In an unsettling revelation that underscores how even reputed platforms can be abused, Google has been found serving a malicious advertisement that is astoundingly convincing. The fraudulent ad masquerades as a promotion for the popular open-source password manager KeePass. Adding to the credibility of the scam, clicking the advertisement directs users to a website that, at first glance, appears to be the official KeePass site. This two-pronged scheme combines the trust attributed to Google’s ad platform with an almost identical URL to craft a near-perfect illusion.
The Sophistication of the Deception
On an initial inspection, the advertisement and the website it leads to seem entirely legitimate. The URL, ķeepass[.]info, looks genuine, especially when viewed in a browser’s address bar. On closer scrutiny, however, the website is fraudulent. The name the browser displays is the Unicode rendering of the registered domain xn--eepass-vbb[.]info, which distributes a malware family known as FakeBat.
The encoding technique at work here is called punycode. It is the ASCII encoding that lets Unicode characters appear in domain names: the domain actually registered is the ASCII string xn--eepass-vbb, and a browser may render it as ķeepass. In this instance, the substituted character is a ‘k’ with a cedilla, which shows up as a subtle, easily overlooked comma-like mark below the ‘k’ in the URL. The detail is even harder to spot when the site presents a valid TLS certificate, as was the case here; a certificate is simply issued for the xn-- domain, so its padlock says nothing about who controls that domain.
The Accountability of Established Platforms
The disturbing fact is that the fraudulent ads were placed by a verified advertiser, Digital Eagle, according to Google’s Ad Transparency Center. This raises critical questions about the robustness of advertiser verification, even on platforms that command a high level of trust. Google has yet to respond to queries about this incident, although it has stated in the past that it takes down fraudulent ads as quickly as possible once they are discovered.
No Foolproof Detection Yet
Unfortunately, there is currently no definitive mechanism for identifying malicious Google ads or punycode-encoded lookalike URLs. Every major browser will take a user who clicks or types the Unicode address to the impostor site, and the address bar may render it in its Unicode form rather than as xn--eepass-vbb[.]info. Manually inspecting the TLS certificate, which is issued to the xn-- name, may offer some assurance, but this is not always practical for lengthy URLs.
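As an added illustration that is not part of the original report, the following Python shows both halves of the trick described above: that the ASCII domain xn--eepass-vbb[.]info and the displayed name ķeepass[.]info are one and the same punycode-encoded hostname, and a simple heuristic check that decodes an internationalised domain, strips its diacritics and compares the result against a list of domains worth protecting. The protected-domain list, the function names and the simplified "skeleton" approximation are assumptions made for this example; keepass.info is the only domain taken from the article, and the other sample hostnames are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains a lookalike would plausibly imitate. Constructed for this example;
# keepass.info is the only entry drawn from the article.
PROTECTED_DOMAINS = {"keepass.info"}


def to_ascii_host(host: str) -> str:
    """Return the IDNA A-label form of a hostname: what DNS, the URL on the
    wire and the TLS certificate actually use. Labels that are already ASCII,
    including ones that already start with xn--, pass through unchanged."""
    return host.encode("idna").decode("ascii")


def to_unicode_host(host: str) -> str:
    """Return the U-label form, with xn-- labels decoded back to Unicode.
    This is what a browser may render in its address bar."""
    return to_ascii_host(host).encode("ascii").decode("idna")


def skeleton(host: str) -> str:
    """Crude confusable skeleton: decode the IDN, decompose it (NFKD) and drop
    combining marks, so 'ķ' (k + combining cedilla) collapses to plain 'k'.
    Assumption: this deliberately simple stand-in for the Unicode TR39
    skeleton catches diacritic tricks only, not cross-script homoglyphs."""
    decomposed = unicodedata.normalize("NFKD", to_unicode_host(host))
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def assess(host: str) -> dict:
    """Classify a hostname: is it an IDN at all, and if so does its skeleton
    collide with a protected domain?"""
    ascii_form = to_ascii_host(host)
    unicode_form = to_unicode_host(host)
    # At least one label needed punycode if the two forms differ.
    is_idn = ascii_form.lower() != unicode_form.lower()
    skel = skeleton(host)
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "is_idn": is_idn,
        "skeleton": skel,
        # A plain-ASCII protected domain is itself, not a lookalike of itself.
        "lookalike_of": skel if is_idn and skel in PROTECTED_DOMAINS else None,
    }


def assess_url(url: str) -> dict:
    """Convenience wrapper for a full URL; urlsplit() lowercases the host."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return assess(host)


if __name__ == "__main__":
    # Constructed sample inputs: the malicious domain in both of its forms,
    # the real site, and a harmless IDN that must not be flagged.
    samples = ["ķeepass.info", "xn--eepass-vbb.info", "keepass.info", "bücher.de"]
    for sample in samples:
        r = assess(sample)
        print(f"{sample:>20} -> {r['ascii']:<20} idn={str(r['is_idn']):<5} "
              f"skeleton={r['skeleton']:<14} lookalike_of={r['lookalike_of']}")
```

The skeleton here only catches diacritic tricks like the cedilla; it does not handle cross-script homoglyphs (a Cyrillic ‘а’ standing in for a Latin ‘a’), which is one reason the article’s "no foolproof detection" verdict stands. Note that the certificate the article suggests inspecting is issued to the A-label, xn--eepass-vbb.info, so that is the form to compare against, not whatever the address bar renders.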
Towards a More Secure Future
In an era where technological advancements are enabling increasingly sophisticated cyber threats, businesses and individuals alike must cultivate a culture of heightened vigilance. More than ever, it’s vital to exercise caution and scrutinize every interaction, no matter how trustworthy the source may appear.