


Search Engine Optimization (SEO) is a technique that websites use to increase their visibility for search engines like Google. Cyber criminals occasionally use SEO to direct search traffic to malicious advertisement links. These ads redirect users to fake software sites based on specific search terms. I've heard this technique referred to as "SEO poisoning."

Shown above: Search results when I did a quick Google search for AnyDesk.

The above image shows the top search results after I typed anydesk into Google search. The top result is a Google ad for AnyDesk, which shows a legitimate URL for the official AnyDesk site. Although the Google ad showed a legitimate AnyDesk URL, it led to a fake site after I clicked the ad. Today's diary reviews my IcedID infection from this fake AnyDesk site.

I clicked on the ad, and it generated the following Google Ad Services URL:

hxxps://

That generated the following URL:

hxxps://clickserve.dartsearch[.]net/link/click?&ds_dest_url=

This led to a URL from a malicious traffic distribution system (TDS) domain, oferialerkal[.]online. These malicious TDS domains frequently change multiple times each day. The above URL generated HTTPS traffic to oferialerkal[.]online, which then led to the following fake AnyDesk URL:

hxxps://www.anydesk[.]top/en/downloads/windows

This is a fake AnyDesk page, with a button to download a malicious zip archive hosted on a Google Firebase Storage URL at:

hxxps://firebasestorage.googleapis[.]com/v0/b//o/wnitFn4RCG%2FSetup_Win_14-12-2022_18-36-29.zip?alt=media&token=3ef517f1-eb72-46bc-ac4b-3fb41f92d373

As I wrote this diary, the above URL still worked, and it delivered the malicious zip archive.

Shown above: Fake AnyDesk site delivering the malicious zip archive.

The zip archive contained a Microsoft Installer (.msi) file.
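As an added example that is not part of the diary, the Python below walks constructed proxy log lines modelled on the redirect chain above and flags the three hand-offs a defender would want to alert on: the DoubleClick click-tracker's ds_dest_url, the brand-lookalike domain, and an archive download from cloud storage. The log lines, the Firebase bucket name and the token value are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed proxy log ("timestamp client method url"); defanged hxxps restored.
SAMPLE_LOG = """\
2022-12-14T18:36:01Z 10.0.0.5 GET https://www.googleadservices.com/pagead/aclk?sa=L&ai=PLACEHOLDER
2022-12-14T18:36:02Z 10.0.0.5 GET https://clickserve.dartsearch.net/link/click?&ds_dest_url=https%3A%2F%2Foferialerkal.online%2Fgo
2022-12-14T18:36:03Z 10.0.0.5 GET https://oferialerkal.online/go
2022-12-14T18:36:05Z 10.0.0.5 GET https://www.anydesk.top/en/downloads/windows
2022-12-14T18:36:29Z 10.0.0.5 GET https://firebasestorage.googleapis.com/v0/b/PLACEHOLDER-BUCKET/o/wnitFn4RCG%2FSetup_Win_14-12-2022_18-36-29.zip?alt=media&token=PLACEHOLDER
"""

LEGIT_VENDOR_DOMAINS = {"anydesk.com"}     # what the ad claimed to link to
BRAND_KEYWORDS = ("anydesk",)              # brand names to watch for in other domains
CLOUD_HOSTING = {"firebasestorage.googleapis.com"}
ARCHIVE_EXT = (".zip", ".msi", ".iso", ".rar", ".7z")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    # Crude: last two labels. Adequate for .com/.top/.online as used here.
    return ".".join(host.split(".")[-2:])


def brand_lookalike(host):
    """True when a non-vendor domain carries the vendor's brand name."""
    reg = registrable(host)
    return reg not in LEGIT_VENDOR_DOMAINS and any(k in reg for k in BRAND_KEYWORDS)


def dartsearch_destination(url):
    """Return where the click-tracker hands the browser off to (ds_dest_url), if any."""
    parts = urlsplit(url)
    if parts.hostname == "clickserve.dartsearch.net":
        dest = parse_qs(parts.query).get("ds_dest_url")  # parse_qs already decodes %xx
        return dest[0] if dest else None
    return None


def analyze_chain(log_text):
    """Walk requests in order; return (finding, host, detail) tuples."""
    findings = []
    for line in log_text.splitlines():
        _ts, _client, _method, url = line.split(maxsplit=3)
        host = host_of(url)
        dest = dartsearch_destination(url)
        if dest:
            findings.append(("ad-clickthrough", host, host_of(dest)))
        if brand_lookalike(host):
            findings.append(("brand-lookalike", host, registrable(host)))
        fname = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
        if host in CLOUD_HOSTING and fname.lower().endswith(ARCHIVE_EXT):
            findings.append(("archive-from-cloud-storage", host, fname))
    return findings


if __name__ == "__main__":
    for finding in analyze_chain(SAMPLE_LOG):
        print(*finding)
```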
