Using Google ads to push their malicious sites to the top of the results page is a trick cybercriminals use all too often. The latest example is a fake Homebrew website that uses an infostealer to swipe personal data, browser history, login information, and bank data from unsuspecting victims.
Spotted by Ryan Chenkie on X and reported by BleepingComputer, the malicious Google ad even displays the correct Homebrew URL “brew.sh,” so there’s no real way to spot the trick before clicking.
⚠️ Developers, please be careful when installing Homebrew.
Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site. pic.twitter.com/TTpWRfqGWo
— Ryan Chenkie (@ryanchenkie) January 18, 2025
For anyone who did click, the ad redirected them to a clone of the site hosted at “brewe.sh,” revealing the incorrect URL. According to a reply to the X post from Google’s Logan Kilpatrick, the ad has now been taken down — so no need to worry if you’re reading this. However, Chenkie and many of his commenters were surprised and confused by the ad’s ability to display the correct URL despite it not matching the link’s destination.
It seems this strategy is called “URL cloaking” and Google has told BleepingComputer that it happens because “threat actors are evading detection by creating thousands of accounts simultaneously and using text manipulation and cloaking to show reviewers and automated systems different websites that a regular visitor would see.”
Clearly, there’s a lot of work going in to trick Google into doing this, which means it could be a difficult problem for Google to fix. Right now, the company is “increasing the scale of its automated systems and human reviewers” to try and combat the problem, which certainly sounds expensive.
It’s possible that this URL cloaking technique makes it much easier for cybercriminals to target websites like Homebrew. As a software package management system for macOS and Linux, its audience is pretty much guaranteed to be more knowledgable than the average online shopper and likely wouldn’t fall for an ad that blatantly displayed an incorrect URL.
The infostealer used in this campaign was identified by security researcher JAMESWT as AmosStealer (also known as Atomic), and it’s specifically designed for macOS systems. Developed using Swift, the malware can run on both Intel and Apple Silicon devices and it’s sold to cybercriminals as a $1,000-per-month subscription.
If you’re worried about malware campaigns like this, there are a few things you can do to stay safe. Firstly, as well as checking an ad’s displayed URL before you click, it’s now a good idea to check the URL of the page once it loads. Remember that only one character needs to be different, so make sure you do more than just give it a glance.
Another way to avoid malware spread by Google ads specifically is to stop clicking on Google ads. If you search for a specific site, the normal version will always be included in the results below, so just skip the ad completely and avoid trouble that way. Otherwise, if you see an ad you’re interested in, search the name of the company or product it’s advertising rather than clicking on the ad directly.
Lastly, if this is just one of many Google-based annoyances for you, you can always consider kicking Google to the curb. Search engines focusing on improved privacy such as DuckDuckGo or Qwant in Europe are viable alternatives if you’re interested in trying something new.
