Google has come under scrutiny for hosting a highly convincing malicious advertisement that could have deceived even security-conscious users. The ad masqueraded as a promotion for the open-source password manager Keepass, and because it appeared in Google search results, many users took it to be legitimate. The deception was compounded by the fact that clicking on the ad directed users to ķeepass[.]info, which looked authentic in the address bar.
However, a closer examination revealed that ķeepass[.]info was the displayed form of the encoded domain xn--eepass-vbb[.]info, and that domain was used to distribute a malware strain known as FakeBat. The combination of a deceptive Google ad and a nearly identical URL created a highly convincing scam.
Jérôme Segura, the head of threat intelligence at Malwarebytes, unveiled the scam and pointed out the double deception, explaining that users were initially misled by the Google ad, which appeared entirely legitimate, and then deceived again by the lookalike domain.
According to information from Google’s Ad Transparency Center, these ads had been running since Saturday and were last seen on Wednesday. They were funded by an entity called Digital Eagle, a verified advertiser according to Google’s transparency page.
The trickery behind the fake site xn--eepass-vbb[.]info appearing as ķeepass[.]info relies on an encoding technique called punycode. This method represents Unicode characters in domain names as plain ASCII text, so a browser can show the Unicode form (ķeepass) while the underlying name is the ASCII form (xn--eepass-vbb). The substitution of a single accented letter is hard to spot, especially when the site is backed by a valid TLS certificate.
The use of punycode in malware scams is not new. In the past, malicious actors have used this technique to create deceptive websites that closely mimic legitimate ones. The punycode approach initially gained notoriety in 2017 when a developer demonstrated how it could be used to impersonate apple.com.
Detecting such malicious Google ads or punycode-encoded URLs is not straightforward. Entering ķeepass[.]info into major browsers still leads to the imposter site. As a precaution, users can manually type the URL in a new browser tab or inspect the TLS certificate to ensure it corresponds to the site displayed in the address bar. However, these methods may not always be practical, particularly for longer URLs.
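The round trip from the article's xn--eepass-vbb[.]info to ķeepass[.]info, and a simple lookalike check a defender could run over proxy or DNS logs, as an added example that is not from the article or from Malwarebytes. The watchlist of brand domains and the sample log lines are constructed for the illustration; the check decodes any `xn--` label, strips diacritics, and flags hosts whose stripped form equals a watched brand.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical watchlist of brand domains whose lookalikes should be surfaced.
WATCHLIST = {"keepass.info"}

def decode_host(host: str) -> str:
    """Turn punycode (xn--) labels back into the Unicode form a browser shows."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # malformed label: keep the raw text so it stays visible
        labels.append(label)
    return ".".join(labels)

def skeleton(host: str) -> str:
    """Strip diacritics: NFKD decomposition, then drop combining marks (Mn)."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")

def check_url(url: str) -> dict:
    """Classify one URL: is it an IDN, and does it collapse onto a watched brand?"""
    host = urlsplit(url).hostname or ""
    decoded = decode_host(host)
    skel = skeleton(decoded)
    is_idn = decoded != host
    return {
        "host": host,
        "decoded": decoded,
        "skeleton": skel,
        "punycode": is_idn,
        "lookalike_of": skel if (is_idn and skel in WATCHLIST) else None,
    }

# Constructed sample log lines (not real traffic); the first host is the
# domain discussed in the article, the second is the genuine site.
SAMPLE_URLS = [
    "https://xn--eepass-vbb.info/download",
    "https://keepass.info/download.html",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        r = check_url(url)
        flag = f"LOOKALIKE of {r['lookalike_of']}" if r["lookalike_of"] else "ok"
        print(f"{r['host']:28} -> {r['decoded']:16} {flag}")
```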
Disclaimer: The views, suggestions, and opinions expressed here are the sole responsibility of the experts. No Echo Gazette journalist was involved in the writing and production of this article.