Paid Google ads used to promote spoofed websites containing malware.

You may think it is perfectly safe to click on a sponsored ad; after all, Google is a well-known, legitimate search engine, right? Not exactly. Cybercriminals are using paid ads to trick unsuspecting users into downloading malware. It gets scarier than that: using Punycode, threat actors are also able to replicate legitimate websites under almost identical domain names.

Case Study

Spoofed Brave Browser used to push malware:

Scammers have been found to use paid Google Ads to promote their spoofed version of the brave.com browser.

Clicking on the ad took you to a site that looked identical to the legitimate brave.com site, with one key difference: when you tried to download the browser, you downloaded malware known as both ArechClient and SectopRat instead. A 2019 analysis from security firm G Data showed this to be a remote access trojan, capable of streaming your current desktop or creating a second, invisible desktop for the attackers to use.

Upon investigating further, Martijn Grooten, head of threat intelligence research at Silent Push, found seven additional domains spoofed by the attacker behind this scam.

These included:

screencast.com

flightsimulator.com

brave.com

exodus.com

tradingview.com

torbrowser.com

telegram.com

What is Punycode?

Punycode is an encoding that represents words which cannot be written in ASCII (American Standard Code for Information Interchange), because they contain Unicode characters, as a plain ASCII string.

This can be especially useful for spoofing domain names. The global Domain Name System (DNS) is limited to ASCII characters; by using Punycode, you can include non-ASCII characters in a domain name. For example, some letters in the Greek, Cyrillic and other alphabets look almost identical to letters in the Roman alphabet.

ASCII does not support languages like Greek or Hebrew. Threat actors can therefore use Punycode as a way of including characters that ASCII cannot represent. This way they can replace some Roman characters with identical or similar-looking characters from other alphabets, creating a different domain name that is almost indistinguishable from the address of the site they are trying to spoof.
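To make this concrete, here is a small added Python example (not code from the original article) showing what a lookalike domain turns into once it reaches DNS, and the check a defender can run on a URL before trusting it: convert the displayed name to its xn-- form and flag any label that mixes writing systems. The sample domains are constructed for the example.

```python
import unicodedata

# Constructed sample domains for this example; the lookalikes are built by
# swapping one Latin letter for a Cyrillic or Greek one that renders the same.
SAMPLES = [
    "brave.com",              # genuine, pure ASCII
    "br\u0430ve.com",         # Cyrillic small a (U+0430) instead of Latin a
    "tr\u03b1dingview.com",   # Greek small alpha (U+03B1) instead of Latin a
]


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form that the browser actually sends to DNS."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Display form of a domain given in either xn-- or Unicode form."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def letter_scripts(label: str) -> set:
    """Writing systems of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def homograph_warnings(domain: str) -> list:
    """Warnings for labels that hide non-ASCII letters or mix writing systems."""
    display = to_unicode(domain)
    warnings = []
    for label in display.split("."):
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            warnings.append(f"label '{label}' mixes {sorted(scripts)} letters")
        if not label.isascii():
            warnings.append(f"label '{label}' resolves as '{to_punycode(label)}'")
    return warnings


if __name__ == "__main__":
    for d in SAMPLES:
        print(d, "->", to_punycode(d), homograph_warnings(d) or "no warning")
```

Mixed-script labels are the common case in this kind of scam, but a label written entirely in one non-Latin script can still look like a Latin name, so the xn-- form itself is the value worth comparing against the site you meant to visit.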

How does this affect you?

As an individual browsing the web, it means you could be infected by some nasty malware within just a few clicks, without ever realising it. Attackers could gain remote access to your PC, leaving you badly exposed to the loss of personal or financial information.

As a business, the effects extend beyond the loss of sensitive information if one of your machines is infected. When threat actors are able to host dangerous ad campaigns via Google Ads, consumers may become very hesitant to interact with ads at all, rendering your own campaigns less effective. It can also mean your site is spoofed, causing a lot of damage to your reputation if it is not handled quickly and effectively.

How can you protect yourself?

As an individual, the only defence is unfortunately a tedious one. You should always inspect the URL of the sites you are visiting to make sure it is the legitimate site. Avoid accessing websites and downloading files through Google Ads. Always do extra research and make sure you are on the legitimate site you are trying to access.

As a business, you may want to dedicate a few minutes now and then to search for your company name or related keywords and see what shows up. This is a quick way to spot any suspicious websites posing as your company site.

Another option you may consider is to buy up all the possible domain combinations that could look identical to yours. This could prove a little costly, however, so you may want to stick with the first option. You should also inform and train your employees to watch out for these threats.