Malicious actors are using Google advertisements and SEO tactics to entice victims into clicking on links poisoned with malware.

According to cyber security company Secureworks, malicious actors have been using poisoned ad installers as trojans, specifically to spread Bumblebee malware. These ad installers are associated with a number of well-known companies including Zoom, Citrix Workspace, Cisco AnyConnect and OpenAI’s ChatGPT.

For example, Secureworks researchers found that a malicious actor had not only created a poisoned ad installer for Cisco AnyConnect, but a fake download page for the malware as well. They were able to do this by exploiting a compromised WordPress site.

Once Bumblebee malware is downloaded, malicious actors most often use it to launch ransomware within the infected device. In one case, Secureworks researchers found that the malicious actor moved laterally across the device, downloading and launching a number of applications and software programs, including the legitimate remote access tools AnyDesk and Dameware as well as the penetration testing framework Cobalt Strike.

By using paid Google ads as well as SEO tactics in their fake download pages, malicious actors are able to ensure that their Trojanized and poisoned uploads are at the top of the Google search results page, meaning victims are more likely to click on them.

An example of this was seen on January 15, 2023, when a cryptocurrency and NFT influencer known as NFT God said that their “entire digital livelihood was violated” after hackers gained access to and stole “a life changing amount of [their] net worth” in funds and NFTs from their digital wallet. The hackers were able to gain access to their funds through a poisoned ad installer masquerading as a legitimate video streaming software, OBS.

Last night my entire digital livelihood was violated. Every account connected to me both personally and professionally was hacked and used to hurt others. Less importantly, I lost a life changing amount of my net worth
— NFT God (@NFT_GOD) January 15, 2023

After downloading and attempting to run the software, NFT God noticed that it had not properly installed, but dismissed this as a technical difficulty. In actuality, they had introduced malware to their device which allowed malicious users access to their social media accounts and digital wallet.

Yesterday afternoon I went to download OBS onto my personal desktop computer. OBS is industry standard video streaming software. I was excited to live stream some video games for the first time in my life. What I didn’t realize was I clicked the sponsored link on
— NFT God (@NFT_GOD) January 15, 2023

According to NFT God, the hackers stole “at least 19 ETH, worth almost US$27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and several other NFTs”.

To prevent falling prey to poisoned ads, only download software and updates from trusted sites, and go to the sites directly to avoid clicking on a Trojanized link.
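The advice above, "go to the vendor's site directly", can also be applied after the fact by a defender reviewing where installers were actually fetched from. The following Python script is an added example, not code from the article or from Secureworks: it takes download URLs (here a constructed sample list standing in for web-proxy records) and flags any whose hostname or path mentions a vendor brand named in the article but is not served from that vendor's own domain. The brand-to-domain mapping is an assumption for the example and should be confirmed against each vendor before use; substring brand matching will also produce false positives (a hostname containing "jobs" matches "obs"), so treat hits as triage candidates rather than verdicts.

```python
"""Flag download URLs whose hostname impersonates a known software vendor.

Added example (not from the original article): given URLs such as those
recorded by a web proxy, flag any that mention a vendor brand but are not
served from the vendor's official domain or one of its subdomains.
"""
from urllib.parse import urlparse

# Assumed mapping of brand keyword -> official registrable domain.
# These are assumptions for the example; confirm each against the vendor.
OFFICIAL_DOMAINS = {
    "zoom": "zoom.us",
    "citrix": "citrix.com",
    "cisco": "cisco.com",
    "anyconnect": "cisco.com",
    "chatgpt": "openai.com",
    "obs": "obsproject.com",
}

# Installer-like file extensions that make a lookalike hit more interesting.
INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip")


def hostname_of(url: str) -> str:
    """Lower-cased hostname of the URL, or '' if it has none."""
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def is_official(host: str, domain: str) -> bool:
    """True if host is the vendor domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def brands_mentioned(host: str, path: str) -> list:
    """Brand keywords that appear anywhere in the hostname or path."""
    text = f"{host}{path}".lower()
    return [brand for brand in OFFICIAL_DOMAINS if brand in text]


def classify(url: str) -> dict:
    """Label a URL as official, lookalike, or no_brand."""
    parsed = urlparse(url)
    host = hostname_of(url)
    path = parsed.path.lower()
    brands = brands_mentioned(host, path)
    verdict, matched = "no_brand", None
    if brands:
        official = [b for b in brands if is_official(host, OFFICIAL_DOMAINS[b])]
        if official:
            verdict, matched = "official", official[0]
        else:
            verdict, matched = "lookalike", brands[0]
    return {
        "url": url,
        "host": host,
        "verdict": verdict,
        "brand": matched,
        "installer": path.endswith(INSTALLER_SUFFIXES),
    }


def flag_suspicious(urls) -> list:
    """Return classifications for URLs that use a brand off the vendor's domain."""
    return [r for r in (classify(u) for u in urls) if r["verdict"] == "lookalike"]


# Constructed sample URLs for the example; not indicators from the article.
SAMPLE_URLS = [
    "https://zoom.us/client/latest/ZoomInstaller.exe",
    "https://zoom-download.example/ZoomInstaller.exe",
    "https://obsproject.com/download",
    "https://obs-studio-free.example/OBS-Studio-Setup.exe",
    "https://cdn.example/cisco-anyconnect-setup.msi",
    "https://news.example/article.html",
]

if __name__ == "__main__":
    for r in flag_suspicious(SAMPLE_URLS):
        print(f"SUSPICIOUS host={r['host']} brand={r['brand']} installer={r['installer']}")
```

Run against the constructed list, the script reports the two lookalike installer hosts and the CDN-hosted "cisco-anyconnect" MSI, while the genuine zoom.us and obsproject.com URLs pass as official. In practice the URL list would come from proxy or DNS logs, and the domain map from an allowlist maintained with the software-inventory owners.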