FBI warns of search engine ads pushing malware, phishing


Level 78
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.

In today's public service announcement, the federal law enforcement agency said threat actors purchase advertisements that impersonate legitimate businesses or services. These ads appear at the top of search result pages and link to sites that look identical to the impersonated company's website.

"When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result," warns the FBI.

"These advertisements link to a webpage that looks identical to the impersonated business's official webpage."

When searching for software, the FBI says advertisements will link to websites with a download link to software named after the impersonated application.

The FBI advisory also warns about ads promoting phishing sites that imitate finance platforms and, more specifically, cryptocurrency exchange platforms that invite visitors to enter their account credentials.

Once credentials are entered on these phishing sites, they are stolen by threat actors who use them to steal funds or sell them to other threat actors.

BleepingComputer recently helped reveal a massive typosquatting campaign using over 200 websites impersonating software projects, cryptocurrency exchanges, and wallet platforms to push Windows and Android malware.

Earlier in the year, a site impersonating the GIMP image editor used malvertising to drop the Vidar info stealer on its unsuspecting visitors.

In another case from March 2022, operators of the Mars stealer abused Google Ads to promote a malicious Open Office lookalike site to distribute their malware.

More recently, the SANS ISC disclosed an AnyDesk malvertising campaign on Google Search that dropped IcedID malware instead of the popular remote desktop app.
How to protect yourself

The most crucial precaution when looking for something online is not to click on the first thing that appears on the search results without checking its URL.

As the first few results on a given search term are usually promoted ads, it is safer to skip them and scroll down until you see the project's official website search result and use that instead.

"While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link," warns the FBI.

Furthermore, even checking the link may only sometimes help, as threat actors can create advertisements to display a legitimate URL but redirect users to cloned sites under the attacker's control.

Another recommendation is to use ad-blockers, which filter out promoted results on Google Search.

If you visit a website frequently, it would be better to bookmark its URL and use that to access it instead of searching for it every time.


Level 85
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014

IcedID Botnet Distributors Abuse Google PPC to Distribute Malware​

After closely tracking the activities of the IcedID botnet, we have discovered some significant changes in its distribution methods. Since December 2022, we observed the abuse of Google pay per click (PPC) ads to distribute IcedID via malvertising attacks. This IcedID variant is detected by Trend Micro as TrojanSpy.Win64.ICEDID.SMYXCLGZ.

Advertising platforms like Google Ads enable businesses to display advertisements to target audiences for the purpose of boosting traffic and increasing sales. Malware distributors abuse the same functionality in a technique known as malvertising, wherein chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users to downloading malware.

In our investigation, malicious actors used malvertising to distribute the IcedID malware via cloned webpages of legitimate organizations and well-known applications. Recently, the Federal Bureau of Investigation (FBI) published a warning pertaining to how cybercriminals abuse search engine advertisement services to imitate legitimate brands and direct users to malicious sites for financial gain.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.