Google is still struggling to keep cybercriminals from running malicious ads on its search platform. The search engine giant’s users continue to be tricked into downloading dangerous versions of popular free software applications. These malicious ads appear at the top of search results, even before legitimate links to the same software. This raises concerns about searching for software on Google.
Google claims that user safety is a top priority, and they have a dedicated team enforcing abuse policies around the clock. While the threat from bad ads leading to malware has reduced compared to a year ago, new examples of these ads leading to malware are still common.
An example of misleading ads displayed for the free graphic design program FreeCAD was found earlier this week. The “Sponsored” ad at the top claimed to offer the software, but the link directed to a malicious website at freecad-us[.]org. This site is registered in the Netherlands and is the newest of over 200 similar domains that deceive users into downloading backdoored software.
The domain is one among the many that appear provoking users to visit the site. Often, the hosted malicious content may not be displayed immediately but might be cycled into display for a brief period, making it challenging to track and take action against.
While Google has taken action against some of the domain’s malicious activity, other domains continue to be active. The company says it removed 5.2 billion ads in 2022 and restricted over 4.3 billion ads, claiming that maintaining ad safety is a priority.
The ongoing malicious ad campaign, known as MalVirt, remains a mystery in terms of attribution and motives. Google’s Ad Transparency tools did not reveal much about the culprits orchestrating these campaigns. However, Sentinel One’s report suggests that the surge in malicious ads spoofing various software products led to increased malware infections from trojans like IcedID, Redline Stealer, Formbook, and AuroraStealer. This campaign is showing lower volume compared to a year ago, but it’s clear that cybercriminals are employing sophisticated methods to bypass Google’s protection.
Although Google has taken steps to address these issues, it remains unclear why the company has not taken more decisive action to block these malicious domains or remove them from its search index entirely. This highlights the ongoing challenge and the cat-and-mouse game between Google and cybercriminals.