Key points
- Google is running an A/B test that changes how ad titles and URLs are displayed in search results.
- The new layout combines the ad title and visible URL into one-line snippets intended to increase user trust.
- Compromised advertiser accounts are being abused by threat actors to insert malicious ads that mimic official brands.
- Clicking the malicious ad leads to a decoy site resembling Clockify that offers a download of ClockifySetup.exe hosted on GitHub.
- The malicious installer file was submitted to VirusTotal; investigators traced its hosting to a GitHub account used in prior malvertising campaigns.
- Proposed mitigations include verified logos/checkmarks for genuine businesses, assigning official logos/URLs only to verified owners, or flagging non-verified trademark usage.
MITRE Techniques
- [T1566] Phishing – Threat actors used misleading ads to lure users into clicking malicious links (‘Threat actors may use misleading ads to lure users into clicking on malicious links.’)
- [T1203] Exploitation for Client Execution (listed as Malware) – Clicking the decoy site led to a malicious installer download (ClockifySetup.exe) (‘Users may inadvertently download malicious software (e.g., ClockifySetup.exe) from compromised ads.’)
- [T1003] Credential Dumping – Compromised advertiser accounts were used in malvertising campaigns, facilitating further account abuse (‘Compromised accounts may be used to run malvertising campaigns, leading to credential theft.’)
Indicators of Compromise
- [File name] Malicious installer offered by the decoy site – ClockifySetup.exe (downloaded from the decoy page)
- [File hash] Malware sample hash submitted to VirusTotal – 6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601
- [Domain/URL] Brand and hosting domains observed – https://www.clockify.me (official-looking ad URL), github.com (hosting the malicious installer)
Google’s A/B test alters the ad snippet by merging the ad title and visible URL into a single, greyed line to make it easier to compare results against official brand sites. In testing this change, investigators used the ad’s context menu (three dots) to open “My Ad Center” and identify the advertiser account; that account was legitimate but apparently compromised, allowing threat actors to inject malicious ad creatives.
Following the ad click flow, the ad redirected to a decoy site crafted to mimic the Clockify interface. Interacting with the page’s tracking button triggered a download of ClockifySetup.exe, which analysis and a VirusTotal submission linked back to files hosted on a GitHub account previously tied to malvertising activity. The sample’s file hash was recorded for further triage and detection tuning.
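To turn the recorded hash and the off-brand hosting pattern into a detection, here is an added example (not from the original write-up) that scans constructed proxy download log lines. It assumes a log format of `<timestamp> <client> GET <url> <status> sha256=<digest>` and a hand-built map of which hosts genuinely serve each branded installer; the GitHub account path and the zero-filled hashes are placeholders.

```python
import re
from urllib.parse import urlparse

# Indicators from the write-up: the sample's SHA-256 and the installer file name.
KNOWN_BAD_SHA256 = {"6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601"}
# Brand installer name -> hosts the genuine vendor serves it from.
# Assumed mapping, constructed for this example; extend it per brand you care about.
BRAND_INSTALLER_HOSTS = {"clockifysetup.exe": {"clockify.me", "www.clockify.me"}}

# Assumed proxy log shape: "<ts> <client-ip> GET <url> <status> sha256=<hex digest or ->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) GET (?P<url>\S+) (?P<status>\d{3}) sha256=(?P<sha>[0-9a-f]+|-)$"
)

def classify(url, sha):
    """Reasons a download looks like this campaign; an empty list means clean."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if sha in KNOWN_BAD_SHA256:
        reasons.append("known-bad-hash")
    # A branded installer served from a host the brand does not own is the
    # off-domain hosting pattern (GitHub in this campaign), whatever the hash.
    expected = BRAND_INSTALLER_HOSTS.get(filename)
    if expected and host not in expected:
        reasons.append("brand-installer-off-domain:" + host)
    return reasons

def scan(log_text):
    """Map each suspicious URL to its reasons; unparsable lines are skipped."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["url"], m["sha"])
        if reasons:
            hits[m["url"]] = reasons
    return hits

# Constructed sample log: EXAMPLE-ACCOUNT and the zero-filled hashes are placeholders.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET https://www.clockify.me/downloads/ClockifySetup.exe 200 sha256=0000000000000000000000000000000000000000000000000000000000000001
2024-01-01T10:05:00Z 10.0.0.9 GET https://github.com/EXAMPLE-ACCOUNT/releases/download/ClockifySetup.exe 200 sha256=6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601
2024-01-01T10:06:00Z 10.0.0.9 GET https://github.com/EXAMPLE-ACCOUNT/README.md 200 sha256=-
2024-01-01T10:07:00Z 10.0.0.12 GET https://cdn.example.net/ClockifySetup.exe 200 sha256=0000000000000000000000000000000000000000000000000000000000000002
"""
```

The vendor-hosted download is left alone, the GitHub download trips both rules, and the unrelated CDN copy trips only the off-domain rule, which is the signal that survives once the attacker rebuilds the installer with a fresh hash.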
Mitigation options discussed include implementing stronger verification for ad assets: assigning official logos and URLs only to verified brand owners, marking ads from verified businesses with clear confidence indicators, and flagging or downgrading ads that use trademarks without proven ownership. These steps aim to reduce the effectiveness of domain/logo spoofing and give users immediate visual cues when an ad may not be genuine.