Researchers from Spamhaus Technology said in a Feb. 2 post that they have seen a massive spike in malvertising — or malicious advertising — activities abusing Google search ads over the past few days.
"Threat researchers are used to seeing a moderate flow of malvertising via Google Ads. However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malwares being utilized. This is not the 'norm,'" the post warned.
The surge comes after malicious actors impersonated well-known brands such as Adobe Reader and Microsoft Teams to deliver numerous malware strains, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer and Vidar.
Roman Hüssy, founder of the open source threat intelligence initiative abuse.ch, said he suspects that a threat actor has recently started selling malvertising-as-a-service on the dark web, attracting a large audience of buyers. Specifically, he said that his team observed different infrastructure used for the ads and that, in some cases, the exact same search terms directed users to different malware families, both of which are indicators of a likely malvertising-as-a-service operation.
The Spamhaus Project's domain expert, Carel Bitter, questioned why Google Ads approved ads linking to new domains, given that the newly registered domains are always associated with a higher security risk, though he admitted his expertise lies in domains, not the ins and outs of Google Ads’ security protocols.
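The two signals raised above, a landing domain registered only days ago and a domain that trades on a brand name it does not belong to, are straightforward to check on the defender's side. The following is an added example (not code from Spamhaus, abuse.ch or Google) that scores ad landing domains from a constructed sample of click records with WHOIS creation dates; the 30-day threshold, the brand list and the sample data are assumptions.

```python
from datetime import date
from typing import Dict, List, Optional

# Constructed sample of ad click records (domain, WHOIS creation date, search query).
# Not real observations; the ".example" domains are placeholders.
SAMPLE_ADS = [
    {"domain": "adobe.com", "created": "1986-11-17", "query": "adobe reader download"},
    {"domain": "adobe-reader-download.example", "created": "2023-01-30", "query": "adobe reader download"},
    {"domain": "teams-microsoft-install.example", "created": "2023-01-31", "query": "microsoft teams"},
    {"domain": "microsoft.com", "created": "1991-05-02", "query": "microsoft teams"},
]

# Assumed allow-list: brand token -> domains that legitimately carry the brand.
BRAND_OFFICIAL = {"adobe": {"adobe.com"}, "microsoft": {"microsoft.com"}}


def domain_age_days(created: str, today: date) -> int:
    """Days between the WHOIS creation date (ISO format) and `today`."""
    return (today - date.fromisoformat(created)).days


def brand_lookalike(domain: str) -> Optional[str]:
    """Return the brand a domain impersonates, or None if it is an official domain
    or carries no known brand token at all."""
    host = domain.lower().rstrip(".")
    for brand, official in BRAND_OFFICIAL.items():
        if host in official:
            return None
        if brand in host:
            return brand
    return None


def assess(ads: List[Dict[str, str]], today: date, max_age_days: int = 30) -> List[Dict[str, object]]:
    """Flag ad landing domains that are newly registered and/or brand lookalikes.
    Returns one entry per flagged domain with the reasons and the query that led there."""
    flagged = []
    for ad in ads:
        reasons = []
        age = domain_age_days(ad["created"], today)
        if age <= max_age_days:
            reasons.append("newly_registered:%dd" % age)
        brand = brand_lookalike(ad["domain"])
        if brand:
            reasons.append("impersonates:" + brand)
        if reasons:
            flagged.append({"domain": ad["domain"], "query": ad["query"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in assess(SAMPLE_ADS, date(2023, 2, 2)):
        print(hit["domain"], hit["query"], ", ".join(hit["reasons"]))
```

Run against a real ad-click feed, the same query mapping to several freshly registered lookalike domains is the pattern worth alerting on.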
In a statement sent to SC Media, a Google spokesperson would only say the company is aware of the issue and is working to resolve the incidents "as quickly as possible." They did not respond to follow-up questions about how or why the ads were approved in the first place.
Spamhaus is one of multiple research firms to uncover recent evidence that flaws in Google’s advertising approval process are being exploited by malicious actors. Researchers from SentinelOne detailed a stealthy Google malvertising campaign using KoiVM virtualization technology to evade detection.
Aleksandar Milenkoski, senior threat researcher at SentinelOne, noted that the growing use of malware distribution methods other than Office macros, such as malvertising, is a response to Microsoft's security move of blocking macros in documents downloaded from the internet.