Cybercriminals get past Google's ad review by advertising a harmless site, which then redirects to a second site serving malware

On December 28, 2022, Guard.io and Trend Micro published a report on a new malvertising campaign. The two companies identified sites appearing among the sponsored results of Google Search that redirect to fraudulent sites.

Typically, these are clones of the original vendor sites. They offer popular free software for download: Slack, µTorrent, TeamViewer, Audacity, Brave, or LibreOffice. What is actually delivered is an information stealer or a botnet implant.

To get past Google's ad-review and detection tools, the criminals set up a second, decoy site. This one is entirely harmless and looks nothing like the official one. They pay to have the decoy appear among the sponsored links returned for searches on the original software, and Google approves the ad, since the site it reviews is clean.

But when a user clicks the link, this first site automatically redirects them to the fraudulent site, which then offers the desired software as a ZIP archive hosted on a public file-sharing platform. Two hops, not one, are what make the scheme work: the URL Google reviews is not the URL the victim ends up on.
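The two-hop chain described above can be checked mechanically: fetch the ad's landing URL without following redirects, then walk every server-side (HTTP 3xx) and client-side (meta refresh, JavaScript location) hop and compare the final host with the brand being advertised. The script below is an added example, not code from the Guard.io or Trend Micro reports; the decoy, clone and file-host domains (all under `.test`) and their responses are constructed in a lookup table so the script runs offline. In real use, `fake_fetch` would be replaced by an HTTP client called with redirects disabled.

```python
"""Resolve an ad landing page's redirect chain and flag brand/domain mismatch.

Added example; the domains and responses below are constructed stand-ins for
the decoy -> clone -> file-host pattern, not real indicators.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed "web": URL -> (status, headers, body).
# Hop 1: the decoy site that passed ad review; it answers with an HTTP 302.
# Hop 2: the clone site; it bounces with a <meta refresh>.
# Hop 3: the download page; it jumps via JavaScript to a public file host.
FAKE_WEB = {
    "https://example-decoy.test/slack-download": (
        302, {"Location": "https://slack-app-download.test/"}, ""),
    "https://slack-app-download.test/": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=https://slack-app-download.test/get"></head></html>'),
    "https://slack-app-download.test/get": (
        200, {"Content-Type": "text/html"},
        '<html><body><script>window.location = '
        '"https://files.example-host.test/d/abc123/Slack-Setup.zip";'
        '</script></body></html>'),
    "https://files.example-host.test/d/abc123/Slack-Setup.zip": (
        200, {"Content-Type": "application/zip"}, "PK..."),
    # A benign landing page on the brand's own domain, for contrast.
    "https://slack.com/downloads/windows": (
        200, {"Content-Type": "text/html"}, "<html><body>Download Slack</body></html>"),
}

META_REFRESH = re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def fake_fetch(url):
    """Stand-in for an HTTP client called with redirects disabled."""
    return FAKE_WEB.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Return the URL a browser would move to next, or None at the end of the chain."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])
    if "text/html" in headers.get("Content-Type", ""):
        m = META_REFRESH.search(body) or JS_LOCATION.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None


def resolve_chain(start_url, fetch=fake_fetch, max_hops=10):
    """Follow server-side and client-side redirects; return the list of URLs visited."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
        url = nxt
    return chain


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the domains used in this example."""
    return ".".join(host.split(".")[-2:])


def assess(start_url, brand_domain, fetch=fake_fetch):
    """Flag a landing page whose chain ends off-brand, especially on an archive download."""
    chain = resolve_chain(start_url, fetch)
    final = urlparse(chain[-1])
    off_brand = registrable(final.netloc) != registrable(brand_domain)
    archive = final.path.lower().endswith((".zip", ".rar", ".7z"))
    return {
        "chain": chain,
        "hops": len(chain) - 1,
        "off_brand_final": off_brand,
        "archive_download": archive,
        "suspicious": off_brand and (len(chain) > 1 or archive),
    }


if __name__ == "__main__":
    for start in ("https://example-decoy.test/slack-download",
                  "https://slack.com/downloads/windows"):
        r = assess(start, "slack.com")
        for i, hop in enumerate(r["chain"]):
            print(f"hop {i}: {hop}")
        print("suspicious:", r["suspicious"], "\n")
```

The decisive signal is not any single hop but the mismatch between the advertised brand and the registrable domain at the end of the chain; a legitimate vendor's ad can redirect too, but it stays on the vendor's own domain. Note that the `registrable` helper is a deliberate simplification; production code should use a public-suffix list.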

If the victim then opens the archive and runs what is inside without checking it, the malware installs on their machine. It can be Raccoon Stealer, a custom build of Vidar Stealer, or the IcedID botnet. An antivirus scan is a weak check against a freshly built stealer; the more reliable tell is that the download arrived from a file-sharing host rather than the vendor's own domain.
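Before anything in such an archive is executed, a few offline checks catch most of these lures: list the members, flag anything Windows would run on double-click (by extension and by the PE `MZ` magic, so a renamed binary is still caught), flag double extensions such as `ReadMe.pdf.lnk`, and compare each executable's SHA-256 with the hash the vendor publishes on its own site. The script below is an added example, not code from the reports; the archive it inspects is constructed in memory (a few bytes with an `MZ` header, a fake shortcut, a text file), and the "vendor-published" hash is a placeholder chosen to not match.

```python
"""Triage a downloaded "installer" archive before anything in it is run.

Added example. The archive is built in memory so the script runs offline; the
member names and bytes are invented stand-ins for the kind of lure described
above, not real samples, and the vendor hash is a placeholder.
"""
import hashlib
import io
import zipfile

# Extensions Windows will execute, or that launch something, on double-click.
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs",
                  ".lnk", ".dll", ".ps1")


def build_sample_zip():
    """Constructed lure: a fake PE installer, a double-extension shortcut, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Fake PE: just the MZ magic plus padding, enough to trip the header check.
        z.writestr("Slack-Setup/Slack-Setup.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        # Shortcut disguised as a PDF: Explorer hides the .lnk extension by default.
        z.writestr("Slack-Setup/ReadMe.pdf.lnk", b"L\x00\x00\x00\x01\x14\x02\x00")
        z.writestr("Slack-Setup/license.txt", b"Constructed text file for the example.\n")
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_zip(data, vendor_hashes):
    """Inspect an archive and decide whether its executables match vendor-published hashes.

    vendor_hashes: {member basename: sha256 hex}, as the vendor would publish on its own site.
    Returns the members, the flagged items, per-member hashes and a verdict string.
    """
    out = {"members": [], "executables": [], "double_extension": [],
           "unverified": [], "sha256": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            content = z.read(info)
            base = name.rsplit("/", 1)[-1]
            digest = sha256_hex(content)
            out["members"].append(name)
            out["sha256"][base] = digest
            # Flag by extension and by PE magic, so a renamed binary is still caught.
            if base.lower().endswith(EXECUTABLE_EXT) or content[:2] == b"MZ":
                out["executables"].append(name)
                if vendor_hashes.get(base) != digest:
                    out["unverified"].append(name)
            # "name.pdf.lnk": more than one extension, and the real one is executable.
            parts = base.lower().split(".")
            if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXT:
                out["double_extension"].append(name)
    if out["unverified"] or out["double_extension"]:
        out["verdict"] = "do not run: unverified executable content"
    elif out["executables"]:
        out["verdict"] = "executables match vendor hashes"
    else:
        out["verdict"] = "no executable content"
    return out


if __name__ == "__main__":
    sample = build_sample_zip()
    # Constructed "vendor-published" hash that deliberately does not match the lure.
    published = {"Slack-Setup.exe": "0" * 64}
    result = triage_zip(sample, published)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The hash comparison is the part that actually settles the question: a clone site can copy the vendor's page pixel for pixel, but it cannot make its trojanised installer hash to the value printed on the vendor's real download page.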
