Hackers are running malicious Google Ads campaigns targeting victims interested in the new Arc browser, with the aim of installing information-stealing malware on their Mac devices.
Cybersecurity researchers at Malwarebytes spotted a new campaign in the Google Ads network, which appears to be promoting the new (and quite popular) Arc browser.
The campaign is from ‘Coles & Co’ and links to the domain name archost(.)org. However, people who click on the link are redirected to arc-download(.)com, a completely fraudulent site that only offers Arc for Mac.
PR move
On the surface, the downloaded DMG file behaves exactly as a legitimate file would, except that it relies on the right-click trick to bypass protection.
What victims ultimately end up with is Poseidon, a variant of Atomic Stealer (AMOS), a well-known infostealer that can extract all sorts of information from target devices, from sensitive files to cryptocurrency wallet details, to saved passwords and browsing data.
There seems to be a lot of code overlap between AMOS and Poseidon, but its creator – someone going by the alias Rodrigo4 – said they needed a unique brand to be better recognized in the underground community.
“Simply put, people didn’t know who we were,” the developer said in a recent post.
Because the Google Ads network can display ads at the top of search engine results pages, distributing malware through it significantly increases the chances of success.
To run a malvertising campaign, cybercriminals steal people’s Google Business accounts that are verified to run ad campaigns and have a linked credit card for payments. They then create an ad campaign that promotes fraudulent websites at the top of the search results pages. Recently, cybersecurity experts started warning users to be careful when searching and to type in known addresses instead of just Googling them.