The FBI warns that threat actors are using search engine advertisements to promote websites that distribute ransomware or to steal login credentials from financial institutions and crypto exchanges.
In today’s public service announcement, the federal law enforcement agency said threat actors purchase advertisements that impersonate legitimate businesses or services. These ads appear at the top of search results pages and link to sites that appear identical to the website of the impersonated company.
“When a user searches for this business or service, these advertisements appear at the very top of search results with minimal distinction between an advertisement and an actual search result,” the FBI notes.
“These ads link to a webpage that appears identical to the official webpage of the impersonated company.”
When the search is for software, the FBI says the advertisements link to websites offering a download of software named after the spoofed application.
The FBI advisory also warns against ads promoting phishing sites that mimic financial platforms and, more specifically, cryptocurrency exchanges that prompt visitors to enter their account credentials.
Once credentials are entered on these phishing sites, they are stolen by malicious actors who use them to steal funds or sell them to other malicious actors.
BleepingComputer recently helped reveal a massive typosquatting campaign using over 200 websites impersonating software projects, cryptocurrency exchanges, and wallet platforms to push Windows and Android malware.
Earlier in the year, a site impersonating the GIMP image editor used malicious advertising to drop the Vidar information stealer on its unsuspecting visitors.
While these ads appeared to promote the gimp.org website, as seen below, they redirected users to another malware-delivering site.
In another case, from March 2022, Mars Rogue operators abused Google Ads to promote a malware site mimicking OpenOffice in order to distribute their malware.
More recently, the SANS ISC disclosed a malicious AnyDesk advertising campaign on Google Search that delivered the IcedID malware instead of the popular remote desktop application.
How to protect yourself
The most crucial precaution when looking for something online is not to click on the first thing that appears on the search results without checking its URL.
As the first results for a given search term are usually promoted advertisements, it is safest to ignore them and scroll down until you see the official search result for the project's website, and use that instead.
“Although search engine advertisements are not malicious in nature, it is important to exercise caution when accessing a webpage through an advertised link,” warns the FBI.
Moreover, even verifying the link does not always help, as threat actors can create advertisements that display a legitimate URL but redirect users to cloned sites under the attacker's control.
Another recommendation is to use ad blockers, which filter promoted results on Google Search.
If you visit a website frequently, it is better to bookmark its URL and use that to access it instead of searching for it every time.