👇
https://www.malwarebytes.com/blog/cybercrime/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator
@securestep9
The threat actor here is Google attacking Google on the Google platform (and causing harm to all of us). There's no reason why ads should be allowed to show fake URLs in a UI designed to resemble organic search results. NO FUCKING REASON.
Then, mouse-over doesn't help, because it's google.com.
Then, the redirect to GitHub would raise a red flag, but does not because so many ads do this. And not only ads.
I agree that Google policies have created this attack vector. Looking at the Ads URL policies at https://support.google.com/google-ads/answer/6246601/ it looks like the display domain must == the landing page domain, so they're not directly showing fake URLs...
But Google famously doesn't consider open redirects as vulnerabilities (https://bughunters.google.com/learn/invalid-reports/web-platform/navigation/6680364896223232/open-redirectors) so I'm guessing this actor is using one of the many Google open redirects to forward from their landing page URL on google.com to their malicious domain.