This fake GIMP Google ad just ends up serving malware
Google’s ad network has been identified as displaying a malicious ad that could lead to users having their identity information and other sensitive data stolen.
Hackers have reportedly managed to trick Google Ad Manager into placing a fake ad for the popular photo editor GIMP, meaning those who wanted to download the program only ended up with a powerful info stealer called Vidar.
Whenever a victim typed “GIMP” or a similar keyword into Google’s search engine, they were presented with an ad that displayed GIMP’s official website, GIMP.org, among other things. However, anyone who actually clicked the ad was not sent to that domain but to gilimp.org or gimp.monster. There they were offered a 700MB download, an artificially bloated executable that is in reality only 5MB in size: the Vidar infostealer.
Fooling the system
How this was possible is not yet entirely certain. Some researchers believe the threat actor used an IDN homograph attack, registering the Cyrillic gіmp.org (entered as http://xn--gmp-jhd.org/) so that it renders like gimp.org in the Latin alphabet; others are of the opinion that the trick was actually much less elaborate.
Instead, BleepingComputer reports that Google allows advertisers to create ads with two different URLs: a display URL shown to viewers and a final URL to which they are actually sent. Google reportedly enforces strict rules here, for example permitting only pairs that use the same domain, so it is not known how or why Ad Manager let this particular campaign go live. Google is still silent on the matter, and we will update the article if the search giant decides to elaborate.
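Both explanations above come down to the same defensive question: does an ad's destination host merely look like the brand it advertises? The following example, added here and not part of the article or of any tool it mentions, decodes punycode labels, flags labels that mix Latin and Cyrillic letters, and compares the registered name against a brand allowlist after collapsing common Cyrillic look-alikes and allowing a small edit distance, so that the Cyrillic gіmp.org (xn--gmp-jhd.org) as well as gilimp.org and gimp.monster are all flagged while gimp.org is not. The brand allowlist, the confusable table (a tiny subset of Unicode's confusables), the edit-distance threshold and the sample host list are constructed assumptions for this example.

```python
"""Added example (not from the article): flag ad destination hosts that look like
a known brand via punycode/mixed-script homographs or near-miss spellings.

Assumptions: KNOWN_BRANDS, CONFUSABLES, the edit-distance threshold and
SAMPLE_HOSTS are constructed for this example; CONFUSABLES covers only a few
Cyrillic letters, not the full Unicode confusables list."""
import unicodedata

# Constructed allowlist of brand domains an ad is expected to point at.
KNOWN_BRANDS = {"gimp.org"}

# Constructed subset of Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

# Constructed threshold: how many single-character edits still count as a look-alike.
MAX_EDITS = 2


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its Unicode form; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}.
    unicodedata.name() starts with the script name, so the first word is enough."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def skeleton(text: str) -> str:
    """Replace confusable letters with their Latin look-alikes so that
    'gіmp' (Cyrillic і) and 'gimp' collapse to the same string."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squats such as 'gilimp'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_host(host: str) -> dict:
    """Return what is suspicious about a hostname, if anything."""
    labels = [decode_label(l) for l in host.lower().split(".")]
    unicode_host = ".".join(labels)
    # A single label that mixes scripts is the classic homograph signal.
    mixed = any(len(scripts_in(l)) > 1 for l in labels)
    # Compare the second-level label (e.g. 'gimp' of 'gimp.monster') with each brand.
    sld = skeleton(labels[-2] if len(labels) >= 2 else labels[0])
    impersonates = None
    if unicode_host not in KNOWN_BRANDS:
        for brand in KNOWN_BRANDS:
            if edit_distance(sld, brand.split(".")[-2]) <= MAX_EDITS:
                impersonates = brand
                break
    return {
        "host": host,
        "unicode_host": unicode_host,
        "mixed_script": mixed,
        "impersonates": impersonates,
        "suspicious": mixed or impersonates is not None,
    }


# Constructed sample of ad destination hosts, including the article's examples.
SAMPLE_HOSTS = ["gimp.org", "xn--gmp-jhd.org", "gilimp.org", "gimp.monster"]


def suspicious_hosts(hosts=SAMPLE_HOSTS) -> list:
    """Hosts from the sample that should be reviewed before an ad goes live."""
    return [h for h in hosts if analyse_host(h)["suspicious"]]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(analyse_host(h))
```

The punycode step matters because logs and ad-review tooling usually carry the ASCII form (xn--gmp-jhd.org), which looks harmless until it is decoded; the skeleton and edit-distance checks then treat the decoded name, the extra-letter spelling and the swapped TLD as variants of the same impersonation.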
Vidar is a well-known infostealer that can grab browser information (passwords, cookies, stored credit card information, and the like), cryptocurrency wallet information, Telegram credentials, file transfer application information, and a host of other sensitive data.
Via BleepingComputer