UPDATED 18:45 EST / OCTOBER 19 2023

SECURITY

KeePass users targeted: Attackers leverage Google Ads for deceptive campaign

A new report from cybersecurity software firm Malwarebytes Inc. today details a “malvertising” attack that exploits Google LLC ads to trick users into visiting a fake site for the open-source password management KeePass.

Described by the Malwarebytes Labs researchers as “clever,” the attack methodology involves the attackers impersonating the official KeePass website using the Punycode character encoding system to allow them to register domains that visually appear very similar to legitimate ones. The difference between the original and fake sites is said to be visually so subtle that it will undoubtedly fool many people.

Setting up a fake domain is one thing, but getting accepted in Google Ads is another level and this is what has happened here. The attackers managed to get the fake KeePass site not only into Google Ads but also to appear at the top of search results. The malicious Google ads look entirely genuine and feature the official KeePass logo and URL.

When clicked, the ad redirects users via a cloaking service to a decoy site with the domain ķeepass[.]info, using Punycode. Easy to miss, there’s a tiny character beneath the “k” that is not a standard letter k but one from another character set. Because it’s easy to miss, users are none the wiser that they may not be on the official KeePass site.

While not an exact replica of the original site, the fake KeePass is still convincing and offers unsuspecting visitors a malicious .msix installer that is digitally signed. Inside the malicious installer lies PowerShell code linked to the FakeBat malware family. The malware subsequently communicates with a control server and prepares the victim’s device for future malicious activity.

“While Punycode with internationalized domain names has been used for years by threat actors to phish victims, it shows how effective it remains in the context of brand impersonation via malvertising,” the Malwarebytes researchers note. “Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain.”

Images: KeePass, Malwarebytes

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU