Malicious Google Ads campaign targets AWS users


Researchers have spotted yet another malicious campaign that abuses Google Ads to steal people’s sensitive data, specifically Amazon Web Services (AWS) login credentials.

Experts from SentinelLabs recently discovered a Google Ads campaign promoting a malicious landing page that appeared near the top of Google's search results for the cloud giant.

People searching Google for “aws” would see, ranked second, a malicious landing page that impersonated a vegan food blog.

Categorizing stolen data

Visitors to that site were then presented with a fake AWS login page, and any credentials entered there would be stolen.

Furthermore, the site prompted victims to select whether they were a root user or an IAM user, helping crooks categorize the stolen credentials based on utility and value.

The attackers also added a JavaScript function that disables right clicks, middle mouse buttons, and keyboard shortcuts, the researchers added, speculating that the feature was included to discourage victims from easily navigating away from the landing page.
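A defender's triage sketch for the behaviours described above, added here as an example and not taken from the researchers' report or tooling: it flags fetched HTML that shows an AWS-style sign-in form off an AWS host, offers the root/IAM choice, and suppresses mouse or keyboard events. The host allowlist, function names, reason labels and sample markup are constructed assumptions.

```javascript
// Added example: static triage heuristic over fetched HTML (constructed, not from the report).
const LOCKED_EVENTS = ["contextmenu", "auxclick", "mousedown", "keydown"];
// Assumption: hosts treated as legitimate AWS sign-in origins for this sketch.
const AWS_HOST_SUFFIXES = [".aws.amazon.com", ".amazonaws.com"];

function isAwsHost(pageUrl) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  return AWS_HOST_SUFFIXES.some((s) => host === s.slice(1) || host.endsWith(s));
}

// Events whose handler calls preventDefault() or returns false within 200 chars
// of registration. The window is a heuristic and can over-match dense scripts.
function suppressedEvents(html) {
  const cancel = "[\\s\\S]{0,200}?(preventDefault\\s*\\(|return\\s+false)";
  return LOCKED_EVENTS.filter((ev) => {
    const listener = new RegExp(`addEventListener\\(\\s*['"]${ev}['"]${cancel}`, "i");
    const inline = new RegExp(`on${ev}\\s*=${cancel}`, "i");
    return listener.test(html) || inline.test(html);
  });
}

function triage(pageUrl, html) {
  const offDomain = !isAwsHost(pageUrl);
  const hasPassword = /<input[^>]+type\s*=\s*['"]?password/i.test(html);
  const mentionsAws = /\b(aws|amazon web services)\b/i.test(html);
  const rootOrIam = /root user/i.test(html) && /iam user/i.test(html);
  const locked = suppressedEvents(html);
  const reasons = [];
  if (offDomain && hasPassword && mentionsAws) reasons.push("aws-login-form-off-domain");
  if (offDomain && rootOrIam) reasons.push("root-or-iam-selector-off-domain");
  if (locked.length >= 2) reasons.push("input-lockdown:" + locked.join(","));
  return { suspicious: reasons.length >= 2, reasons };
}

// Constructed sample markup; the host name is a placeholder.
const SAMPLE_PAGE = `<title>Sign in - AWS</title>
<form><label><input type="radio" name="t"> Root user</label>
<label><input type="radio" name="t"> IAM user</label>
<input type="password" name="p"></form>
<script>
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.addEventListener('keydown', function (e) { if (e.ctrlKey) e.preventDefault(); });
document.onmousedown = function (e) { if (e.button === 1) return false; };
</script>`;

console.log(triage("https://food-blog.example/signin", SAMPLE_PAGE));
```

A single signal is not enough to flag a page here, since ordinary sites also cancel individual events; the verdict needs at least two of the three indicators.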

SentinelLabs discovered the campaign on January 30, 2023, and further investigation uncovered that the attackers were most likely Brazilian.

The researchers reported the attack to Cloudflare, which shut down the malicious account, but BleepingComputer claims the ads on Google are still active. We weren’t able to independently verify if that is still the case, or if Google did its part in the meantime.

Cybercriminals constantly try to leverage Google’s ad network to deliver malware and steal people’s data. The search engine giant is generally perceived as trusted, making people less vigilant when clicking on search engine results. Last December, researchers from Malwarebytes spotted a campaign in which scammers used the traffic from an adult website to generate clicks on Google Ad banners, netting huge returns. 

Via: BleepingComputer

Sead Fadilpašić
