Malicious Google Ads campaign targeting SaaS software downloads

Threat actors are leveraging fake Google Ads linked to deceptive websites that mimic legitimate download pages.

A new malvertising campaign has been detected in which cybercriminals distribute malware through fake ads targeting popular SaaS software. These ads, disguised as legitimate software downloads, target well-known tools like Slack, Notion, Calendly, Odoo, and Basecamp. In the past, we have seen threat actors use this same technique to steal cloud credentials via phishing, in particular targeting Amazon AWS.


In this campaign, threat actors are leveraging fake Google Ads linked to deceptive websites that mimic legitimate download pages. Once users are redirected to these fake sites, they are tricked into downloading malware, which masquerades as genuine software installers. For Mac users, the malware is an information-stealing tool from the AMOS (Atomic Stealer) family, designed to collect sensitive data like passwords, browser data, and app secrets, which are then uploaded to a remote server.


What can I do?

If you rely on SaaS tools such as Slack or Notion, it’s important to stay vigilant. Here are some actions you can take to protect yourself:

  1. Only download software from official sources: Always visit the official website of a SaaS provider to download software. Avoid clicking on ads or links from third-party sites, even if they appear at the top of search results.
  2. Double-check URLs: Before downloading any software, verify that the web address matches the official provider’s domain. Malicious sites often use URLs that look similar but contain subtle differences.
  3. Use endpoint security software: Employ a trusted antivirus or endpoint security tool to scan your system regularly and block potential threats, especially after visiting suspicious sites.
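
The URL check from step 2 can be automated, for example in a helpdesk tool or a proxy rule. The sketch below is an added example, not code from the original article: the allowlist of vendor domains is an assumption to verify against each vendor's own documentation, and the sample URLs in the comments are constructed on the reserved `.example` domain.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the tools named in the article; confirm each entry
# with the vendor before relying on it.
OFFICIAL_DOMAINS = ("slack.com", "notion.so", "calendly.com", "odoo.com", "basecamp.com")


def classify_download_url(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, reason); verdict is 'official' or 'suspicious'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "suspicious", "URL cannot be parsed"
    if parts.scheme != "https":
        return "suspicious", "not served over https"
    # https://slack.com@downloads.example/ really points at downloads.example
    if parts.username is not None or parts.password is not None:
        return "suspicious", "text before '@' is not the host"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return "suspicious", "no hostname"
    # Punycode or non-ASCII labels can imitate Latin letters
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious", "internationalized hostname"
    # Match on a label boundary: the host must BE the vendor domain or end
    # with '.<domain>'; a plain substring match would accept look-alikes.
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return "official", "host is under " + domain
    # Brand name present but host is outside the vendor's domain,
    # e.g. slack.com.downloads.example or calendly-app.example
    for domain in official:
        brand = domain.split(".")[0]
        if brand in host:
            return "suspicious", "mentions '" + brand + "' but is not under " + domain
    return "suspicious", "host is not on the allowlist"


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the campaign
    for sample in ("https://slack.com/downloads",
                   "https://slack.com.downloads.example/mac",
                   "https://slack.com@downloads.example/mac",
                   "https://calendly-app.example/setup"):
        print(sample, "->", classify_download_url(sample))
```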


While efforts to ban malicious ads are ongoing, new ones continue to appear, making it crucial to be cautious when downloading software. Stick to official download sources, verify website addresses, and ensure your system is protected against potential threats.
