The #malvertising campaigns via Google Ads are not just about software downloads and scams. They also include phishing for popular password managers such as 1Password.

The differences are so subtle, most people will fall for it.

Real URL:
https://my[.]1password.com/signin
Phishing URL:
https://my1pasword[.]com/signin

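A defender's view of the two URLs in the post: the difference between `my.1password.com` and `my1pasword.com` is one dropped dot and one dropped letter, which is exactly what an edit-distance check over an allow-list of sanctioned sign-in hosts will catch. The script below is an added example, not code from the original thread or from any vendor named in it; the allow-list, the `NUMBER_WORDS` table and the sample hosts other than the two in the post are constructed for illustration. It normalises a candidate hostname (accepting defanged `[.]` input), compares it against each known-good host by Levenshtein distance, and separately flags hosts that embed a brand label such as `1password` or `zoom` in an unrelated domain.

```python
"""Lookalike-hostname check, added here as an illustration; not code from the
original thread or from any of the vendors named in it.

Given a URL seen in an ad, a proxy log or a user report, it compares the
hostname against a small allow-list of legitimate sign-in hosts and flags
near-misses: dropped dots and letters ('my1pasword.com' for 'my.1password.com'),
spelled-out digits ('startonepassword.com'), or a brand name embedded in an
unrelated domain ('zoom-installer-download.com').  Standard library only.
"""
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real deployment would load this
# from the organisation's own list of sanctioned services.
KNOWN_GOOD = ["my.1password.com", "vault.bitwarden.com", "zoom.us"]

# Illustrative substitutions that keep a brand readable while changing the
# string; extend with homoglyphs (0/o, l/1, rn/m) as needed.
NUMBER_WORDS = {"one": "1", "zero": "0"}


def hostname_of(url: str) -> str:
    """Extract a lowercase hostname; accepts defanged 'example[.]com' input."""
    url = url.replace("[.]", ".").strip()
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), iterative two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def brand_label(host: str) -> str:
    """Second-level label, e.g. 'my.1password.com' -> '1password'.
    Heuristic only: no public-suffix lookup, so 'x.co.uk' would give 'co'."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def normalise(host: str) -> str:
    """Collapse tricks that keep a brand readable: drop dots, spell digits."""
    squashed = host.replace(".", "")
    for word, digit in NUMBER_WORDS.items():
        squashed = squashed.replace(word, digit)
    return squashed


def classify(url: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return (verdict, hostname, reasons).  verdict is 'legitimate',
    'suspicious' or 'unknown'; reasons lists why a host was flagged."""
    host = hostname_of(url)
    if host in known_good:
        return ("legitimate", host, [])
    reasons = []
    squashed = normalise(host)
    for good in known_good:
        d = levenshtein(squashed, normalise(good))
        if d <= max_distance:
            reasons.append(f"edit distance {d} from {good}")
        brand = brand_label(good)
        if brand in squashed:
            reasons.append(f"embeds brand label '{brand}' of {good}")
    verdict = "suspicious" if reasons else "unknown"
    return (verdict, host, reasons)


if __name__ == "__main__":
    # The two URLs from the post plus constructed variants.
    for sample in ["https://my[.]1password.com/signin",
                   "https://my1pasword[.]com/signin",
                   "startonepassword[.]com",
                   "zoom-installer-download.com",
                   "https://example.com/login"]:
        print(classify(sample))
```

The brand-containment rule is deliberately loose and will fire on benign names that happen to contain a short brand label, so in practice it belongs in a proxy or DNS log enrichment that an analyst reviews, not in an automatic block; the edit-distance rule with a small threshold is the safer candidate for alerting, and `brand_label` should be replaced with a proper public-suffix lookup before use on real traffic.
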
@malwareinfosec You would think this would be fairly easy to stop. Google knows which password managers and services are popular.
@ThatMichaelM @malwareinfosec Why would they want to? The fake ad forces 1password to buy an ad, and pay even more to be first, which further increases the price of those keywords!
@malwareinfosec as I continue to shout for more MFA adoption when and where I can. Go vegan too 🏴‍☠️👹🪩
@malwareinfosec that only goes to show that you should not search for your common web tools with google
@alexlehm @malwareinfosec Or at least never click the results marked “Ad” in Google.
@MisuseCase yes, my uncle downloaded his iTunes update once via a Google "Ad" and I spent hours cleaning up his computer afterwards

@malwareinfosec

Thank you for sharing this. This is another reason why:

1) Content blockers are great in that they eliminate these ads, so that your exposure to malicious features is limited

2) Why Google as a search engine should be taken less and less seriously and alternatives should be sought after. Google search results have been controlled and quality has been declining.

@malwareinfosec the issue starts with url bar = search bar. If I type apple.com I want to load apple.com, not search google for appke.com to then stumble on fakeapple.com etc
@afink @malwareinfosec Then take Google out of your search engine list, and deselect the preference to complete or correct URLs.
@thespoonless @afink @malwareinfosec that’s great and all but try telling that to EVERYONE USING GOOGLE!
@afink @malwareinfosec when you search for something programming related and it turns out it's one of those new top level domains, like .app, .map, .data, .open, .next, .storage, .read...
@afink @malwareinfosec people don’t type URLs regardless – most people I observe always just search for '1Password' (or whatever the name of the site they’re looking for is) and hit the top search result (which is, of course, an ad).
@malwareinfosec if you find any more phishing URLs send them to me and I will create a suricata rule for them all
@malwareinfosec that’s pretty unacceptable
@malwareinfosec to be honest? I am sorry for users not for company... that plays that way also: when you type "bitwarden" into google... first ad is 1Password
@malwareinfosec more reasons for deploying adblockers company wide
@malwareinfosec To think phishing would never become this sophisticated will be a downfall of my (50-something yo) peers. It was always coming.
@malwareinfosec @epixoip Yep, that is some insidious bullshit.
@malwareinfosec Time and time again media companies opt for short-term profits over long-term viability. Spam has destroyed email, telephony, and social media platforms. It engenders mistrust in a given medium, and renders it all but unusable due to the sheer volume of untrustworthy encounters users experience.

@malwareinfosec This, again, is why ad blockers are a necessity.

And yet Google is trying to cripple ad blockers, just for the sake of their profit.

@eonity @malwareinfosec let's make a deal with google: they can stop ad blockers if they accept 100% liability for any negative outcomes.
@malwareinfosec What we learn from this. Stop using google. Google is cancer.
@malwareinfosec That's why people should always run ad and script blockers.

@malwareinfosec yikes. I might have fallen for that. I think I'll keep not using google and keep my adblockers enabled...

(as in, I don't think I *have* fallen for it, but I can see how I might be fooled if in a hurry)

@malwareinfosec is it possible to hold google liable for running ads like these that put people at risk?
@malwareinfosec Google says they believe in “don't be evil” but facilitating is okay as long as it brings in the cash flow.
@malwareinfosec adblocking is self defense.. again and again.
@malwareinfosec
It really is remarkable how Google STILL gets away with this shit without being liable for the nuisance they created.
@malwareinfosec 'but there was a lock icon in the URL bar!' --most folks that Google trained for years to look for that ssl lock
@jennyst @malwareinfosec First Image: A google search for '1password' with the top two ad results highlighted, the first being marked as the 'Real' 1password website, the second 'Fake' site 'startonepassword dot com'
Second Image: A compilation of two screenshots, top and bottom. At the top, the real my.1password.com site login page. At the bottom, a fake website which looks nearly identical, but with a blue text box reminder to use a secret key from the emergency kit
#Alt4You
@malwareinfosec @hacks4pancakes remind me again, what’s the best way to report stuff like this? Is there a threshold of reports before the lists are updated? Do the browsers maintain separate lists that block phishing or hacked domains?
@malwareinfosec @neilhimself We helped triage an incident set off by someone doing a Google search for the Zoom installer. Top search result was a fake site with malware dropper.
@malwareinfosec Looks like a typosquatting domain. It's especially dangerous on mobile because typos are more likely to happen on an onscreen keyboard than on a physical keyboard.
@malwareinfosec ...and in addition, I guess we can all agree that when you offer a service like @1password you do buy all subdomains as concatenated domains (is this the right word?) as in your example.
@malwareinfosec Honestly this is why I don’t like in-browser password managers. It’s much harder to get phished if you’re switching to an app, especially if you’re used to authenticating via biometrics most of the time.

@malwareinfosec that's pretty bad, and with a few simple rules Google could reject bogus ads like that.

I'm not seeing it when I search, so I guess it's been taken down already.

I also think domain name services should bear the blame for a lot of this shite. 1pasword.com should never have been registered. Again, something that a bit of simple AI could block.