Criminals ran a malvertising campaign that impersonated Google's own product line: sponsored search ads, targeted with dynamic keyword insertion, sent users to a Looker Studio report that rendered a fake Google homepage, which in turn redirected through rotating malicious URLs to tech support scam pages. Every stage was hosted on legitimate cloud services. Malwarebytes Browser Guard blocked the scam destinations for its users.
Keypoints
- Criminals impersonated Google products in paid search ads to lure users into tech support scams.
- Used Looker Studio to create a fake Google homepage.
- Rotated the malicious destination URLs behind the fake homepage to evade URL-based blocking.
- Victims were redirected to tech support scam pages.
- Malwarebytes Browser Guard protected users from the attack.
- Dynamic keyword insertion was used to target Google-related searches.
- All resources used in the attack were hosted on legitimate cloud platforms (Google Looker Studio and Azure static website hosting), so the lure lived on trusted domains.
MITRE Techniques
- [T1583.008] Acquire Infrastructure: Malvertising – Scammers bought Google search ads impersonating Google to lure victims into clicking malicious links.
- [T1585] Establish Accounts / [T1586] Compromise Accounts – Used free or stolen Google accounts to run the ads and host the Looker Studio reports.
- [T1583.006] Acquire Infrastructure: Web Services – Abused Looker Studio, a legitimate Google service, to display a fake Google homepage; no vulnerability in the service was exploited.
- [T1204.001] User Execution: Malicious Link – Embedded malicious links in the fake Google homepage image.
- [T1656] Impersonation – Redirected victims to tech support scam pages that used fake security alerts to pose as a trusted vendor.
Indicators of Compromise
- Google Ads advertiser IDs and names – 08141293921851408385, Dhruv, 06037672575822200833
- Looker Studio report URLs – https://lookerstudio.google.com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/, https://lookerstudio.google.com/embed/reporting/42b6f86d-2a06-4b38-9f94-808a75572bb8/, https://lookerstudio.google.com/embed/reporting/fbd88a24-af73-4c76-94dc-5c55345e291d/
- Scam hosting domain – web.core.windows.net (the Azure Storage static website endpoint suffix; it is shared by many legitimate tenants, so block or alert on the specific subdomains observed in the redirect chain rather than on the suffix alone)
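As an added example that is not part of the original write-up, the following Python script hunts for the chain these indicators describe in a web proxy log: a Looker Studio embed load followed shortly by a request to an Azure static website host. The space-separated log format, the 120-second correlation window and the sample log lines are constructed assumptions; the Looker Studio report IDs are the ones listed above. Because the shared `web.core.windows.net` suffix is noisy on its own, a bare hit on it is deliberately not alerted.

```python
"""Hunt for the Looker Studio -> Azure static-site redirect chain in proxy logs.

Added example, not code from the original article. The log format is a
constructed, space-separated one (an assumption for this example):
    <iso_timestamp> <client_ip> <method> <url> <referer-or-dash>
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Looker Studio report IDs taken from the IOC list (path segment after /embed/reporting/).
KNOWN_BAD_REPORTS = {
    "fa7aca93-cabd-47bf-bae3-cb5e299c8884",
    "42b6f86d-2a06-4b38-9f94-808a75572bb8",
    "fbd88a24-af73-4c76-94dc-5c55345e291d",
}
LOOKER_HOST = "lookerstudio.google.com"
# Azure Storage static website suffix. Shared by many legitimate tenants, so a hit on it
# is only meaningful in context: here, shortly after a Looker Studio embed load.
AZURE_STATIC_SUFFIX = ".web.core.windows.net"
CHAIN_WINDOW = timedelta(seconds=120)  # assumption: tune for your environment

REPORT_RE = re.compile(r"^/embed/reporting/([0-9a-f-]{36})/?")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, referer = parts
    parsed = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "url": url,
        "host": (parsed.hostname or "").lower(),
        "path": parsed.path,
        "referer": None if referer == "-" else referer,
    }


def hunt(lines):
    """Return alerts as (client, severity, reason, url) tuples, in log order."""
    alerts = []
    last_looker = {}  # client -> (timestamp, report_id) of the most recent embed load
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the hunt
        if ev["host"] == LOOKER_HOST:
            m = REPORT_RE.match(ev["path"])
            if m:
                report = m.group(1)
                last_looker[ev["client"]] = (ev["ts"], report)
                if report in KNOWN_BAD_REPORTS:
                    alerts.append((ev["client"], "high",
                                   "known malicious Looker Studio report", ev["url"]))
            continue
        if ev["host"].endswith(AZURE_STATIC_SUFFIX):
            ref_host = (urlparse(ev["referer"]).hostname or "").lower() if ev["referer"] else ""
            prior = last_looker.get(ev["client"])
            recent = prior is not None and ev["ts"] - prior[0] <= CHAIN_WINDOW
            # Referers are often stripped on cross-site redirects, so fall back to
            # time-window correlation per client.
            if ref_host == LOOKER_HOST or recent:
                sev = "high" if (prior and prior[1] in KNOWN_BAD_REPORTS) else "medium"
                alerts.append((ev["client"], sev,
                               "Azure static site reached from Looker Studio embed", ev["url"]))
    return alerts


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2024-10-01T12:00:00Z 10.0.0.5 GET https://lookerstudio.google.com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/ https://www.google.com/",
    "2024-10-01T12:00:03Z 10.0.0.5 GET https://example-tenant.z13.web.core.windows.net/alert.html -",
    "2024-10-01T12:05:00Z 10.0.0.9 GET https://lookerstudio.google.com/embed/reporting/11111111-2222-3333-4444-555555555555/ -",
    "2024-10-01T12:20:00Z 10.0.0.9 GET https://other-tenant.z22.web.core.windows.net/index.html -",
    "2024-10-01T12:30:00Z 10.0.0.7 GET https://legit-docs.z5.web.core.windows.net/ -",
    "malformed line",
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(*alert)
```

On the sample, only client 10.0.0.5 produces alerts: the known report ID itself, then the Azure static site reached three seconds later. Client 10.0.0.9 loaded an unlisted report and hit Azure fifteen minutes later with no referer, which falls outside the window, and client 10.0.0.7's bare Azure hit is ignored as ordinary traffic. Extend KNOWN_BAD_REPORTS as new report IDs are published, and keep the suffix match, since the scam pages rotate across tenant subdomains.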