Searching Google for downloads of popular software has always come with risks, but over the past few months, it has been downright dangerous, according to researchers and a pseudorandom collection of queries.
"Threat researchers are used to seeing a moderate flow of malvertising via Google Ads," volunteers at Spamhaus wrote on Thursday. "However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not 'the norm.'"
The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.
(Score: 4, Interesting) by Hyper on Wednesday February 08, @02:06PM
This has been the rule for the last two decades. Google may be useful for finding the legit site to obtain software. Nothing else. Wikipedia is often better.
(Score: 3, Funny) by DannyB on Wednesday February 08, @02:58PM
If I think twice instead of once, that makes it safe to download software found by using Google.
That makes since. Otherwise why wood I need to think twice before downloading.
Got it!
How often should I have my memory checked? I used to know but...
(Score: 2) by bzipitidoo on Wednesday February 08, @03:42PM (2 children)
OBS? I don't know what OBS is. Let me Google ... uh, hang on, that's not safe? Crap, what are we going to do?
SAaay, you weren't trying to trick me, were you??
(Score: 2) by Freeman on Wednesday February 08, @07:35PM (1 child)
The issue is that people are being lazy: instead of searching Google for OBS and going directly to OBS to download their software, they are just clicking a "download link" that Google search provided, which is what malvertisers are hijacking or whatever. I may have got lazy at the end of the explanation, but that's more or less it.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Insightful) by legont on Thursday February 09, @02:48AM
They are not hijacking. They simply advertise their links while Google tries hard to make ads look like genuine search results. It doesn't have to be a download link either.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 1) by ShovelOperator1 on Wednesday February 08, @05:04PM (5 children)
So when will Microsoft come up with the solution?
And will the solution be to forbid running applications from sources which are not paying MS, effectively preventing users from creating and exchanging free software?
Because the fake download links in Google have been a plague since the early 2010s, and all attempts to show the problem in the media always ended with a "you got what you seen" response. Now there's a difference: someone did the research and someone is republishing it without such a response. Maybe corporations want to "fix" the problem?
(Score: 4, Informative) by EJ on Wednesday February 08, @05:43PM (4 children)
The solution is the same as it's always been: Don't be dumb.
This is not a new phenomenon. Even before computers, we had door-to-door solicitors. We've had scammers since the beginning of time. If you want to only run software you completely trust, then only run software you write yourself. Anything else is you putting your trust in someone else. Why should you trust Microsoft more than Google?
The "best" thing to do is to get the software you want directly from the vendor. Even then, you need to be careful that you don't end up on a typo-squatting site. Just be extra-vigilant in your software acquisition activities.
Locking down PC software is the worst possible idea.
(Score: 2) by Freeman on Wednesday February 08, @07:29PM
Locking down PC software == Apple / Macintosh
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by legont on Thursday February 09, @02:52AM (2 children)
To go directly to a vendor, one has to find the vendor somehow. The search engine was invented for this, wasn't it?
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 3, Insightful) by maxwell demon on Thursday February 09, @04:44AM (1 child)
The crucial point is that finding the vendor and verifying that it is indeed the vendor you found are two separate steps. The search engine can help you with the first, but not with the second.
The Tao of math: The numbers you can count are not the real numbers.
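The two-step point above (find the vendor, then verify that the host you landed on really is the vendor) and the typo-squatting warning in EJ's post can be turned into a simple pre-download check. The following is an added example, not code from the thread or from any of the named projects; the allowlist of official hosts is an assumption maintained by the defender, and the lookalike rules (brand name embedded in a foreign host, or within two edits of the expected name) are a heuristic, not a guarantee.

```python
from urllib.parse import urlsplit

# Assumed allowlist of official download hosts for some brands named in the
# article. Constructed for this example; keep your own, verified, list.
OFFICIAL_HOSTS = {
    "obs": "obsproject.com",
    "gimp": "gimp.org",
    "tor": "torproject.org",
    "thunderbird": "thunderbird.net",
    "slack": "slack.com",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of a host; adequate for .com/.org/.net style domains."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify_download_url(url: str, brand: str) -> str:
    """Return 'official', 'lookalike' or 'unknown-host' for a download URL.

    Only 'official' should be allowed; the other two verdicts differ just in
    how the link is reported (impersonation attempt vs. random third party).
    """
    if "://" not in url:            # bare hostnames as pasted from an ad
        url = "https://" + url
    expected = OFFICIAL_HOSTS[brand]
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return "official"
    expected_name = expected.split(".")[0]
    actual_name = registrable_domain(host).split(".")[0]
    # Brand name placed in a subdomain or a longer registered name, or a
    # host that is a couple of keystrokes away from the real one.
    if expected_name in host or edit_distance(actual_name, expected_name) <= 2:
        return "lookalike"
    return "unknown-host"
```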
(Score: 2) by legont on Thursday February 09, @03:31PM
Sure it can help with the verification. There are certificates out there.
Meantime the search engine serves ads linked to fake sites. They accepted payment for the criminal activity, which is a crime in pretty much any book.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 0) by Anonymous Coward on Wednesday February 08, @09:33PM
"there are no Fnords in the advertisements"
(Score: 3, Funny) by maxwell demon on Thursday February 09, @04:47AM (2 children)
I don't use Google to download software, I use Firefox. I guess I'm safe then. :-)
Well, actually most of the time I'm using my distribution's package manager.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Freeman on Thursday February 09, @02:33PM (1 child)
Depends on whether you're using Google or DuckDuckGo as your search engine. That said, a distribution's package manager isn't infallible either. There's just a lot less money to be had for malware writers to try and get a bad package into a distribution.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by maxwell demon on Thursday February 09, @06:58PM
Of course nothing is infallible. I remember from back when CD-ROMs were common, that once a CD-ROM for an antivirus was infected with a virus …
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Interesting) by Anonymous Coward on Thursday February 09, @08:19AM
I do use uBlock, VirusTotal, DNS over HTTPS and my brain though.
For example, if according to VirusTotal the software was first seen in 2016 and from 2016 till now none of the AV bunch or the community thinks it's malware, then even if it's malware it's probably targeted malware, and unless you're one of the targets[1] you are unlikely to be affected by it.
If you're worried install it in a sandboxed VM.
[1] If you don't know what I mean by target you probably aren't a target or you're gonna get pwned eventually anyway.