Google-hosted Malvertising; Clever punycode tricks experts to visit fake Keepass site

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,450
Google-verified advertiser + legit-looking URL + valid TLS cert = convincing look-alike.

1697712475649.png


[...] there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Looking at the ad, which masquerades as a pitch for the open-source password manager Keepass, there’s no way to know that it’s fake. It’s on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which when viewed in an address bar appears to be the genuine Keepass site.

A closer link at the link, however, shows that the site is not the genuine one. In fact, ķeepass[.]info —at least when it appears in the address bar—is just an encoded way of denoting xn--eepass-vbb[.]info, which it turns out, is pushing a malware family tracked as FakeBat.

1697712174726.png



Story via Google-hosted malvertising leads to fake Keepass site that looks genuine
Malwarebytes - Clever malvertising attack uses Punycode to look like KeePass's official website
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top