Google-Hosted Malvertising Leads To Fake Keepass Site That Looks Genuine

Google has been caught hosting a malicious ad so convincing that there's a decent chance it has managed to trick some of the more security-savvy users who encountered it. From a report: Looking at the ad, which masquerades as a pitch for the open source password manager Keepass, there's no way to know that it's fake. It's on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to Äeepass[.]info, which, when viewed in an address bar, appears to be the genuine Keepass site. A closer look at the link, however, shows that the site is not the genuine one. In fact, Äeepass[.]info -- at least when it appears in the address bar -- is just an encoded way of denoting xn--eepass-vbb[.]info, which, it turns out, is pushing a malware family tracked as FakeBat. Combining the ad on Google with a website with an almost identical URL creates a near-perfect storm of deception.

"Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain," Jerome Segura, head of threat intelligence at security provider Malwarebytes, wrote in a post on Wednesday that revealed the scam. Information from Google's Ad Transparency Center shows that the ads have been running since Saturday and last appeared on Wednesday. The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google.

Fake news

[Anonymous Coward]

Google hosting malware ads? Impossible.

Re:

[Tablizer]

Google hosting malware ads? Impossible.

That's redundant, Google is malware. Nested malware; rigged snooping turtles all the way down.

Re:

[jvkjvk]

>That's redundant, Google is malware. Nested malware; rigged snooping turtles all the way down.

So, how would *you* provide Google Maps, Google DNS, Google BGP, YouTube, Google Search, etc., to people for free? Please enlighten me as to how this would be done in your world.

Before saying "Google is malware" perhaps you should have something in mind that could replace it, as well as define *how* it is malware relative to what it does.

Does Google use the implications and data in your interaction with their

Re:

[Rosco P. Coltrane]

So, how would *you* provide Google Maps, Google DNS, Google BGP, YouTube, Google Search, etc., to people for free?

How about not providing those products for free? Whatever happened to paying for services you use?

Re:

[Tablizer]

So, how would *you* provide Google Maps, Google DNS, Google BGP, YouTube, Google Search, etc., to people for free? Please enlighten me as to how this would be done in your world.

Host the ads on Google's servers only, and display and use the URL the org registers with Google, and not allow ads to embed a URL in images or textual content (to avoid not matching actual destination).

An ad purchaser would have a portal where they upload/enter their image (if applicable), destination URL, and ad text (if applicabl

Re:

[jvkjvk]

How would this prevent the Malvertising, given that you can't increase the vetting budget. Can you assume no Malvertising ever gets through? Does Apple even guarantee that?

Or are you just saying they should spend more money and not display ads in as many places?

Re:

[Tablizer]

> Can you assume no Malvertising ever gets through?

Nothing is foolproof. If you wait until the world is perfect before doing anything, you'll die having done nothing.

Re:

[rogoshen1]

first they get busted doing it on youtube, and now this?
what a shameful company.

Simple solution

[VeryFluffyBunny]

Never, ever click on ads. Not from Google nor from any other ad agency. They're not to be trusted at all, ever. If they think they can get away with making money from malvertising (i.e. take the money & plead ignorance/innocence or play the victim), they'll do it in a heartbeat... & they most probably do.

Re:

[AleRunner]

Given their recent crackdowns on ad blockers, I'd say that's pretty likely.

Basically came here to say that. Just this week is the first time that I've started getting anti-adblocker messages from YouTube and had to set up a separate browser profile with only one extension in order to make sure I could follow uBlock origin YouTube debugging instructions [github.com] properly. The time is definitely coming when we have to start duplicating all content from the standard internet over to solutions like FreeNet [freenet.org]. I wonder if it's possible to build an archive.is workalike on top of FreeNet? Ian Clark [rumble.com]

Re:

[TheRealMindChild]

Google ads are intertwined with actual search results to look like actual search results

Re:

[VeryFluffyBunny]

I wouldn't know. I don't use Google search.

Re:

[radarskiy]

On the other hand, if you don't buy search ads against your own product's name you may never appear high enough to be seen in the search results to be seen before people abandon their search,

Keep ass?

[Anonymous Coward]

Nope, thanks to Google's negligence you're going to lose it.

THIS site is fake!

[Tablizer]

...you've been tricked by a clone. The real site is "slash.dot" (currently down for maintenance.) I bet you feel like a rube, and you should.

P.S. You are all cows.

Ads = Arbitratry code execution

[xack]

At this point advertising needs to be treated as a CVE.

Show the URL?

[bill_mcgonigle]

The article says it's a punycode k with a mark below it but the screenshot shows a normal k.

Does Google let advertisers show arbitrary domains with different targets?

That sounds crazy.

Re:

[deKernel]

You might have to change your screen resolution, but the mark is there. It took me a few minutes to see it because I actually thought it was a spec of dirt on my monitor initially.

Re:

[cahoots3360]

I think the parent was referring to the URL as shown in the ad itself: https://cdn.arstechnica.net/wp... [arstechnica.net] I see the mark in the browser screenshot, but I do not see it in this ad screenshot.

Re:

[rpresser]

The photo was provided by the malicious advertiser, and Google isn't going to OCR every JPG they get to make sure it isn't misleading. Much more cost effective to wait for someone to get bitten by it and then clean up afterwards.

Punycode never should have been allowed

[FeelGood314]

The site is now redirects to Rick Ashley Never going to give you up however you can still view the domain name.
The bigger problem though is not Google it is that some CA signed the certificate even though all the CAs claimed they would never sign a punycode certificate that looked like a legitimate sight. The CA should be dropped as a root CA.

Re:

[jonadab]

I still think browsers should refuse to render punycode unless the characters in question all belong to character sets that are consistent with the user's language settings. Greek words in the URL when the user has Greek on their list of languages? Fine, render it. Greek lowercase omicron (in place of lowercase o, surrounded by Latin characters) in a URL visited by a user who doesn't speak Greek? Show the raw punycode, preferably with a big fat "scam?" warning beside it.

"Vets"?! HAHAHAHAH

[brunes69]

"It's on Google, after all, which claims to vet the ads it carries."

The idea Google vets their ads is the funniest thing I have read on Slashdot in a long time.

Do you know how many ads I see on my Google Now feed for crypto scams, AI scams, botox treatments endorsed by Elon Musk and Shark Tank, etc etc? I see at least 10 a day. I use the "report" function as much as I have time but it seems to make zero difference.

Google doesn't police its ad program whatsoever. All of the "Vetting" is automated and trivial

You know...

[The-Ixian]

It's getting to the point where you can't trust anything on the Internet anymore...

Seriously though, who ever thought that Punycode was a good idea? It's like they polled scammers and asked what would be really helpful for them to trick people with.

Hardly

[nospam007]

"Google has been caught hosting a malicious ad so convincing that there's a decent chance it has managed to trick some of the more security-savvy users who encountered it. "

Security-savvy people never see any ads.

Google Bad Apple

[cstacy]

I needed help with my Apple account today, and Googled up "Apple phone support".

The first result, and maybe all the results, were to scammers. The scam website looked like Apple, and when I called the phone number, it said it was Apple.B ut when the agent answered, it was clearly a scam. They wanted to sell me fake medical services and started asking for all my personal information.

I'm surprised Apple let's Google do that.
Those two companies have a weird relationship.

Re:

[BigFire]

The sheer volume of scammer is such that neither Apple nor Google are going to do anything about it. Google don't care because they're getting paid. I don't know what Apple's excuse is.

Let's Encrypt signed the cert

[FeelGood314]

Getting a certificate from Let's Encrypt is completely automated. I know they are useful for creating certificates for smaller sites so as to stop DNS poisoning or other man-in-the-middle attacks but they are terrible for allowing look alike sites. Personally I think support for non English ascii characters in URLs is to big of a security risk. Maybe let's encrypt shouldn't sign certs for Punycode URLs. Maybe browsers should have a configuration whenever you go to a site with one. At the very least google should be extra cautious when serving an English speaker URLs with non-English characters.

Re:

[vbdasc]

they are terrible for allowing look alike sites.

Let's Encrypt has one job (issuing a certificate to assure web clients that the website they actually connected to is really the one they think they did and that they have a secure channel) and they're doing it reasonably well. It isn't their job to police the Interwebs.

I show punycode on Firefox

[klui]

about:config
network.IDN_show_punycode = true [boolean]

Then the site shows up as xn--eepass-vbb.info in the URL bar.

On Chrome... wall of text. Maybe it can be done using an extension
https://chromium.googlesource.... [googlesource.com]

Domain registries

[cowwoc2001]

Shouldn't domain registries block the creation of new domains that are identical to existing domains once accents are removed? This is fairly easy to check.

This is more of a legal problem than a technical one.

Security-savvy users, really?

[vbdasc]

Security-savvy users got caught by this... hmm... maybe they weren't so security-savvy, after all. If they were, they would know to:

NEVER, EVER click on an advertisement link, from Google or anybody else, if that link even shows on their browser screen, for whatever reason.

There, I said it. Furthermore, I believe that Carthage must be destroyed... ugh, pardon me, Unicode support must be purged from URLs, Punic... sorry, puny code or not. And I say this as one whose native language doesn't use Latin script.