A recent malvertising campaign used a compromised website to promote fake versions of PyCharm in Google search results through Dynamic Search Ads.
According to Jérôme Segura, the director of threat intelligence at Malwarebytes, the campaign involved an unwitting website owner whose ad was automatically generated to endorse a popular Python development program on Google. This ad was visible to individuals searching for the software. Those who clicked on the ad were directed to a compromised webpage, where they were prompted to download the application. However, instead of PyCharm, the unsuspecting victims ended up installing more than a dozen different malware variants.
The compromised website in question is an undisclosed online portal specializing in wedding planning, which had been infected with malware to distribute counterfeit PyCharm software.
The attackers exploited Google’s Dynamic Search Ads feature, which utilizes a website’s content to customize ads based on user search terms.
As Google explains in its support documentation, “When someone searches on Google with terms closely related to the titles and frequently used phrases on your website, Google Ads will use these titles and phrases to select a landing page from your website and generate a clear, relevant headline for your ad.”
The incident shows how threat actors who can alter a website's content can take advantage of that site's ad campaigns, with unintended consequences for Google Search users.
In this case, the hacked webpage was the source of the dynamically generated ad, making the website owner an unintentional intermediary who paid for their own malicious ad, as clarified by Jérôme Segura.
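An added example, not from the original report or from Malwarebytes: because Dynamic Search Ads build headlines from page titles and frequent phrases, a site owner can compare each live page's title and H1 words against a reviewed baseline and flag pages that share almost none of them. The page paths, HTML and the 0.1 threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

STOPWORDS = {"the", "and", "for", "your", "our", "with", "you"}

class HeadlineText(HTMLParser):
    """Collects text inside <title> and <h1>, the fields an ad headline draws on."""
    def __init__(self):
        super().__init__()
        self.depth = 0
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        if tag in ("title", "h1"):
            self.depth += 1
    def handle_endtag(self, tag):
        if tag in ("title", "h1") and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        if self.depth:
            self.chunks.append(data)

def title_tokens(html):
    parser = HeadlineText()
    parser.feed(html)
    parser.close()
    words = re.findall(r"[a-z0-9]+", " ".join(parser.chunks).lower())
    return {w for w in words if len(w) > 2 and w not in STOPWORDS}

def off_topic_pages(baseline, current, min_overlap=0.1):
    """URLs in `current` whose headline words barely overlap the reviewed baseline."""
    vocab = set().union(*(title_tokens(h) for h in baseline.values()))
    flagged = []
    for url, html in current.items():
        tokens = title_tokens(html)
        if tokens and len(tokens & vocab) / len(tokens) < min_overlap:
            flagged.append(url)
    return sorted(flagged)

# Constructed sample: reviewed pages of a wedding-planning site (assumption).
BASELINE = {
    "/": "<title>Wedding Planning Made Simple</title><h1>Plan your wedding</h1>",
    "/venues": "<title>Wedding Venues and Reception Ideas</title><h1>Find a venue</h1>",
    "/checklist": "<title>Wedding Planning Checklist</title><h1>Your checklist</h1>",
}
# Constructed crawl of the live site: one new legitimate page, one injected page.
CURRENT = {**BASELINE,
    "/florists": "<title>Wedding Florists Near You</title><h1>Florists</h1>",
    "/blog/post-4821": "<title>PyCharm Download for Windows</title><h1>Get PyCharm</h1>",
}

if __name__ == "__main__":
    print(off_topic_pages(BASELINE, CURRENT))
```

Comparing against a reviewed baseline rather than the live site itself means a batch of injected pages cannot vouch for each other's vocabulary.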
This development coincides with Akamai’s revelation of the infrastructure supporting an elaborate phishing campaign aimed at hospitality sites and their customers. The global threat was observed to generate significant DNS traffic in Switzerland, Hong Kong, and Canada. Despite initial reports suggesting that the campaign started in September 2023, domain registration data reveals activity dating back to June 2023.