Google Ads Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/google-ads/

Kinsta Alerts About Phishing Campaign on Google Ads
https://gridinsoft.com/blogs/kinsta-phishing-google-ads/
Mon, 18 Dec 2023 22:15:34 +0000

Kinsta, a prominent WordPress hosting provider, has issued a warning to its customers regarding a concerning new trend in cyberattacks. Cybercriminals are now leveraging Google Search Ads to promote phishing websites aimed at stealing user credentials, particularly those for Kinsta’s vital service, MyKinsta, which is used to manage WordPress and other cloud-based applications.

Kinsta Phishing: Hackers Exploit Google Ads

In an email notification, Kinsta shares that cybercriminals use Google Ads as the primary vector for their phishing attacks. These attackers specifically target individuals who have previously visited Kinsta’s official websites. They craft fraudulent websites that closely mimic Kinsta’s own, cunningly enticing users to click on them.

The email from Kinsta states:

Email from Kinsta

The Impact

This incident highlights a broader trend of cybercriminals exploiting Google Ads to deceive users and compromise their security. I reviewed the first massive case of 2023 back in January, though similar phishing ads kept appearing throughout the year. Recent examples include deceptive ads masquerading as legitimate pages for Amazon. Clicking on these ads redirected users to tech support scams.

The primary objective was to lure users into entering their Kinsta login credentials on the fake website. Once stolen, attackers could exploit these credentials to gain access to users’ WordPress websites, potentially causing serious damage. This could include:

  • Sensitive information stored on compromised websites, such as customer data, financial details, and intellectual property, could be exposed.
  • Attackers could inject malicious code into compromised websites, redirecting visitors to phishing sites or spreading malware further.
  • The website’s content could be defaced or replaced with malicious messages.
  • Access to payment gateways or sensitive financial information could lead to financial losses for users or their clients.
  • A successful phishing attack could damage Kinsta’s reputation by casting doubt on its security measures and leading to user distrust.

Phishing increases with Google Ads

Google Ads, a widely used advertising platform, has unfortunately become an increasingly popular tool for hackers and cybercriminals. These individuals and groups are exploiting the platform’s reach and visibility to carry out various malicious activities.

Several websites advertised fake downloads for popular software, including Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave, through Google Ads.

Protecting Against Phishing Threats

Kinsta emphasizes the malicious nature of these sponsored websites and strongly advises users to exercise extreme caution when dealing with any links: legitimate links lead directly to the official kinsta.com or my.kinsta.com domains. The company also urges users to enable two-factor authentication (2FA) on their accounts to further enhance security.

To protect against these threats, it is crucial to exercise caution when interacting with online ads. Always verify the URLs of the websites you visit and refrain from clicking on suspicious links or sharing login credentials in response to unsolicited messages. To be completely sure that you are following a proper link, avoid clicking any ads in Google Search and use the regular results instead.
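
As an added example (not code from Kinsta or from this blog), the Python sketch below checks that a link's real host is exactly kinsta.com or my.kinsta.com, the two domains named in the advisory, and flags lookalike hosts that only contain the brand name. The HTTPS-only rule, the function names and the sample URLs (on reserved .example domains) are assumptions made for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# The two hosts Kinsta's advisory names as legitimate destinations.
OFFICIAL_HOSTS = {"kinsta.com", "my.kinsta.com"}
BRAND = "kinsta"

# Constructed sample links (reserved .example domains), not real indicators.
SAMPLES = [
    "https://my.kinsta.com/login",
    "https://MY.KINSTA.COM:443/",
    "https://my.kinsta.com.login.example/",     # official name used as a subdomain
    "https://my.kinsta.com@portal.example/",    # official name hidden in userinfo
    "https://portal.example\\@my.kinsta.com/",  # browsers read a backslash as "/"
    "https://my-kinsta.example/",
    "https://blog.example/kinsta-review",       # brand only in the path
]


def real_host(url: str) -> Optional[str]:
    """Return the host the link resolves to, or None if it cannot be trusted."""
    # Browsers and urllib disagree on backslashes, whitespace and control
    # characters, so reject such URLs instead of guessing.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in url):
        return None
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, userinfo and port removed
    except ValueError:
        return None
    if parts.scheme != "https" or not host:  # assumption: HTTPS links only
        return None
    return host.rstrip(".")


def is_official(url: str) -> bool:
    return real_host(url) in OFFICIAL_HOSTS


def brand_lookalikes(urls):
    """URLs that mention the brand before the path but are not official."""
    flagged = []
    for url in urls:
        authority = re.split(r"[/?#]", url.lower().partition("//")[2], maxsplit=1)[0]
        if BRAND in authority and not is_official(url):
            flagged.append(url)
    return flagged
```

An exact host match is what makes the check useful: a substring or "ends with" test would accept several of the constructed lookalikes above.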

Use reliable anti-malware software with network protection features. We highly recommend GridinSoft Anti-Malware because it is a fast, lightweight solution that can effectively counter a wide range of threats. You can explore its features during the 6-day free trial period.

Malicious CPU-Z Copy Is Spread In Google Search Ads
https://gridinsoft.com/blogs/fake-cpu-z-google-ads/
Wed, 15 Nov 2023 13:18:30 +0000

Attackers are again abusing the Google Ads platform to distribute malicious advertising and the Redline information stealer. This time, the ads promoted a trojanized version of the CPU-Z tool.

CPU-Z Malware in the WindowsReport Page Clone

Recently, a wave of malicious ads on the Google Search results page offered users a Trojan-infected version of the popular CPU-Z program. For better disguise, the malware was hosted on a clone of the real news site WindowsReport. Since it is not obvious to users which site is the official one for the product, the trick was quite effective.

Adware on Google Ads with Redline
Malvertising

After clicking on such an advertisement, the victim passed through a series of redirects that fooled Google’s security scanners and filtered out crawlers, VPNs, bots, etc., sending them to a special decoy site that did not contain anything malicious.

Redirection after click on Google Ads
Redirects (source: Malwarebytes)

Users ended up on a fake news site hosted on one of the following domains:


The result of these manipulations is a chain attack that starts with the FakeBat malware. This loader then injects the well-known RedLine infostealer, an old-timer of the scene.

What is RedLine Infostealer?

Downloading the CPU-Z installer from the attackers’ resource resulted in the download of an MSI file containing a malicious PowerShell script, which the researchers identified as the FakeBat malware loader (aka EugenLoader). This downloader extracted the Redline payload from a remote URL and launched it on the victim’s computer.

Redline is a powerful data theft tool that can steal passwords, session tokens, cookies, and a large amount of other data. We have a dedicated article with the complete technical analysis of this malware; consider checking it out.

Earlier, we wrote about how cybercriminals distributed the RedLine infostealer through sites offering downloads of a fake MSI Afterburner utility. That campaign also used various domains that users could mistake for the official MSI website. The imitation of brand resources was done quite well.

According to Google representatives, all malicious ads associated with the hacker campaign to distribute the infected CPU-Z tool have now been removed, and appropriate action has been taken against the accounts associated with them.

This is not the first time that hackers have used Google Ads

This exact malvertising campaign was discovered by analysts, who believe it is part of a previously observed campaign with a similar purpose. Previously, the attackers used fake Notepad++ advertisements to deliver the malware.

In the ads, the attackers promoted URLs that were clearly not associated with Notepad++ and used misleading titles. Since titles are much larger and more visible than URLs, many people likely didn’t notice the catch.

Let me remind you that we talked about how malware operators and other hackers are increasingly using Google Ads to distribute malware to users who are looking for popular software. So, you can encounter malicious ads when searching for Slack, Grammarly, Dashlane, Audacity, and dozens of other programs.
