This Fake Google GIMP Ad Ends Up Serving Malware

Google's ad network was found to deliver malicious advertising that could lead to the theft of users' identity details and other sensitive information.

The hackers allegedly tricked Google Ad Manager into displaying a fake ad for the popular GIMP photo editor, meaning those who wanted to download the program ended up with a powerful data stealer named Vidar.

Whenever a victim entered "GIMP" or a similar keyword into the Google search engine, they were presented with, among other things, an advertisement displaying the official GIMP website: GIMP.org. However, clicking on the ad would not send the victim to that domain, but to gilimp.org or gimp.monster. There they would be offered a 700MB download, a large executable that is actually only 5MB: the Vidar information stealer.

Cheating the system

How this was possible is still not entirely certain. Some researchers believe that the threat actor used an IDN homograph technique to make the Cyrillic gіmp.org, written as http://xn--gmp-jhd.org/, appear as gimp.org in the Latin alphabet. Others are of the opinion that the trick is actually much less elaborate.

In fact, BleepingComputer reports that Google allows publishers to create ads with two different URLs: one that is shown to viewers, and one to which they are actually taken. Apparently Google is pretty strict about these things, for example only allowing URLs that use the same domain. It is unknown how or why Ad Manager allowed this particular campaign to run. Google is still silent on the matter, and we will update the article if the search giant decides to elaborate.
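The two explanations above (a homograph domain, or an ad whose displayed URL differs from its landing URL) can both be checked mechanically. The following is an added example, not code from the article or from Google: `audit_ad` and the `LOOKALIKES` table are hypothetical names, the table is a small constructed subset of confusable characters, and the host pairs are built from the domains named in the article.

```python
import unicodedata

# Partial Cyrillic-to-Latin lookalike map, constructed for this example only.
LOOKALIKES = {"\u0456": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0441": "c"}

def to_unicode(host):
    """Decode each xn-- (Punycode) label so the real characters are visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Scripts used by the letters of a label, from Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Fold known lookalike characters to the Latin letters they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in host)

def audit_ad(display_host, landing_host):
    """Return findings for an ad whose shown host and landing host are given."""
    shown, landing = to_unicode(display_host), to_unicode(landing_host)
    findings = []
    if shown != landing:
        findings.append("landing host differs from displayed host")
    if any(len(scripts(part)) > 1 for part in landing.split(".")):
        findings.append("mixed-script label in landing host")
    if shown != landing and skeleton(shown) == skeleton(landing):
        findings.append("landing host is a visual lookalike of displayed host")
    return findings

if __name__ == "__main__":
    # Hosts named in the article; their pairing as ad records is constructed.
    for shown, landing in [("gimp.org", "gimp.org"),
                           ("gimp.org", "gilimp.org"),
                           ("gimp.org", "gimp.monster"),
                           ("gimp.org", "xn--gmp-jhd.org")]:
        print(f"{shown} -> {landing}: {audit_ad(shown, landing) or 'ok'}")
```

Only the Punycode host triggers all three findings; gilimp.org and gimp.monster are caught by the plain mismatch between displayed and landing host.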

Vidar is a known data stealer capable of stealing browser information (passwords, cookies, stored credit card information, etc.), cryptocurrency wallet information, Telegram credentials, file transfer application information and much other sensitive data.

Via: BleepingComputer