Google Ad For GIMP.org Served Info-Stealing Malware Via Lookalike (bleepingcomputer.com) 19
joshuark shares a report from BleepingComputer, written by Ax Sharma: Searching for 'GIMP' on Google as recently as last week would show visitors an ad for 'GIMP.org,' the official website of the well-known graphics editor, GNU Image Manipulation Program. This ad would appear to be legitimate as it'd state 'GIMP.org' as the destination domain. But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.
Reddit user ZachIngram04 earlier shared the development stating that the ad previously took users to a Dropbox URL to serve malware, but was soon "replaced with an even more malicious one" which employed a fake replica website 'gilimp.org' to serve malware. BleepingComputer observed another domain 'gimp.monster' related to this campaign. To pass off the trojanized executable as GIMP in a believable manner to the user, the threat actor artificially inflated the malware, which is otherwise under 5 MB in size, to 700 MB by a simple technique known as binary padding. It still isn't clear if this instance was a slip-up caused by a potential bug in Google Ad Manager that allowed malvertising.
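The binary padding described in the summary (a sub-5 MB payload inflated to 700 MB) is cheap to spot on the defender's side, because the padding is a long run of one filler byte rather than real code. The following is an added example, not code from BleepingComputer or the GIMP project: it measures the trailing run of identical bytes in memory, and also scans a file backwards in chunks so a multi-hundred-megabyte sample never has to be loaded whole. The sample bytes, the 50% threshold and the temporary-file demo are constructed for the illustration.

```python
"""Heuristic detector for binary padding: a small executable inflated with a long
run of a single filler byte appended to its end. Added example, not from the report."""
import os
import tempfile


def trailing_run(data: bytes) -> tuple[int, int]:
    """Return (filler_byte, run_length) for the run of identical bytes that ends `data`."""
    if not data:
        return 0, 0
    filler = data[-1]
    stripped = data.rstrip(bytes([filler]))  # exact and fast for a single byte value
    return filler, len(data) - len(stripped)


def padding_report(data: bytes, min_ratio: float = 0.5) -> dict:
    """Summarise how much of `data` is trailing filler and whether it looks padded.
    `min_ratio` (constructed threshold) is the share of the file the trailing run must cover."""
    total = len(data)
    filler, run = trailing_run(data)
    ratio = run / total if total else 0.0
    return {
        "size": total,
        "filler_byte": filler,
        "trailing_pad_bytes": run,
        "trailing_pad_ratio": round(ratio, 4),
        "filler_fraction": round(data.count(bytes([filler])) / total, 4) if total else 0.0,
        "suspected_padding": ratio >= min_ratio,
    }


def trailing_run_in_file(path: str, chunk: int = 1 << 20) -> tuple[int, int, int]:
    """Scan a file backwards `chunk` bytes at a time and return (size, filler_byte, run_length)
    without reading the whole file into memory. Stops at the first non-filler byte."""
    size = os.path.getsize(path)
    if size == 0:
        return 0, 0, 0
    run = 0
    filler = None
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            start = max(0, pos - chunk)
            fh.seek(start)
            block = fh.read(pos - start)
            if filler is None:
                filler = block[-1]
            stripped = block.rstrip(bytes([filler]))
            run += len(block) - len(stripped)
            if stripped:  # the run ended inside this block
                break
            pos = start
    return size, filler, run


# Constructed stand-ins: a tiny "executable" and the same bytes with 100 kB of zero padding.
PAYLOAD = b"MZ" + bytes(range(256)) * 4
PADDED = PAYLOAD + b"\x00" * 100_000


def demo() -> dict:
    """Run both checks on the constructed sample; the file scan uses a small chunk size
    so the backward loop actually iterates several times."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(PADDED)
        size, filler, run = trailing_run_in_file(path, chunk=4096)
    finally:
        os.remove(path)
    return {
        "clean": padding_report(PAYLOAD),
        "padded": padding_report(PADDED),
        "file_size": size,
        "file_filler": filler,
        "file_run": run,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The ratio-based verdict deliberately ignores the absolute size: a 700 MB file with a 695 MB run of zeros and a 6 MB file with a 5 MB run are both flagged, while a legitimately large installer with a small zero-filled section is not.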
Adblock (Score:5, Insightful)
I thought the name (Score:1)
"Gump" sounded a little off, like the time I got a nice discount on my "Relox" watch.
Re: (Score:2)
The real question (Score:2)
The real question is, what did these people think they were downloading?
Re: (Score:2, Funny)
GIMP?
Not a bug (Score:5, Informative)
Not a bug in Google's systems... they have REPEATEDLY shown that they don't give a damn about anything but their profits.
YouTube carries scam-ads served by Google all the time and even when thousands of people report the scam, the ads are still running many months later.
Nope, so long as you're prepared to pay the bill, Google doesn't give a damn what harm you're doing through its ad network :-(
Re: (Score:3)
Google lets publishers create ads with two different URLs: a display URL to be shown in the ad, and a landing URL where the user will actually be taken to.
There's your problem right there. If you specifically design the system to allow URL misdirection, of course scammers will take advantage of it. But hey, anything for a buck.
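The display URL / landing URL split described in this comment is exactly the gap a creative review or a browser-side ad-audit tool can check for. Below is an added example, not Google's or BleepingComputer's code: it normalises both URLs to a bare host and flags a mismatch, and additionally reports a small edit distance between the two hosts as a likely lookalike (the 'gilimp.org' pattern from the summary). The host pairs and the distance threshold of 3 are constructed for the demonstration.

```python
"""Compare an ad's display URL with its landing URL and flag mismatched or lookalike hosts.
Added example for the discussion above, not Google's ad-review logic."""
from urllib.parse import urlsplit


def normalized_host(url: str) -> str:
    """Lower-cased hostname with scheme, path and a leading 'www.' removed.
    Display URLs in ads are often shown without a scheme ('GIMP.org'), so one is implied."""
    if "://" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")  # .hostname is already lower-cased
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a small non-zero value between two hosts is a lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def review_ad_urls(display_url: str, landing_url: str, max_lookalike_distance: int = 3) -> dict:
    """Return the normalised hosts, whether they differ, and whether the landing host
    is a near miss of the displayed one. The distance threshold is a constructed value."""
    shown = normalized_host(display_url)
    actual = normalized_host(landing_url)
    dist = edit_distance(shown, actual)
    return {
        "display_host": shown,
        "landing_host": actual,
        "host_mismatch": shown != actual,
        "edit_distance": dist,
        "lookalike": shown != actual and 0 < dist <= max_lookalike_distance,
    }


# Constructed cases: a legitimate creative, the lookalike from the summary, and an unrelated host.
CONSTRUCTED_CASES = [
    ("GIMP.org", "https://www.gimp.org/downloads/"),
    ("GIMP.org", "https://gilimp.org/download"),
    ("GIMP.org", "http://gimp.monster/"),
]

if __name__ == "__main__":
    for shown, landing in CONSTRUCTED_CASES:
        print(shown, "->", landing, review_ad_urls(shown, landing))
```

A host comparison alone would already have caught both domains in this campaign; the edit-distance flag is there to separate a typosquat from an honest tracking redirect on an unrelated domain, which a reviewer would want to treat differently.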
Could have been much worse (Score:3)
But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.
At least it didn't install Photoshop. :-)
Why is it so often GIMP? (Score:1)
This is not the first time someone has rebundled GIMP, especially as an installable package for Windows, and burdened it with unwelcome binaries. The previous notable time was at the Sourceforge hosted source code repo with a binary apparently published by Sourceforge employees.
https://www.developer.com/news... [developer.com].
Photoshop has gotten cheaper for most people, with a subscription based license scheme, so it's often worth thinking about whether to spend time mastering the less
Re: Why is it so often GIMP? (Score:2)
Re: (Score:2)
Photoshop has gotten cheaper for most people, with a subscription based license scheme, so it's often worth thinking about
Nope. "Subscription based" means perpetual rent. I'd much rather own the means of production than to be a constant slave to the tools. Even if they are inferior. Adobe products will never be a consideration for me until they put a cap on that siphon of theirs.
700MB? (Score:2)
Have malware coders started using .NET or what?
Adobe (Score:1)
Same with my bank (Score:3)
Same happened with my bank. The ad really looked 100% like the real deal. It took Google *days* to take it down.
Thank God for Debian :) (Score:2)
apt-get install gimp
That's nothing. (Score:2)
It was the top result, a promoted ad.
URL (Score:1)