Supply chain, Malware

Researchers track worrying jump in ‘malvertising’ targeting Google ads

A multi-colored Google Cloud logo is seen

Researchers from Spamhaus Technology said in a Feb. 2 post that they have seen a massive spike in malvertising — or malicious advertising — activities abusing Google search ads over the past few days.

"Threat researchers are used to seeing a moderate flow of malvertising via Google Ads. However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malwares being utilized. This is not the 'norm,'" the post warned.

The surge comes after malicious actors impersonated well-known brands such as Adobe Reader and Microsoft Teams to deliver numerous malware strains, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer and Vidar.

Roman Hüssy, founder of the open source threat intelligence initiative abuse.ch, said he suspects that a threat actor has recently started selling malvertising-as-a-service on the dark web, attracting a large audience of buyers. Specifically, he said that his team observed different infrastructure used for the ads and that in some cases, researchers observed the exact same search terms directing users to different malware families, all indicators of a likely malvertising-as-a-service operation.

The Spamhaus Project's domain expert, Carel Bitter, questioned why Google Ads approved ads linking to new domains, given that the newly registered domains are always associated with a higher security risk, though he admitted his expertise lies in domains, not the ins and outs of Google Ads’ security protocols.  

In a statement sent to SC Media, a Google spokesperson would only say the company is aware of the issue and is working to resolve the incidents "as quickly as possible." They did not respond to follow up questions about how or why the ads were approved in the first place.

Spamhaus is one of multiple research firms to uncover recent evidence that flaws in Google’s advertising approval process are being exploited by malicious actors. Researchers from SentinelOne detailed a stealthy Google malvertising campaign using KoiVM virtualization technology to evade detection.

Aleksandar Milenkoski, senior threat researcher at SentinelOne, noted that the increasing use of alternative malware distribution methods to Office macros, such as malvertising, is due to Microsoft's security move of blocking macros embedded in documents downloaded from the internet.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.