Taking advantage of users who may not realize that Adobe Flash Player reached end of life on Dec. 31, 2020, threat actors have been abusing Google Alerts to promote a fraudulent Flash Player "updater" that installs unwanted programs on victims' computers.
The threat actors create fake stories with titles containing popular keywords that Google Search indexes, according to a Sunday Bleeping Computer report. Once a story is indexed, Google Alerts notifies everyone following those keywords. When a recipient follows the alert's Google redirect link to the fake story, they land on the threat actor's malicious site.
At first, the threat actors reportedly redirected users to web pages that pushed browser notification spam, unwanted extensions, or fake giveaways purporting to come from well-known brands such as Amazon. Over the weekend, however, they were observed redirecting to a new campaign that tells users their Flash Player is outdated and prompts them to install an updater.
But Adobe Flash Player reached its end of life late last year, so there is no legitimate update to install; anything presented as a Flash Player updater is itself the unwanted software.
The threat actors are “quite clever” in using Google Alerts as an attack vector, said Ray Kelly, principal security engineer at WhiteHat Security. Typically bad actors would execute this type of attack through a standard phishing campaign, he said. But since email spam/malware detection algorithms have gotten better, malicious emails don’t reach victims as easily.
“Using Google Alerts as the mechanism to deliver malicious links to a victim gets around these filters as most users will whitelist the Google Alerts address to ensure they get the alert content,” Kelly said. “From there, it’s a matter of creating a clever enough title to get a user to click on the link. This leaves the last line of defense the user and malware protection installed on their machine.”
Security teams should make users aware of emerging threats so that they remain vigilant and report any issues, added Javvad Malik, security awareness advocate at KnowBe4.
“They should ensure popup blockers and malicious domains are blocked, as well as ensure there’s endpoint protection installed that can block and report any attempts at installation of malicious or potentially unwanted software,” Malik said.
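Kelly's point is that mail filters pass Google Alerts through because the sender is trusted, and Malik's is that malicious destinations should be blocked regardless. The two combine naturally: inspect the final destination of each Google redirect link in an alert, not the sender. The following is an added example, not code from the article or from Google. It assumes that Google Alerts wraps each result in a link of the form https://www.google.com/url?...&url=<destination>&... (with Google Search-style redirects carrying the destination in q= instead), and the e-mail fragment, hostnames and allowlist below are constructed for illustration.

```python
"""Unwrap Google redirect links in a Google Alerts e-mail and flag any
destination host that is not on a defined allowlist.

Added example; not from the article. Assumptions (not confirmed by the
article): Google Alerts redirect links look like
https://www.google.com/url?...&url=<destination>&... and Google Search
redirects use q=<destination>. The sample body below is constructed.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample: a fragment of an HTML alert body with three result links.
SAMPLE_ALERT_BODY = """
<a href="https://www.google.com/url?rct=j&amp;sa=t&amp;url=https://flash-news.example.com/player-update&amp;ct=ga&amp;usg=AOvVaw0">Flash Player update required</a>
<a href="https://www.google.com/url?rct=j&amp;sa=t&amp;url=https://news.example.org/tech/story&amp;ct=ga&amp;usg=AOvVaw1">Legitimate tech story</a>
<a href="https://www.google.com/url?q=http://update.example.net/flash.php&amp;sa=D">Update now</a>
"""

# Hosts that Google uses for its redirector (assumption).
REDIRECT_HOSTS = {"www.google.com", "google.com"}


def unwrap_google_redirect(href: str) -> Optional[str]:
    """Return the destination of a Google /url redirect link, or None if
    `href` is not such a link. HTML-escaped ampersands are decoded first."""
    href = href.replace("&amp;", "&")
    parsed = urlparse(href)
    if parsed.netloc.lower() not in REDIRECT_HOSTS or parsed.path != "/url":
        return None
    params = parse_qs(parsed.query)
    for key in ("url", "q"):  # Alerts use url=, Search redirects use q=
        if key in params:
            return params[key][0]
    return None


def extract_destinations(html: str) -> List[str]:
    """Collect the real destinations behind every Google redirect href."""
    destinations = []
    for href in re.findall(r'href="([^"]+)"', html):
        dest = unwrap_google_redirect(href)
        if dest:
            destinations.append(dest)
    return destinations


def flag_destinations(html: str, allowlist: Set[str]) -> List[Tuple[str, bool]]:
    """Pair each destination with True if its host is on (or under) an
    allowlisted domain, False otherwise. Unlisted hosts are what a mail
    gateway or endpoint control should block or at least report."""
    results = []
    for dest in extract_destinations(html):
        host = urlparse(dest).netloc.lower()
        allowed = any(host == d or host.endswith("." + d) for d in allowlist)
        results.append((dest, allowed))
    return results


if __name__ == "__main__":
    for dest, ok in flag_destinations(SAMPLE_ALERT_BODY, {"example.org"}):
        print("ALLOW " if ok else "FLAG  ", dest)
```

The design choice is to key on the unwrapped destination rather than the sender or the google.com wrapper, since the article's point is that both of those look trustworthy to a filter. In practice the allowlist would be replaced or supplemented by a reputation or malicious-domain feed, but the unwrapping step is the same.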