{"id":8531,"date":"2024-08-06T09:02:57","date_gmt":"2024-08-06T09:02:57","guid":{"rendered":"\/cybersecurity-blog\/?p=8531"},"modified":"2025-01-31T06:32:55","modified_gmt":"2025-01-31T06:32:55","slug":"fake-google-authenticator-campaign","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/","title":{"rendered":"Fake Google Authenticator Website Installs Malware via Google Ads"},"content":{"rendered":"\n<p>We&#8217;ve uncovered a new campaign delivering DeerStealer malware by exploiting Google&#8217;s own advertising platform and other legitimate services.&nbsp;<\/p>\n\n\n\n<p>Read <a href=\"https:\/\/any.run\/cybersecurity-blog\/deerstealer-campaign-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">in-depth analysis of DeerStealer<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What&#8217;s happening?&nbsp;<\/h2>\n\n\n\n<p>SEO poisoning has long been a favored technique among cybercriminals, leveraging search engine optimization to rank up fake Google search results and promote malicious content. Recently, this tactic with fake Google results in search has evolved to include fake Google ads, further expanding the reach of these campaigns.<\/p>\n\n\n\n<p>Adversaries are impersonating Google Authenticator in Google Ads to deliver the DeerStealer information-stealing malware.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nEasily analyze malware in <span class=\"highlight\">ANY.RUN sandbox<\/span>&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=fake_google_authenticator&#038;utm_term=060824&#038;utm_content=linktoregistration#register\/\" rel=\"noopener\" target=\"_blank\">\nGet started free\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>The campaign uses sophisticated techniques to evade detection, allowing it to target users searching for legitimate software. Hackers are likely using a centralized command and control (C2) structure to manage this operation.&nbsp;<\/p>\n\n\n\n<p>The following table shows the key components of this campaign:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-132\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"132\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-align-center\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Component\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-center\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Details\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Target\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Google Authenticator users\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Platform Exploited\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Google Ads\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Malware\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        DeerStealer\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Affected Systems\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-132'>\ntable#wpdtSimpleTable-132{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-132 td, table.wpdtSimpleTable132 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>DeerStealer is a modern information stealer capable of extracting credentials, cookies, and other sensitive data from web browsers.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Breaking down the attack chain&nbsp;<\/h2>\n\n\n\n<p>The attack begins with malvertising on Google search results, driving victims to fake ads that display legitimate Google domains to increase credibility. When users click these ads, they&#8217;re led through a series of redirections, ultimately landing on a malicious fake Google website like &#8220;chromeweb-authenticators.com&#8221;. \u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-1024x587.png\" alt=\"\" class=\"wp-image-8532\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-1536x881.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-2048x1175.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Fake Google Authenticator page analyzed in ANY.RUN sandbox<\/figcaption><\/figure><\/div>\n\n\n<p>The fake Google page prompted users to download a file named &#8220;Authenticator.exe,&#8221; hosted on a GitHub repository named &#8216;authgg&#8217; by &#8216;authe-gogle.&#8217; This file contained the DeerStealer information-stealing malware.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-1024x586.png\" alt=\"\" class=\"wp-image-8533\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-1536x879.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-2048x1171.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-2-740x423.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Malicious executable analyzed in ANY.RUN <\/figcaption><\/figure><\/div>\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nStreamline malware analysis with <span class=\"highlight\">ANY.RUN sandbox<\/span>&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=fake_google_authenticator&#038;utm_term=060824&#038;utm_content=linktoregistration#register\/\" rel=\"noopener\" target=\"_blank\">\nRegister free\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>The executable was signed by companies such as Reedcode Ltd., making it appear legitimate and capable of bypassing security systems.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Google responded&nbsp;<\/h2>\n\n\n\n<p>Google, upon being alerted by Malwarebytes, blocked the fake advertiser. The company is working to improve its detection systems by scaling up automated tools and human reviewers to better identify and remove such malicious campaigns. In 2023, these efforts led to the removal of 3.4 billion ads, the restriction of 5.7 billion ads, and the suspension of 5.6 million advertiser accounts.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to protect yourself&nbsp;<\/h2>\n\n\n\n<p>Here are a few things you can do to protect against DeerStealer \u2014 and other malware:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid clicking promoted results in Google Search&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use an ad blocker&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bookmark official software project URLs&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Verify download URLs match official domains&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scan downloads with updated antivirus before executing&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=fake_google_authenticator&amp;utm_term=060824&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Interact with samples in real time.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Save time and money on sandbox setup and maintenance&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Record and study all aspects of malware behavior.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collaborate with your team&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scale as you need.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=fake_google_authenticator&amp;utm_term=060824&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request 14-day free trial for your entire team \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ve uncovered a new campaign delivering DeerStealer malware by exploiting Google&#8217;s own advertising platform and other legitimate services.&nbsp; Read in-depth analysis of DeerStealer.&nbsp; What&#8217;s happening?&nbsp; SEO poisoning has long been a favored technique among cybercriminals, leveraging search engine optimization to rank up fake Google search results and promote malicious content. Recently, this tactic with fake [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":8535,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[57,10,15,34],"class_list":["post-8531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Fake Google Authenticator Website Installs Malware<\/title>\n<meta name=\"description\" content=\"See how adversaries are impersonating Google Authenticator in Google Ads to deliver the DeerStealer information-stealing malware.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Stas Gaivoronskii and Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/\"},\"author\":{\"name\":\"Stas Gaivoronskii and Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Fake Google Authenticator Website Installs Malware via Google Ads\",\"datePublished\":\"2024-08-06T09:02:57+00:00\",\"dateModified\":\"2025-01-31T06:32:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/\"},\"wordCount\":536,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/\",\"name\":\"Fake Google Authenticator Website Installs Malware\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-08-06T09:02:57+00:00\",\"dateModified\":\"2025-01-31T06:32:55+00:00\",\"description\":\"See how adversaries are impersonating Google Authenticator in Google Ads to deliver the DeerStealer information-stealing malware.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Fake Google Authenticator Website Installs Malware via Google Ads\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Stas Gaivoronskii\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png\",\"caption\":\"Stas Gaivoronskii\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1-150x150.webp\",\"caption\":\"Jack Zalesskiy\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fake Google Authenticator Website Installs Malware","description":"See how adversaries are impersonating Google Authenticator in Google Ads to deliver the DeerStealer information-stealing malware.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/","twitter_misc":{"Written by":"Stas Gaivoronskii and Jack Zalesskiy","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/"},"author":{"name":"Stas Gaivoronskii and Jack Zalesskiy","@id":"https:\/\/any.run\/"},"headline":"Fake Google Authenticator Website Installs Malware via Google Ads","datePublished":"2024-08-06T09:02:57+00:00","dateModified":"2025-01-31T06:32:55+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/"},"wordCount":536,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/","url":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/","name":"Fake Google Authenticator Website Installs Malware","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-08-06T09:02:57+00:00","dateModified":"2025-01-31T06:32:55+00:00","description":"See how adversaries are impersonating Google Authenticator in Google Ads to deliver the DeerStealer information-stealing malware.\u00a0","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/fake-google-authenticator-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"Fake Google Authenticator Website Installs Malware via Google Ads"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},[{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Stas Gaivoronskii","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png","caption":"Stas Gaivoronskii"}},{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Jack Zalesskiy","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1-150x150.webp","caption":"Jack Zalesskiy"}}]]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8531"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=8531"}],"version-history":[{"count":11,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8531\/revisions"}],"predecessor-version":[{"id":11380,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8531\/revisions\/11380"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/8535"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=8531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=8531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=8531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}