While it is barely noticeable, there is a small character under the ‘k’. The deception is complete for users who may want to verify that they are on the right website.įigure 3: The fake KeePass site with a barely noticeable different font Looking at the network traffic log above, we can see that the destination site uses Punycode, a special encoding to convert Unicode characters to ASCII. The threat actors have set up a temporary domain at keepasstackingsite that performs the conditional redirect to the final destination:įigure 2: Network traffic showing the sequence of redirects upon clicking the ad ķ People who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots and anyone not deemed to be a genuine victim. The ad is extremely deceiving as it features the official Keepass logo, URL and is featured before the organic search result for the legitimate website.īy simply looking at the ad, you would have no idea that it is malicious.įigure 1: Malicious ad for KeePass followed by legitimate organic search result The malicious advert shows up when you perform a Google search for ‘keepass’, the popular open-source password manager. We have reported this incident to Google but would like to warn users that the ad is still currently running. The difference between the two sites is visually so subtle it will undoubtably fool many people. The malicious actors registered a copycat internationalized domain name that uses Punycode, a special character encoding, to masquerade as the real KeePass site. We previously reported on how brand impersonations are a common occurrence these days due to a feature known as tracking templates, but this attack used an additional layer of deception. In a recent malvertising campaign, we observed a malicious Google ad for KeePass, the open-source password manager which was extremely deceiving. Threat actors are known for impersonating popular brands in order to trick users.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |