Skip to main content

Careful — this Google ad could swipe your bank data without you knowing

Zoomed in version of Homebrew website.
Willow Roberts / Digital Trends

Using Google ads to push their malicious sites to the top of the results page is a trick cybercriminals use all too often. The latest example is a fake Homebrew website that uses an infostealer to swipe personal data, browser history, login information, and bank data from unsuspecting victims.

Spotted by Ryan Chenkie on X and reported by BleepingComputer, the malicious Google ad even displays the correct Homebrew URL “brew.sh,” so there’s no real way to spot the trick before clicking.

Recommended Videos

⚠️ Developers, please be careful when installing Homebrew.

Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site. pic.twitter.com/TTpWRfqGWo

— Ryan Chenkie (@ryanchenkie) January 18, 2025

For anyone who did click, the ad redirected them to a clone of the site hosted at “brewe.sh,” revealing the incorrect URL. According to a reply to the X post from Google’s Logan Kilpatrick, the ad has now been taken down — so no need to worry if you’re reading this. However, Chenkie and many of his commenters were surprised and confused by the ad’s ability to display the correct URL despite it not matching the link’s destination.

It seems this strategy is called “URL cloaking” and Google has told BleepingComputer that it happens because “threat actors are evading detection by creating thousands of accounts simultaneously and using text manipulation and cloaking to show reviewers and automated systems different websites that a regular visitor would see.”

Clearly, there’s a lot of work going in to trick Google into doing this, which means it could be a difficult problem for Google to fix. Right now, the company is “increasing the scale of its automated systems and human reviewers” to try and combat the problem, which certainly sounds expensive.

It’s possible that this URL cloaking technique makes it much easier for cybercriminals to target websites like Homebrew. As a software package management system for macOS and Linux, its audience is pretty much guaranteed to be more knowledgable than the average online shopper and likely wouldn’t fall for an ad that blatantly displayed an incorrect URL.

The infostealer used in this campaign was identified by security researcher JAMESWT as AmosStealer (also known as Atomic), and it’s specifically designed for macOS systems. Developed using Swift, the malware can run on both Intel and Apple Silicon devices and it’s sold to cybercriminals as a $1,000-per-month subscription.

If you’re worried about malware campaigns like this, there are a few things you can do to stay safe. Firstly, as well as checking an ad’s displayed URL before you click, it’s now a good idea to check the URL of the page once it loads. Remember that only one character needs to be different, so make sure you do more than just give it a glance.

Another way to avoid malware spread by Google ads specifically is to stop clicking on Google ads. If you search for a specific site, the normal version will always be included in the results below, so just skip the ad completely and avoid trouble that way. Otherwise, if you see an ad you’re interested in, search the name of the company or product it’s advertising rather than clicking on the ad directly.

Lastly, if this is just one of many Google-based annoyances for you, you can always consider kicking Google to the curb. Search engines focusing on improved privacy such as DuckDuckGo or Qwant in Europe are viable alternatives if you’re interested in trying something new.

Willow Roberts
Willow Roberts has been a Computing Writer at Digital Trends for a year and has been writing for about a decade. She has a…
Check your inbox — Google may have invited you to use Bard, its ChatGPT rival
ChatGPT versus Google on smartphones.

AI chatbots have been the subject of much public fascination as of late, with the likes of ChatGPT continuously making headlines. But now, Google is finally getting in on the trend by soft-launching Bard for select Pixel users.

Bard is Google's AI chatbot that was previously unavailable to the public, but according to a report from 9to5Google, the company is inviting some of its most loyal and dedicated customers to give it a try.

Read more
Half of Google Chrome extensions may be collecting your personal data
Google Chrome icon in mac dock.

Data risk management company Incogni has found that half of every installed Google Chrome extension has a high to very high risk of collecting personal data, showing a strong correlation to the number of permissions given.

After analyzing 1,237 Chrome extensions found in the Chrome Web Store, a study by Incogni has uncovered some troubling findings. Nearly half (48.7%) of the extensions were found to potentially expose users' personally identifiable information (PII), distribute malware and adware, and record passwords and financial information.

Read more
Google’s new privacy tool lets you know if your personal info was leaked
A Google presenter announcing alerts for personal info.

Google has just announced the expansion of its upcoming privacy tool. Made to protect your personally identifiable information (PII) from being too easy to find, the "Results About You" tool was first announced in May 2022. It will soon begin rolling out to a wider audience, and once it's out, you'll be able to easily request the removal of your personal data.

Now, at Search On 22, Google shared that it will be expanding this tool with an additional useful feature -- the ability to set up alerts if, and when, your PII appears on the web.

Read more