Researchers have discovered another malicious campaign that uses Google Ads to steal sensitive user data – specifically Amazon Web Services (AWS) login credentials.
Sentinel Labs experts recently discovered a Google Ads campaign that advertised a malicious landing page, which appeared at the top of the search giant's results.
People who googled "aws" would see the malicious landing page in second place, masquerading as a vegan food blog.
Categorization of stolen data
People who visited this page were then presented with a fake AWS login page, where any information they entered was stolen.
In addition, the site encouraged victims to choose whether they were root users or IAM users, helping scammers categorize stolen credentials based on utility and value.
The attackers also added a JavaScript feature, disabling right-click, middle mouse button and keyboard shortcuts, the researchers added, speculating that this feature was included to discourage victims from easily leaving the landing page.
Sentinel Labs discovered the campaign on January 30, 2023, and further investigation showed that the attackers were most likely Brazilians.
The researchers reported the attack to Cloudflare, which shut down the malicious account, but BleepingComputer says the Google ads are still active. We have not been able to independently verify if this is still the case, or if Google has done its job in the meantime.
Cybercriminals are constantly trying to use the Google Display Network to deliver malware and steal user data. The search engine giant is widely perceived as trusted, which makes people less vigilant when clicking on search results. Last December, researchers at Malwarebytes uncovered a campaign where scammers used traffic from an adult website to generate clicks on Google banner ads, earning huge profits.
By: BleepingComputer