Google-hosted malvertising leads to fake Keepass site that looks genuine

by Dan Goodin, from Ars Technica
Google has been caught hosting a malicious ad so convincing that there's a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Screenshot of the malicious ad hosted on Google. (credit: Malwarebytes)

Looking at the ad, which masquerades as a pitch for the open source password manager Keepass, there's no way to know that it's fake. It's on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which, when viewed in an address bar, appears to be the genuine Keepass site.

Screenshot showing keepass.info in the URL and Keepass logo. (credit: Malwarebytes)

A closer look at the link, however, shows that the site is not the genuine one. In fact, ķeepass[.]info, at least when it appears in the address bar, is just an encoded way of denoting xn--eepass-vbb[.]info, which, it turns out, is pushing a malware family tracked as FakeBat. Combining the ad on Google with a website with an almost identical URL creates a near-perfect storm of deception.
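
The mapping between xn--eepass-vbb[.]info and the name shown in the address bar can be checked mechanically. The Python sketch below is an added example, not code from the article or from Malwarebytes; the `PROTECTED` list and the function names are assumptions chosen for illustration.

```python
import unicodedata

# Assumption: domains the defender wants to protect (keepass.info is the one in the article).
PROTECTED = {"keepass.info"}

def to_unicode(hostname):
    """Decode each xn-- (punycode) label to the Unicode form a browser may display."""
    labels = []
    for label in hostname.replace("[.]", ".").lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label for the analyst
        labels.append(label)
    return ".".join(labels)

def skeleton(hostname):
    """Strip diacritics so accented look-alikes collapse onto plain ASCII letters.
    This only catches accent-based spoofs, not cross-script homoglyphs (e.g. Cyrillic)."""
    decomposed = unicodedata.normalize("NFKD", hostname)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def check(hostname):
    """Report how a hostname is displayed and whether it imitates a protected domain."""
    shown = to_unicode(hostname)
    non_ascii = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                 for c in shown if ord(c) > 127]
    skel = skeleton(shown)
    return {
        "displayed": shown,
        "non_ascii": non_ascii,
        # Flag only names that differ from the real one yet reduce to it.
        "lookalike_of": skel if non_ascii and skel in PROTECTED else None,
    }

if __name__ == "__main__":
    # The defanged hostname from the article, and the genuine one for comparison.
    for host in ("xn--eepass-vbb[.]info", "keepass.info"):
        print(host, "->", check(host))
```

Run over proxy or DNS logs, the same check surfaces any `xn--` hostname whose displayed form reduces to a domain on the protected list.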
