Wednesday, January 22, 2025

Fake Google ads trick Mac users into installing Homebrew malware


Fake Homebrew Google ads target Mac users



Leveraging an attack vector that has been in play on and off for the last 20 years, hackers are targeting Mac users with malware camouflaged as the popular Homebrew tool, and spreading it through deceptive Google ads.

Malicious actors are leveraging Google ads to distribute malware through a counterfeit Homebrew website. The campaign targets macOS and Linux users with an infostealer that compromises credentials, browser data, and cryptocurrency wallets.

Homebrew, a widely used open-source package manager, lets users manage software through the command line. Hackers recently exploited its popularity by creating a malicious Google ad.

The ad, spotted by developer Ryan Chenkie, appeared legitimate, displaying the correct URL for the Homebrew website, “brew.sh.” However, users who clicked it were redirected to a fake site hosted at “brewe.sh.”

The fake site mimicked Homebrew’s installation process, tricking visitors into running a malicious command. While the legitimate Homebrew site also provides such installation commands, running the script from the fake site downloaded and executed malware, specifically AmosStealer.

AmosStealer, also known as “Atomic Stealer,” is a macOS-focused infostealer sold to cybercriminals for $1,000 per 30 days. It targets over 50 cryptocurrency wallets, browser-stored data, and desktop apps.

Previously, this malware has been used in similar campaigns, including fake Google Meet pages, making it a go-to tool for Apple-focused cyberattacks.

Website screenshot featuring Homebrew logo, installation instructions, and a code snippet for macOS or Linux users.
Malicious Google Search result. Image credit: @ryanchenkie

Homebrew’s project leader, Mike McQuaid, expressed frustration with Google’s inability to prevent such scams. While the malicious ad was taken down, McQuaid highlighted that similar incidents continue to occur because of insufficient oversight of sponsored ads.

Cybersecurity experts recommend avoiding sponsored links when searching for popular tools. Bookmarking official websites or accessing them directly can help users minimize risk.

Google’s struggle with hackers

Keeping malicious ads in check is a tough battle. Cybercriminals are constantly finding clever ways to outsmart detection, like tweaking URLs or altering ad content after approval to slip through the cracks.

With billions of ads to process every day, Google leans heavily on automation, but that alone isn't enough. The sheer scale of its operations and the lack of significant human oversight mean some malicious campaigns inevitably get through.

For example, in April 2023, the same AmosStealer malware was first detected and was being sold through Telegram, a messaging app. In September of that year the hackers turned to malicious Google ads.

And in August 2024 attackers created fake versions of popular applications, including Loom, to trick users into downloading malware through deceptive Google-sponsored URLs.

Even with tools to identify and remove bad ads, scammers’ evolving tactics and the complexity of enforcing rules worldwide leave Google struggling to stay ahead.

Avoiding malicious Google ads

To stay safe from these types of attacks, be sure to double-check website URLs before clicking, stick to bookmarks for trusted sites, and avoid installing software from unfamiliar or sponsored links.

Google has taken down this one particular malicious ad. As history has proven, the danger from bad ads isn't gone, so Mac users, especially those using Homebrew, need to stay alert.


