Malicious Google Ads Target Mac Users with Fake Homebrew Site

Cybercriminals frequently exploit Google Ads to promote malicious websites, pushing them to the top of search results. A recent example involves a fraudulent Homebrew website designed to steal personal data, browsing history, login credentials, and even banking information from unsuspecting Mac users.

This malicious campaign, initially identified by Ryan Chenkie on X (formerly Twitter) and reported by BleepingComputer, employed a deceptive tactic: the Google Ad displayed the legitimate Homebrew URL (brew.sh), making it nearly impossible to detect the fraud before clicking.

Users who clicked the ad were redirected to a fake site hosted at “brewe.sh,” a subtle yet crucial difference. Fortunately, Google swiftly removed the ad after being alerted. However, the incident raises concerns about how such deceptive ads can bypass Google’s safeguards.

This tactic, known as “URL cloaking,” allows malicious actors to deceive both users and Google’s review systems. According to BleepingComputer, these actors create numerous accounts and manipulate text to mask the true destination URL. This sophisticated approach makes it challenging for Google to detect and prevent such attacks.

The complexity of this scheme suggests a significant effort by cybercriminals, highlighting the difficulty Google faces in addressing this issue. The company is reportedly scaling up its automated systems and human review processes, a costly endeavor, to combat these malicious campaigns.

URL cloaking proves particularly effective against technically savvy users, like those who use Homebrew, a package manager for macOS and Linux. These individuals are less likely to fall for obvious URL discrepancies, making cloaking a potent tool for targeting them.

Security researcher JAMESWT identified the infostealer used in this campaign as AmosStealer (also known as Atomic), a macOS-specific malware. Written in Swift, this malware targets both Intel and Apple Silicon Macs and is sold on a subscription basis for $1,000 per month.

To protect yourself from such threats, vigilance is key. Always verify the displayed URL before clicking on an ad and double-check the website’s URL after it loads, paying close attention to even single-character variations.

A simple yet effective strategy is to avoid clicking on Google Ads altogether. When searching for a specific website, the official link will appear in the organic search results. Alternatively, if an ad piques your interest, search directly for the company or product instead of clicking the ad.

Finally, consider exploring privacy-focused search engines like DuckDuckGo or Qwant (in Europe) for a more secure online experience.

This incident underscores the importance of online safety and the ongoing battle against increasingly sophisticated cyber threats. By staying informed and adopting proactive measures, users can significantly reduce their risk of becoming victims of these malicious campaigns.
