Google-Hosted Malvertising Leads to Fake Keepass Site That Looks Genuine

by
janrinok
from SoylentNews on (#6FR38)

upstart writes:

Google-verified advertiser + legit-looking URL + valid TLS cert = convincing lookalike:

Google has been caught hosting a malicious ad so convincing that there's a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Looking at the ad, which masquerades as a pitch for the open-source password manager Keepass, there's no way to know that it's fake. It's on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to eepass[.]info, which when viewed in an address bar appears to be the genuine Keepass site.

A closer link at the link, however, shows that the site is not the genuine one. In fact, eepass[.]info -at least when it appears in the address bar-is just an encoded way of denoting xn--eepass-vbb[.]info, which it turns out, is pushing a malware family tracked as FakeBat. Combining the ad on Google with a website with an almost identical URL creates a near perfect storm of deception.

"Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain," Jerome Segura, head of threat intelligence at security provider Malwarebytes, wrote in a post Wednesday that revealed the scam.

Information available through Google's Ad Transparency Center shows that the ads have been running since Saturday and last appeared on Wednesday. The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google.

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments