A Malicious Google Ads Campaign Specifically Targets AWS Users

Researchers have spotted yet another malicious campaign that abuses Google Ads to steal people’s sensitive data, specifically Amazon Web Services (AWS) log-in credentials.

Experts from Sentinel Labs recently discovered a Google Ads campaign that advertised a malicious landing page that appeared near the top of the search engine’s results for the cloud giant.

People who would use Google’s search engine to search for “AWS” would see, ranked second, a malicious landing page that impersonated a vegan food blog.

Categorizing stolen data

Those heading to that site would then be prompted with a fake AWS login page, where, once entered, the information would be stolen.

Furthermore, the site prompted the victims to select if they were root or IAM users, helping crooks categorize the stolen credentials based on utility and value.

The attackers also added a JavaScript function that disabled right clicks, middle mouse buttons, and keyboard shortcuts, the researchers added, speculating that the feature was included to discourage victims from easily navigating away from the landing page.

Sentinel Labs discovered the campaign on January 30, 2023, and further investigation uncovered that the attackers were most likely Brazilian.

The researchers reported the attack to CloudFlare, which shut down the malicious account, but BleepingComputer claims the ads on Google are still active. We weren’t able to independently verify if that is still the case or if Google did its part in the meantime.

Cybercriminals constantly try to leverage Google’s ad network to deliver malware and steal people’s data. The search engine giant is generally perceived as trustworthy, making people less vigilant when clicking on search engine results. Last December, researchers from Malwarebytes spotted a campaign in which scammers used the traffic from an adult website to generate clicks on Google Ad banners, netting huge returns.

Via: BleepingComputer