Google Dynamic Search Ads Abused to Unleash Malware Deluge

Published: 23/11/2024   Category: security




An advanced feature of Google targeted ads can enable a flood of malware infections on a scale rarely seen before, rendering machines completely useless.



A researcher has uncovered a new method of using vulnerable websites to deliver malicious, targeted ads to search engine users, capable of delivering a tsunami of malware that can overwhelm victims completely.
The key is dynamic search ads, a feature in which Google uses the content of a website landing page to pair targeted ads with searches. In an Oct. 30 blog post, Jerome Segura, senior director of threat intelligence at Malwarebytes, described how an attacker used a fake software ad on a compromised website to take advantage of this feature, targeting search engine users.
And, remarkably, it all may have been by accident.
"I think the ad itself is really kind of accidental, in the way that it was created. The fact that I saw it [in a Google search], I don't think the threat actor planned it at all," Segura posits.
"I didn't see the site first, I saw the ad first," Segura recalls. He was searching for common keywords used by hackers — often fake advertisements for office applications, remote monitoring software, and so on. In this case, the keyword was "PyCharm," the development environment for Python programming.
The search yielded a sponsored result.
While the headline matched his search, the snippet seemed to be pulled from a wedding planning site. And through Google's Ads Transparency Center, it was clear that the site's other content all had to do with weddings, not Python.
"In most ads that I see for malicious software downloads, the content matches the title. So the threat actor actually goes through the effort of creating an ad from scratch: they use a compromised advertiser account, and they create the ad with a matching URL, a matching description, and all. That wasn't the case here. So I thought: Why would somebody create a title that doesn't match the description?" Segura recalls.
It turned out that some pages within the neglected wedding planning site had been injected with spam-generating malware.
The malware rewrote these pages' titles and presented visitors with a malicious PyCharm serial key pop-up. To make matters worse, Google's dynamic ads feature picked up on the malicious content, which is how it got advertised to Segura.
Were an unwitting visitor to click on the PyCharm pop-up link, they would experience "a deluge of malware infections the like we have only seen on rare occasions, rendering the computer completely unusable," Segura explained in his blog. He speculated that the attacker may have been trying to monetize as many malware downloads as possible, for cybercrime commission payments.
For hackers that want to take advantage of small- and midsize business websites for their own ends, there is an untold trove of potential choices simply lying in wait.
"The problem," Segura explains, "is that usually business owners don't create it themselves. They hire a Web agency to create the website for them at a particular time, and then the Web agency delivers the product, and then that's it. There's no follow up." Businesses might keep using the site, but without taking care of it on the backend.
"So what happens is, the core WordPress itself becomes out of date. And then any of the plugins that may have been used also become out-of-date. And out-of-date usually applies not just to features, but also security patches. And so those websites are just sitting ducks for anybody to crawl entire IP ranges, and then just mass compromise," he says.
Where businesses might lack the resources or wherewithal to maintain proper security, Segura thinks, Google could at least help search engine users avoid landing in traps, by flagging cases where targeted ads and website content diverge significantly.
"In this case a wedding website and an ad for a piece of software. I've seen another example that was pretty clear cut as well: for another piece of software, and the advertiser was a restaurant. That should be an immediate flag for Google, because it really does not match what the business does," he concludes.
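
Site owners can apply the same mismatch signal to their own pages before an ad system picks up a rewritten title. The sketch below is an added example, not code from the article or from Malwarebytes: it scores each page by the share of its title words that appear in the body text of the site's other pages and flags low scores. The sample pages, stopword list and 0.34 threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

STOPWORDS = {"and", "the", "for", "your", "with"}  # assumed minimal list

class PageText(HTMLParser):
    """Collect <title> text and visible body text; skip script/style."""
    def __init__(self):
        super().__init__()
        self.title, self.body, self._cur = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("title", "script", "style"):
            self._cur = tag
    def handle_endtag(self, tag):
        if tag == self._cur:
            self._cur = None
    def handle_data(self, data):
        if self._cur == "title":
            self.title.append(data)
        elif self._cur is None:
            self.body.append(data)

def tokens(text):
    return {w for w in re.findall(r"[a-z]{3,}", text.lower()) if w not in STOPWORDS}

def title_scores(pages):
    """Map path -> share of title words found in OTHER pages' body text."""
    parsed = {}
    for path, html in pages.items():
        p = PageText()
        p.feed(html)
        parsed[path] = (tokens(" ".join(p.title)), tokens(" ".join(p.body)))
    scores = {}
    for path, (title, _) in parsed.items():
        # Leave-one-out vocabulary, so an injected page cannot vouch for itself.
        vocab = set().union(*(b for q, (_, b) in parsed.items() if q != path))
        scores[path] = len(title & vocab) / len(title) if title else 1.0
    return scores

def flag_drift(pages, threshold=0.34):
    """Paths whose title shares too little vocabulary with the rest of the site."""
    return sorted(p for p, s in title_scores(pages).items() if s < threshold)

# Constructed sample: a small wedding site with one page whose title was rewritten.
SAMPLE = {
    "/venues": "<title>Wedding Venues and Reception Ideas</title><p>Choose wedding venues, compare reception halls and plan the ceremony.</p>",
    "/flowers": "<title>Wedding Flowers and Bouquet Ideas</title><p>Bouquet and flowers ideas for the ceremony and reception venues.</p>",
    "/checklist": "<title>Wedding Planning Checklist</title><p>A planning checklist for your wedding: venues, flowers, bouquet, ceremony.</p>",
    "/tips": "<title>PyCharm Serial Key Free Download</title><p>Tips for planning the wedding ceremony and reception flowers.</p>",
}
```

Calling `flag_drift(SAMPLE)` returns the one page whose title has drifted from the site's topic. On a real site the input would be a crawl of the sitemap, and a flagged page is a prompt to compare it against a known-good copy.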
