A cybersecurity software provider has uncovered fraudulent advertising branded as Google that links to a malicious fake of Google Authenticator.
The scam ad appears to come from a legitimate Google domain, but the download it leads to is actually served from GitHub.
Clicking the ad triggers a series of redirects before landing on chromeweb-authenticators.com, the site that hosts the fake app for download.
Jerome Segura, principal threat researcher at Malwarebytes – the company that detected the elaborate scam – reiterated the importance of not clicking through an ad to obtain any kind of support.
He stated, “Some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well.”
“We should note that Google Authenticator is a well-known and trusted multifactor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture,” added Segura.
“We recommend avoiding clicking on ads to download any kind of software.”
Dangers can lurk behind fake advertising
By hosting the file on GitHub, the scammers piggyback on a trusted cloud service, though abuse of GitHub in this way is neither new nor surprising.
GitHub is the software repository of choice for much of the industry, but it is not faultless.
Not all material hosted there is legitimate, and almost anyone can create an account and upload files. In this instance, the threat actor did exactly that under the username authe-gogle, setting up the authgg repository that contained the malicious Authenticator.exe.
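Malvertising chains like the one described in this article (an ad, a few redirects, a lookalike landing page, and a payload parked on a trusted host) can be triaged mechanically. The Python below is an added example written for this page, not code from Malwarebytes or from the original report. The redirect table and its tracking hostnames are constructed, the trusted-domain allowlist and the known-good GitHub account list are assumptions, and the branch and path in the download URL are assumed; only chromeweb-authenticators.com, the GitHub account authe-gogle, the authgg repository and Authenticator.exe come from the text above. It follows the chain offline with a hop limit, flags a landing host that borrows a brand word without sitting under a trusted domain, and catches a typo-squatted GitHub account by edit distance.

```python
import re
from urllib.parse import urlparse

# ASSUMPTION: apex domains Google legitimately serves software from.
# The article names none; extend this allowlist for your own environment.
TRUSTED_APEXES = {"google.com", "googleapis.com"}

# ASSUMPTION: GitHub accounts that legitimately carry the brand name.
KNOWN_GOOD_OWNERS = {"google"}

# Brand words whose presence in an untrusted hostname is a red flag.
BRAND_TOKENS = ("google", "authenticator", "chrome")

# CONSTRUCTED redirect table standing in for the ad's hop sequence. The two
# tracking hosts are invented; chromeweb-authenticators.com is from the article.
AD_URL = "https://ads.example/click?id=1"
SAMPLE_CHAIN = {
    AD_URL: "https://track1.example/r",
    "https://track1.example/r": "https://track2.example/go",
    "https://track2.example/go": "https://chromeweb-authenticators.com/",
}

# Download link on the landing page. Account, repository and file name are from
# the article; the branch and path layout are ASSUMED.
DOWNLOAD_URL = "https://github.com/authe-gogle/authgg/raw/main/Authenticator.exe"


def follow_redirects(start, table, max_hops=10):
    """Resolve a redirect chain offline; refuse loops or excessive hops."""
    chain = [start]
    while chain[-1] in table:
        if len(chain) > max_hops:
            raise ValueError("redirect loop or more than %d hops" % max_hops)
        chain.append(table[chain[-1]])
    return chain


def registrable_domain(host):
    """Naive apex (last two labels). Production code should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def brand_lookalike_host(url):
    """True if the host borrows a brand word but is not under a trusted apex."""
    host = (urlparse(url).hostname or "").lower()
    uses_brand = any(tok in host for tok in BRAND_TOKENS)
    return uses_brand and registrable_domain(host) not in TRUSTED_APEXES


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted account names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def github_impersonation(url, brands=("google",), max_dist=1):
    """For github.com URLs, return the account name if any hyphen-, underscore-
    or dot-separated piece of it is within max_dist edits of a brand, else None."""
    p = urlparse(url)
    if (p.hostname or "").lower() != "github.com":
        return None
    segments = [s for s in p.path.split("/") if s]
    if not segments or segments[0].lower() in KNOWN_GOOD_OWNERS:
        return None
    owner = segments[0]
    for piece in re.split(r"[-_.]", owner.lower()):
        if any(edit_distance(piece, b) <= max_dist for b in brands):
            return owner
    return None


def assess(ad_url, table, download_url):
    """Trace the click and collect the impersonation signals a triager would want."""
    chain = follow_redirects(ad_url, table)
    landing = chain[-1]
    findings = []
    if len(chain) > 2:
        findings.append("%d redirects before the landing page" % (len(chain) - 1))
    if brand_lookalike_host(landing):
        findings.append("landing host %s uses a brand name outside trusted domains"
                        % urlparse(landing).hostname)
    owner = github_impersonation(download_url)
    if owner:
        findings.append("download hosted on GitHub under lookalike account %s" % owner)
    dl = urlparse(download_url)
    if dl.path.lower().endswith(".exe") and registrable_domain(dl.hostname or "") not in TRUSTED_APEXES:
        findings.append("executable served from a non-vendor domain")
    return {"chain": chain, "landing": landing, "findings": findings}


if __name__ == "__main__":
    result = assess(AD_URL, SAMPLE_CHAIN, DOWNLOAD_URL)
    for hop in result["chain"]:
        print("->", hop)
    for finding in result["findings"]:
        print("FLAG:", finding)
```

The hop limit matters in practice: malvertising redirectors sometimes loop or fingerprint the client, and an unbounded follower will hang. The two-label apex heuristic is deliberately simple and will misjudge hosts such as co.uk domains; swap in a Public Suffix List lookup before relying on it.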
This is a deliberate abuse of Google's ubiquity and of the unquestioning trust most users place in the company. It is a cunning but effective way to lure people into downloading malware.
It is critical to distinguish legitimate advertising from fake content and to recognise the dangers that lurk beneath it. This example shows how a bad actor was able to hide behind one of the most prominent brands in the world to spread malicious software.
Image credit: Via Ideogram