• jqubed@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    6 months ago

    The ad doesn’t actually deliver the malware, just directs people to a malicious download that mimics the Arc Browser. Users then have to follow onscreen instructions to install the malicious application in a non-standard way that allows it to bypass built-in protections in macOS to make it harder to install unsigned apps.

    I’m curious how successful this campaign would be. It requires a lot of bad behavior by the victim to succeed. First, they’d have to decide to download a new web browser just from one banner ad, without doing any research on the browser; just click the link in the ad to go directly to the malicious download and install it directly from there. Second, they’d have to convince the user to right-click and select “Open” instead of simply double-clicking the installer or dragging it to the Applications folder like every other Mac application; otherwise the OS blocks it. I’m sure there are users dumb enough to do either step, but the subset of users dumb enough to do both steps and be on macOS and see this ad, I’m thinking they might only nab a few hundred victims tops, if that. I suspect this might be a proof of concept more than anything; probably most of the downloads were security researchers or potential customers testing it out. It sounds like the security researchers were following the malware seller, then found the ad, not the other way around. And of course, the ad has been taken down by Google now.

    Like most other large advertising networks, Google Ads regularly serves malicious content that isn’t taken down until third parties have notified the company. Google Ads takes no responsibility for any damage that may result from these oversights. The company said in an email it removes malicious ads once it learns of them and suspends the advertiser and has done so in this case.

    Earlier in the article they said Google had “vetted” the company that bought the ad. It seems their process sucks and this policy is a cop-out, and all of that just to net Google, what, a couple bucks on this short-lived fraudulent campaign?