
News Update! How to detect Facebook and Google malicious ad campaigns

By Anna

August 22, 2024


In this edition of AdSecure’s Malvertising news update we take a look at three different malicious advertising approaches, all exploiting weaknesses of popular advertising platforms such as Facebook and Google Ads. Some of them remained undetected for several years in a row, infecting end users’ devices and stealing their sensitive information, or even selling it to other malicious third parties. Read on to find out about them, how to detect Facebook and Google malicious ad campaigns, and how to stop them with AdSecure!

Leader of international Malvertising schemes charged over long-running Ransomware and Scareware crimes

In the District of New Jersey, Malvertiser Maksym Silnikov, along with cybercriminals Volodymyr Kadariya and Andrei Tarasov, is charged with offenses associated with spreading the Angler Exploit Kit along with Malware, Scareware and other online scams to the devices of millions of unsuspecting internet users through Malvertising tactics in the US and worldwide, from October 2013 to March 2022. In the Eastern District of Virginia, Silnikov has been charged with creating and spreading Cartel Ransomware and associated Ransomware operations beginning in May 2021, including Angler Exploit Kit Malware. The Angler Exploit Kit Malvertising campaigns were designed to look like legitimate ads, but often redirected end users to malicious websites or servers that downloaded Malware onto their devices. The group defrauded several US-based ad platforms into delivering the compromised ads, using online personas to pose as legitimate advertisers.

The Angler Exploit Kit targeted browser vulnerabilities and those of their associated plug-ins, making it the leading vehicle through which other Malvertisers delivered Malware onto compromised devices. The conspirators also enabled the delivery of Scareware ads claiming to have identified a virus or other issue with the targeted end user’s device, deceiving victims into buying or downloading dangerous software (ironically containing viruses itself), or into granting remote access to the device and disclosing sensitive personal information.

The Malvertising group used multiple strategies to profit from their widespread Malvertising and online fraud schemes. For instance, they used predominantly Russian cybercriminal forums to sell other malicious advertisers access to the compromised devices of end users. They also sold information stolen from victims, such as banking and login details, enabling further efforts to defraud unsuspecting end users or to deliver additional Malware to their devices. This is a prime example of why protecting your Ad Network against InfoStealer Malware should be a main focus for you and your Compliance Team.

Google Ads compromised with fake Malware-infested Google Authenticator site

Google Ads has once again fallen victim to Malvertising tactics, allowing malicious advertisers to promote bogus Google Authenticator ad campaigns riddled with DeerStealer information-stealing Malware. This is one of many instances over the years where Google has been targeted by bad actors in order to place ads impersonating well-known software sites that install Malware on unsuspecting end users’ devices. To make matters worse, the Malvertiser’s identity was verified by Google, exposing another weakness in the ad platform that Malvertisers abuse.

The Malvertising campaign showed legitimate click URLs such as "google.com" and "https://www.google.com", lending the advertisement a sense of trust and making it more convincing. Once clicked, the URL redirected the end user to a malicious site using domains such as "chromeweb-authenticators.com", "authenticcator-descktop[.]com" and so on, all impersonating a genuine Google portal. Clicking the "Download Authenticator" button on the fake site downloads an executable file named "Authenticator.exe", which then infects the end user’s device.

This strategy is known as URL Cloaking or Ad Cloaking, and has in the past been used in campaigns targeting KeePass, Arc browser, YouTube, and Amazon. When asked how Malvertisers can launch ad campaigns posing as legitimate companies, Google said that threat actors evade detection by creating thousands of accounts simultaneously and by using text manipulation and cloaking to show reviewers and automated systems a different website than a regular visitor would see. This is why detecting Facebook and Google malicious ad campaigns, and protecting your Ad Network against InfoStealer Malware, is done more efficiently with automated Malvertising scanning and removal software such as AdSecure, combined with an in-house Compliance Team.
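To make the cloaking pattern above concrete, here is an added example of the checks an ad scanner can run on a single creative (illustrative code written for this article, not AdSecure’s product). It assumes the ad has been crawled under two profiles, one resembling an ad reviewer and one resembling a regular visitor, and the redirect chains below are constructed sample data using the domains quoted above.

```python
import difflib
from urllib.parse import urlparse

# Constructed allowlist: legitimate domain -> brand keywords it owns (assumption for this example).
BRAND_KEYWORDS = {"google.com": ["google", "authenticator"]}

def registrable_domain(url):
    """Hostname without a leading 'www.' (simplification: no public-suffix list)."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def looks_like_brand(domain, brands=BRAND_KEYWORDS):
    """Return the brand a domain imitates, or None if it is the brand itself or unrelated.
    Tokens of the first label are fuzzy-matched so misspellings ('authenticcator') still trip."""
    tokens = domain.split(".")[0].split("-")
    for legit, keywords in brands.items():
        if domain == legit or domain.endswith("." + legit):
            return None
        for tok in tokens:
            if any(difflib.SequenceMatcher(None, tok, k).ratio() > 0.8 for k in keywords):
                return legit
    return None

def scan_ad(ad):
    """Findings for one ad: {"display_url": str, "chains": {profile: [redirect hops...]}}."""
    findings = []
    shown = registrable_domain(ad["display_url"])
    finals = {p: registrable_domain(chain[-1]) for p, chain in ad["chains"].items()}
    if len(set(finals.values())) > 1:           # reviewer and visitor land on different sites
        findings.append("cloaking: landing differs by visitor profile")
    for profile, final in finals.items():
        if final != shown:                       # display URL does not match where the click lands
            findings.append(f"{profile}: display {shown} but lands on {final}")
        if (target := looks_like_brand(final)):  # lookalike of a protected brand
            findings.append(f"{profile}: {final} impersonates {target}")
        if ad["chains"][profile][-1].lower().endswith(".exe"):
            findings.append(f"{profile}: landing serves executable")
    return findings

# Constructed sample creatives: the first mirrors the fake Authenticator campaign, the second is benign.
ADS = [
    {"display_url": "https://www.google.com",
     "chains": {"reviewer": ["https://www.google.com"],
                "visitor": ["https://www.google.com", "https://chromeweb-authenticators.com/",
                            "https://authenticcator-descktop.com/Authenticator.exe"]}},
    {"display_url": "https://example.org",
     "chains": {"reviewer": ["https://example.org/promo"], "visitor": ["https://example.org/promo"]}},
]

if __name__ == "__main__":
    for ad in ADS:
        print(ad["display_url"], scan_ad(ad) or ["clean"])
```

A real scanner would fetch each hop live under several user agents, referrers and geographies, which is exactly what makes reviewer-only cloaking visible.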

Fake Facebook AI editor ads promote Malware: Clear your ad supply chain of InfoStealer attacks

Lastly, we bring you another example of why understanding how to detect Facebook and Google malicious ad campaigns matters for the end user, and why you should aim, as an Ad Network, to clear your ad supply chain of InfoStealer attacks. A Facebook Malvertising campaign targets end users searching for AI image editing tools and steals their login details by swindling them into installing fake editing apps and programs that pose as legitimate software. The Malvertisers exploit the popularity of AI image creation software by promoting malicious sites that mimic legitimate services, tricking end users into downloading InfoStealer Malware onto their devices.

The attacks start with phishing DMs sent directly to Facebook page administrators, which send them to fake account-protection landing pages designed to trick them into providing their login details. After stealing their credentials, the Malvertisers take over the accounts and their pages, publish infected social media posts, and promote malicious Facebook advertising campaigns. Facebook users who click the URL in the fake ads are sent to a malicious landing page impersonating legitimate AI photo editing and generating apps, where they are prompted to download and install a software package which bundles the ITarian remote desktop tool, configured to launch a downloader that automatically deploys the Lumma Stealer Malware.

The Malware then quietly infiltrates the end user’s device, allowing the Malvertiser to collect sensitive information such as credentials, cryptocurrency wallet files, browser data, and password manager databases. This data is then sold to other Malvertisers, or used by the original bad actor to compromise the victims’ online accounts, steal their money, and run further attacks.

Conclusion: How to detect Facebook and Google malicious ad campaigns

Although many Ad Networks have their own Compliance Team working hard to keep their ads clean, the human eye can miss tactics like Ad Cloaking, especially when large volumes of fake accounts are created simultaneously every single day. This is why Ad Networks often fall victim to Malvertising attempts, failing to prevent Ransomware and Scareware crimes, especially when a robust Real-Time Ad Security system has not been put in place. Here at AdSecure we can help you keep your ad supply chain free of such threats, helping you offer a secure and pleasant browsing experience to end users. Get in touch with us to organize a meeting with our team and we will discuss how to detect Facebook and Google malicious ad campaigns, or sign up for a Free Trial now and protect your Ad Network against InfoStealer Malware starting from this very moment.
