We often think of malvertising as being malicious ads that push malware or scams, and quite rightly so these are probably the most common payloads. However, malvertising is also a great vehicle for phishing attacks which we usually see more often via spam emails.
Threat actors continue to abuse and impersonate brands, posing as verified advertisers whose only purpose is to smuggle rogue ads via popular search engines. In this blog post, we review a recent phishing attack that was targeting both mobile and Desktop users looking up to track their packages via the United States Postal Service website.
A Google search returned an ad that looked completely trustworthy. Yet, it redirects victims to a malicious site that first collects their address, credit card details and, requires them to log into their bank account for verification.
This elaborate phishing scheme is a reminder that malvertising via search results remains an issue that affects both consumers and businesses who place their trust behind well-known brands.
Malicious ad looks 100% legitimate
This malvertising campaign was first spotted by Jesse Baumgartner, Marketing Director at Overt Operator. In his LinkedIn post, he shares several screenshots of his experience while attempting to track a package and instead ending up on a scam website.
We were able to immediately find this same campaign by performing a simple Google search for “usp tracking”. Incredibly, the ad snippet contains the official website and logo of the United States Postal Service and yet, the “advertiser” whose verified legal name is Анастасія Іващенко (Ukraine), has nothing to do with it.
This fake advertiser had 2 different ad campaigns, one that appears to target Mobile and the other Desktop users:
Address verification and update just a trick to get banking credentials
One may wonder how threat actors are able to use the official URL in the ad and redirect victims to their own different website. The URLs shown in the ad are pure visual artifacts that have nothing to do with what you actually click on. When you click on the ad, the first URL returned is Google’s own which contains various metrics related to the ad, followed by the advertiser’s own URL. Users never get to see this, and that is what makes malvertising via brand impersonation so dangerous.
Victims that click on the ad land on a website that asks them to enter their tracking number(s), just as they would expect it. However, upon submitting that information they receive an error stating “Your package could not be delivered due to incomplete information in delivery address.“
It is not unusual to receive this kind of notification either. Users are then asked to enter their full address again but also need to pay a small fee of 35 cents by submitting their credit card information. This is the first clue that there is something amiss here.
Victims are entering their credit card number into a phishing website. The small fee is completely irrelevant as there is much more damage that can be done by reselling this stolen data on criminal markets.
The final step consists of asking users to enter their credentials for their financial institution. The phishing page is dynamic and will generate a template based on the card number previously inputed. For example, here we have a VISA card and the associated bank is JP Morgan:
For a different card such as MasterCard, here’s the associated phishing page:
Falling for malvertising remains too easy
In the security field, we often speak about and recommend user education and training. When it comes to malvertising, awareness is important but training can only go so far. The example from this blog post shows why: malicious ads often look entirely legitimate and we can’t expect users to run queries on domain names and infrastructure to discern any malfeasance.
Brand impersonation is a huge problem and the solution to combat it starts with search engines applying stricter controls. When it comes to software downloads, one solution that comes to mind is reserving a placeholder for the official download page and never allowing an ad to take this spot. Microsoft’s Bing has done that quite well for the most part and such a policy would have a drastic impact on the safety of millions of users.
Security vendors like Malwarebytes will continue to protect their users thanks to browser protection tools available for businesses and consumers. The malvertising killchain can be disrupted from the initial ad, all the way to the payload (malware, phishing or scam). Only a full protection suite with real time protection can target those critical distribution points.
We have reported this incident to Google and Cloudflare has already flagged the domains as phishing.
Indicators of Compromise (IOCs)
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.