, meaning Windows security tools and other antivirus products most likely won’t flag it as malicious. 

Malwarebytes has analyzed the threat actors’ infrastructure for this campaign and came to the conclusion that it was created by the same people who recently operated the Notepad++ campaign. This campaign, spotted in late October, was similar in the sense that it, too, included a copy of a legitimate website, and a bunch of malicious ads being served via Google Ads. 

The best way to stay safe is to be extra careful when searching for products and solutions on Google, and to always double-check the URL in the address bar before downloading anything.

Via BleepingComputer

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.