Trojanized PyCharm Software Version Delivered via Google Search Ads

Oct 31, 2023 | Newsroom | Malvertising / Threat Intelligence

A new malvertising campaign has been observed exploiting a compromised website to promote fake versions of PyCharm in Google search results through the use of Dynamic Search Ads.

“Unbeknownst to the site owner, one of their ads was automatically generated to promote a popular program for Python developers, and was seen by people searching for it on Google,” Jérôme Segura, director of threat intelligence at Malwarebytes, said in a report.

“Victims who click on the ad are taken to a hacked web page with a link to download the application, which installs a dozen different pieces of malware instead.”


The infected website in question is an unnamed online portal specializing in wedding planning, which has been injected with malware to serve fake links to the PyCharm software.

Per Malwarebytes, websites are targeted using Dynamic Search Ads, an ad offering from Google that programmatically uses site content to tailor targeted ads based on search terms.

“If someone searches on Google with terms closely related to the titles and frequently used phrases on your website, Google Ads will use these titles and phrases to select a landing page from your website and create a clear, relevant headline for your ad,” Google explains in its supporting documentation.

As a result, a threat actor with the ability to modify website content can also turn ad campaigns into a lucrative tool for abuse, effectively serving ads to Google Search users that may result in unintended behavior.


“What happened here was that Google Ads dynamically created this ad from the hacked page, making the website owner an unwitting intermediary and victim paying for their own malicious ad,” Segura explained.

The development comes as Akamai details the infrastructure behind a sophisticated phishing campaign targeting hospitality sites and their customers.

“The campaign is a global threat, with significant amounts of DNS traffic seen in Switzerland, Hong Kong, and Canada,” the company said.

“Although the campaign was initially thought to be active only since September 2023, the domain registration shows domain names registered and queried as early as June 2023.”
