Threat Actors Are Placing Ads On Google Search In New Phishing Attack Campaign
Security experts at Palo Alto have issued a warning regarding a new phishing attack campaign.
Threat actors are now resorting to including ads in places you’d least expect them such as between search results on Google. They’ll appear as an ad and if you end up clicking on them, you’ll be reaping the consequences, the experts warned.
The researchers from the company’s Unit 42 security division shared more details about the campaign that’s different from classic phishing attacks. They were first seen in June of this year.
Making the most of the GlobalProtect VPN brand, they decided to include ads on Google that linked to malicious pages. These imitated Palo Alto pages for Global Protect and enabled users to download disguised malware loaders. Amongst the most common ones included WikiLoader.
This can install more payloads, steal data, and give attackers greater access remotely.
The loader has been active for a while now and also keeps getting updated with more unique tricks and features since we last heard about it, the experts revealed.
Researchers feel many people are shifting from phishing towards delivery via SEO poisoning. This is the perfect example of this notion. For those who might not be aware, SEO poisoning means sites controlled by attackers show up on the front pages of searches instead of actual products. Hackers try to buy ads or improve the page rankings.
This is why experts at Palo Alto have issued a warning on this front as this scheme can broaden the scope linked to potential victims as organizations in the US higher education and transportation get impacted by Wikiloader.
We agree that the technique used here is nothing too unique, it’s still an effective means to deliver loaders to endpoints. Spoofing trusted software is likely to help in bypassing endpoints at companies that rely on such listings.
In the past, threat actors did make use of Wikiloaders for delivering banking trojans like Danabot to different companies in Italy. Attackers were using tricks to disguise themselves and prevent detection.
Sample files are taken from victims like GlobalProtect64 which was a renamed copy of real share trading apps used for sideloading the initial Wikiloader component. Moreover, the zip archive included close to 400 hidden files.
To ensure victims were tricked, malware displayed fake error texts stating DLL was missing after infections were complete. Other renamed software like Microsoft Sysinternals tool was disguised in installers to sideload any backdoor options.
To ensure command and control were still effective, they worked with compromised WordPress pages.
