Google-hosted malvertising leads to fake Keepass site that looks genuine

382 points by bovem, over 1 year ago

34 comments

johnklos, over 1 year ago
"The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google."

OF COURSE they were verified by Google. Google verifies identity by accepting money. Give them money, and you're verified.

"Google representatives didn't immediately respond to an email" Are there real humans at Google who actually answer email? I haven't seen a response from Google in more than a decade. It makes me wonder if all the phishing and spam I'm reporting even does anything.

Honestly, it's time for the world to move on from Google. They haven't been safe to use as a search engine for more than two years.

After clients had been sent to phishing sites by Google's ads, I decided to block these domains on all the networks I administer:

    googlesyndication.com
    googleadservices.com
    googletagservices.com
    googletagmanager.com
    google-analytics.com
pjc50, over 1 year ago
Advertising intermediaries should be held partly liable for fraudulent adverts, or advertising should be aggressively de-anonymised, or maybe both. I'm not a fan of German-style "impressum" requirements for general publishing, but advertising is different in the way it aggressively inserts itself onto other sites in ways which (crucially) the user has no control over. Other than blocking all ads.

It ought to be possible to click on the corner of an ad and get the company number and business address of those responsible for it. "Overseas" adverts originating in different countries should be even more heavily checked, because if they're fraudulent then recourse is much harder even if they're not anonymous.
jasode, over 1 year ago
> A closer look at the link, however, shows that the site is not the genuine one. In fact, ķeepass[.]info —at least when it appears in the address bar—is just an encoded way of denoting xn--eepass-vbb[.]info, which it turns out, is pushing a malware family tracked as FakeBat. Combining the ad on Google with a website with an almost identical URL creates a near perfect storm of deception.
>
> "Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain," Jérôme Segura, head of threat intelligence at security provider Malwarebytes,

Back in 2017, Google Chrome 59 supposedly fixed the Punycode phishing attack. E.g. story: https://www.engadget.com/2017-04-17-google-chrome-phishing-unicode-flaw.html

Maybe a dedicated criminal studied the Chromium source code that checks Punycode and noticed a flaw where it would allow 'ķ' in place of 'k'???

https://www.xn--80ak6aa92e.com/ --> fake "аррӏе.com" triggers phishing warning

https://xn--eepass-vbb.info/ --> fake "ķeepass.info" does not trigger warning
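As an added illustration, not code from this thread, from Chromium or from Malwarebytes: a defender-side check that decodes the two Punycode hostnames quoted above the way an address bar does and then flags lookalikes of protected names. The 'ķ' case is caught by stripping diacritics after NFKD decomposition, the Cyrillic 'аррӏе' case by a small hand-picked confusables table. The PROTECTED set, the CONFUSABLES table and the function names are assumptions made for this example; it needs Python 3.7 or newer.

```python
import unicodedata

# Constructed watchlist of names this check protects (assumption, not a real list).
PROTECTED = {"keepass", "apple", "gimp"}

# Hand-picked Cyrillic letters that render like Latin ones (assumption: a real
# deployment would load the full Unicode confusables table instead).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l"}


def to_unicode(hostname: str) -> str:
    """Decode every xn-- label: this is what the address bar shows when IDN
    display is on (Firefox: network.IDN_show_punycode = false)."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """ASCII string the label imitates: NFKD splits 'ķ' (U+0137) into 'k' plus a
    combining cedilla, which is dropped; Cyrillic goes through CONFUSABLES."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def scripts(label: str) -> set:
    """Script names (first word of each letter's Unicode name), e.g. {'LATIN'}."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def assess(hostname: str) -> dict:
    """Displayed form plus lookalike findings for the first label (empty = clean)."""
    shown = to_unicode(hostname)
    label = shown.split(".")[0]
    findings = []
    if not label.isascii():                      # pure-ASCII labels need no check
        sk = skeleton(label)
        if sk.isascii() and sk in PROTECTED:
            findings.append(f"lookalike of '{sk}'")
        sc = scripts(label)
        if len(sc) > 1:
            findings.append("mixed scripts: " + ", ".join(sorted(sc)))
        elif "LATIN" not in sc:
            findings.append("non-Latin script: " + ", ".join(sorted(sc)))
    return {"shown": shown, "findings": findings}
```

Run assess("xn--eepass-vbb.info") to see why the diacritic trick is harder to catch than the Cyrillic one: the label is single-script Latin, so only the skeleton comparison against a protected name fires.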
beeboobaa, over 1 year ago
While Google is waging war against adblockers on YouTube they are once again showing they absolutely cannot be trusted with the responsibility of showing safe ads.

That, and them showing war videos in ads to little kids.
baal80spam, over 1 year ago
I consider myself a security-conscious person and I'm not sure I would've spotted this. Another reason to use uBo with zero regrets.
BLKNSLVR, over 1 year ago
"the company has said it promptly removes fraudulent ads as soon as possible after they're reported"

If they wanted to be part of the solution they'd vet the ads before they're made public. But that doesn't scale, and so people get scammed and society suffers and Google makes more money than it knows what to do with. Pretty fair trade...?

As others have said in one way or another, blocking internet advertising is part of healthy and safe internet usage.
LanceH, over 1 year ago
Seeing as I have to jump through hoops with know-your-customer laws, it would be nice if companies had to do that also in all these instances that make life difficult.

* misleading ads
* spam phone callers
* counterfeit products on Amazon and the like
* email

Everything seems to be built to make me 100% reachable by any crook out there, yet I can't reach these companies enabling this through any means at all.
TeMPOraL, over 1 year ago
That's a neat trick. I can imagine getting caught by this if I saw the link in non-ad context. The attackers made a smart choice here. Usual Unicode substitutions are something I've learned to spot, because the substituted letters look off, even if a tiny bit. But here? I didn't notice the dot under "k" even with an arrow pointing at it, because to me, it looked like a tiny speck of dust or dirt on the monitor. $deity knows I have many of those on my screen, and they're the kind of noise the visual system is good at ignoring.
noirscape, over 1 year ago
Punycode is of questionable use anyway. Granted I'm mostly looking into this from a primarily Latin-alphabet perspective, but for the various non-Latin-alphabet sites I've browsed over the past decade all of them just stuck to regular ASCII domains. (Heck, you see this even with usernames on websites that allowed Unicode to be used; most non-Latin-alphabet users will still stick to the Latin alphabet for usernames.)

The only place punycode really gets used in practice is spam domains. Even most Cyrillic and Asian domains don't use punycode.

I get the concept of punycode and it is impressive technically, but for domains it's just been a massive phishing headache.
miohtama, over 1 year ago
One solution to mitigate malvertising is ad transparency. Each ad should contain the legal contact details (company name, country) of the advertiser. It does not solve the issue fully, but consumers will surely avoid suspicious East European companies advertising. It will also make it easier for security researchers to track down bad actors and will bring some liability to the ad platform (Google).

Facebook already does this for political ads, so it is doable.
Semaphor, over 1 year ago
Interesting, Chrome indeed shows it in the URL bar as ķeepass[.]info, but with FF I get xn--eepass-vbb[.]info. Is this something I changed or a different default?

edit: As someone mentioned further down, it's an about:config setting for network.IDN_show_punycode
Unfrozen0688, over 1 year ago
I have seen similar but this one is VERY convincing. I would not have caught this. A "normie" would have no chance. Who knows how many are infected.
vultour, over 1 year ago
Browsers should display punycode by default in the address bar. 99.9% of these websites are scams. If you live in a place that commonly uses non-ASCII characters in the URL then you should be able to manually toggle it on.
Unfrozen0688, over 1 year ago
Another reason to use uBlock Origin / Brave Shields. Thanks for another article to send the adblocker complainers. THIS shit is what is killing the net, not adblock users.
SenAnder, over 1 year ago
The root cause is alphabets/fonts with lookalike characters being permitted in security-critical contexts. Tracing further, it's the mindset that this is a valuable feature, and not a reckless risk, that is to blame. Browser designers should have been feverishly working to further disambiguate Il1O0, not add more risk by allowing a multitude of whole new alphabets!
baz00, over 1 year ago
This is one of the many reasons I use an ad blocker. That entire advert is not visible on any of my machines, therefore I will never click it.
jve, over 1 year ago
Why doesn't that sponsored ad show www.ķeepass.info? I only see the screenshot from the browser where it shows that speck of dust there.
WirelessGigabit, over 1 year ago
The fact that they're using Punycode is only a secondary problem.

The first one is that Google Ads allow you to show an arbitrary URL below your ad without you showing that you own it.

The second one is allowing the URL shown to be different from where you send the users.

But I would like to see an option to render URLs as Punycode, and not their original form.
millzlane, over 1 year ago
Same issue from one year ago with GIMP.

https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/
xtagon, over 1 year ago
See: https://keepass.info/integrity.html (you may want to manually type it into the address bar...) and download their PGP keys. That way you can verify KeePass downloads using their signatures, which you can save and sign with your own key to really verify the paranoid way. If you ever land on a bad download site, you'll know something's up after you verify and it doesn't match.
disillusioned, over 1 year ago
I fell victim to a ridiculously stupid and expensive punycode ad scam on Facebook a number of years ago, advertising new Antminers. Absolutely idiotic, and infuriating, but the biggest mistake was assuming the likes of Facebook or Google actually reviewed and approved ads and protected their users from this sort of garbage, in addition to simply not noticing the tiniest dot in the address bar.
Stem0037, over 1 year ago
While there's no foolproof way to detect scams like these, there are some proactive steps we can take:

1. Always type in URLs manually when downloading critical software to bypass the potential risks from ads.

2. Make use of browser plugins that identify malicious websites or unverified SSL/TLS certificates.

3. Before making any downloads, inspect the TLS certificate of the website by clicking on the padlock icon next to the URL bar. Look for inconsistencies like a different company name or issue date.
ipython, over 1 year ago
Yet another day I'm glad I've protected my family with network-wide ad blocking through Pi-hole. Slowly they've learned that clicking on the top links ("sponsored") doesn't work, so now they're trained to look for the first organic search result whenever using Google.
Flott, over 1 year ago
In Firefox about:config, switching network.IDN_show_punycode to true could HELP spotting these kinds of scams. But I believe that, in the end, once it's showing in Google results, it's game over.

Ads in search results look close enough to regular search results for people to just trust them and click.
nrdxp, over 1 year ago
It must be serendipitous that the article just above this in my feed is about an AI banning someone for life from advertising on Meta because the AI thought they were trafficking animals for advertising Python courses.

And my guess is, absolutely nothing will be done, accountability-wise, in either case.
erie, over 1 year ago
Google once hosted an ISIS website; it was in English, French and Arabic. Reporting it was cumbersome and I could not take screenshots of it before I helped remove it. I used BuiltWith to detect the host, and found it was a Google SMB solution at the time.
sccxy, over 1 year ago
Can you prosecute Google for spreading viruses and helping criminals?
NietTim, over 1 year ago
This has been a problem with Google's ad network for over a decade now; apparently they don't think it's profitable enough to make sure this never happens again.
im3w1l, over 1 year ago
What can I as a user even do to protect myself from this? Like, what is the best practice for finding the official website of some organization in a high-stakes situation?
botanical, over 1 year ago
On Firefox Beta, for me it shows the punycode by default even though network.IDN_show_punycode is set to false by default.
trelane, over 1 year ago
Wait, there are people that don't just get it from their distro?!
eviks, over 1 year ago
Why is the ad screenshot clean without the cedilla mark under the K?
throwaway62989, over 1 year ago
On Gecko-based browsers:

about:config -> network.IDN_show_punycode = false
abfaqb, over 1 year ago
1) Use an ad blocker, always.

2) In advertisements, Google shouldn't allow the advertiser to modify the domain that is displayed. Really, why do they even do this?

3) IDN shouldn't be enabled by default.