this post was submitted on 19 Oct 2023
164 points (97.7% liked)

Technology

34874 readers
57 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
 

archive

Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Looking at the ad, which masquerades as a pitch for the open-source password manager Keepass, there’s no way to know that it’s fake. It’s on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which when viewed in an address bar appears to be the genuine Keepass site.

A closer link at the link, however, shows that the site is not the genuine one. In fact, ķeepass[.]info —at least when it appears in the address bar—is just an encoded way of denoting xn--eepass-vbb[.]info, which it turns out, is pushing a malware family tracked as FakeBat. Combining the ad on Google with a website with an almost identical URL creates a near perfect storm of deception.

“Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes, wrote in a post Wednesday that revealed the scam.

Information available through Google’s Ad Transparency Center shows that the ads have been running since Saturday and last appeared on Wednesday. The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google.

Google representatives didn’t immediately respond to an email, which was sent after hours. In the past, the company has said it promptly removes fraudulent ads as soon as possible after they’re reported.

The sleight of hand that allowed the imposter site xn--eepass-vbb[.]info to appear as ķeepass[.]info is an encoding scheme known as punycode. It allows unicode characters to be represented in standard ASCII text. Looking carefully, it’s easy to spot the small comma-like figure immediately below the k. When it appears in an address bar, the figure is equally easy to miss, especially when the URL is backed by a valid TLS certificate, as is the case here.

The use of punycode-enhanced malware scams has a long history. Two years ago, scammers used Google ads to drive people to a site that looked almost identical to brave.com, but was, in fact, another malicious website pushing a fake, malicious version of the browser. The punycode technique first came to widespread attention in 2017, when a Web application developer created a proof-of-concept site that masqueraded as apple.com.

There’s no sure-fire way to detect either malicious Google ads or punycode encoded URLs. Posting ķeepass[.]info into all five major browsers leads to the imposter site. When in doubt, people can open a new browser tab and manually type the URL, but that’s not always feasible when they’re long. Another option is to inspect the TLS certificate to make sure it belongs to the site displayed in the address bar.

all 17 comments
sorted by: hot top controversial new old
[–] maeries@feddit.de 63 points 1 year ago (1 children)

Dear google, if you want me to disable my adblocker, maybe don't do stuff like that

[–] dan1101@lemm.ee 9 points 1 year ago

Yes on the rare occasions I browse without ad blockers I see so much slimy deceptive crap. Curate your ads or don't have ads.

[–] Moonrise2473@feddit.it 23 points 1 year ago (2 children)

I also blame the genius that allowed punycode in URLs

There's no legitimate usage

[–] ShortN0te@lemmy.ml 16 points 1 year ago (2 children)

I would call this actually ignorance. There are other languages then english. Other languages have (even with the roman alphabet) have special characters that are not supported without punycode. For example âäàáßœöō. Workaround exists for a lot of those but without punycode you would be leftout when younhave on of those character ind you name,cityname,companyname.

Punycode has is problems in the URL and if jt is just the point that not every piece of software understands it but it allows for more domain names to choose from when youn have a special character in you family name.

[–] Moonrise2473@feddit.it 17 points 1 year ago (1 children)

My language has a lot of accented letters yet I never once in my life saw a legit domain with accented letters. If the company name is "mi piace la pèsca perché è bella" we just register "mipiacelapescapercheebella.it"

The local nic also forbids to register any domain that starts with xn--

I traveled in many asian countries and I never encountered a domain in hanzi/kanji/hanja

[–] amju_wolf@pawb.social 5 points 1 year ago (1 children)

In most languages that's not an issue though.

So what, we can't use diacritics. Everyone still understand the words perfectly fine and it prevents issues like this.

If some languages really need it (like maybe non-latin based alphabets) they can use it only for their domains?

[–] Sondermotor@lemmy.world 1 points 1 year ago

So what, we can't use diacritics. Everyone still understand the words perfectly fine and it prevents issues like this.

The other day I came across vaxer.stockholm. I was shocked and appalled when it dawned on me it was Stockholm municipality's urban development website, rather than a website about waxes and where to get them in the Stockholm area.

växer.stockholm redirects to vaxer.stockholm, and would be translated as growing.stockholm.

[–] Chariotwheel@kbin.social -1 points 1 year ago

Yeah, actually, why is that even a thing?

[–] TheBat@lemmy.world 22 points 1 year ago

Ok but like can you disable your adblocker? Why? Cause fuck you that's why.

- Googlphabetube

[–] EeeDawg101@lemm.ee 19 points 1 year ago (1 children)

I work in the IT field and in the last 5 months or so the amount of users getting into sticky situations (fake virus warnings, notification hijacking, etc) has skyrocketed. I kept thinking they were visiting shady sites, but finally I found out it’s the ads on google search results. It’s ridiculous how shady the ads are and I completely blame google. The notification feature in chrome is the stupidest thing ever with how easy it is for sites to take advantage of ignorant users.

[–] phx@lemmy.ca 4 points 1 year ago

I've tried to report up fake sites to Google regarding spoofing well-established business, including that of my employer. All the twists seem to go to a black hole

[–] autotldr@lemmings.world 4 points 1 year ago

This is the best summary I could come up with:


Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Combining the ad on Google with a website with an almost identical URL creates a near perfect storm of deception.

“Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes, wrote in a post Wednesday that revealed the scam.

The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google.

When in doubt, people can open a new browser tab and manually type the URL, but that’s not always feasible when they’re long.

Another option is to inspect the TLS certificate to make sure it belongs to the site displayed in the address bar.


The original article contains 422 words, the summary contains 157 words. Saved 63%. I'm a bot and I'm open source!

[–] 30p87@feddit.de 2 points 1 year ago (1 children)

Just another example of Windows missing key components for being a good operating system. Yes, they have the Microsoft Store, but it's filled with fakes and FOSS programs for 20$ or more. Meanwhile MacOS makes it really hard to install from other sources and provides almost everything in the App Store, and we don't even need to talk about Linux.

[–] Jamie@jamie.moe 3 points 1 year ago (1 children)

The thing is, MS made a command line package manager that allows users to submit configs for new packages via GitHub. But they haven't made a UI for it and don't tell anyone that it exists. You have to go out of your way to find out about it, which 99% of users are not going to do.

I use it when I set up new Windows VMs and it's a lot easier than manually navigating to websites for software installers.