Google-hosted malvertising leads to fake Keepass site that looks genuine – Ars Technica

wp header logo 3923

Front page layout
Site theme

Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.
Looking at the ad, which masquerades as a pitch for the open source password manager Keepass, there’s no way to know that it’s fake. It’s on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which, when viewed in an address bar, appears to be the genuine Keepass site.
A closer look at the link, however, shows that the site is not the genuine one. In fact, ķeepass[.]info—at least when it appears in the address bar—is just an encoded way of denoting xn--eepass-vbb[.]info, which, it turns out, is pushing a malware family tracked as FakeBat. Combining the ad on Google with a website with an almost identical URL creates a near-perfect storm of deception.
“Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes, wrote in a post on Wednesday that revealed the scam.
Information from Google’s Ad Transparency Center shows that the ads have been running since Saturday and last appeared on Wednesday. The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google.
In an email sent after this post went live, a Google representative said the company removed the ad in keeping with its terms of service.
The sleight of hand that allowed the imposter site xn--eepass-vbb[.]info to appear as ķeepass[.]info is an encoding scheme known as punycode. It allows unicode characters to be represented in standard ASCII text. Looking carefully, it’s easy to spot the small comma-like figure immediately below the k. When it appears in an address bar, the figure is equally easy to miss, especially when the URL is backed by a valid TLS certificate, as is the case here.

There’s no surefire way to detect either malicious Google ads or punycode-encoded URLs. Posting ķeepass[.]info into all five major browsers leads to the imposter site. When in doubt, people can open a new browser tab and manually type the URL, but that’s not always feasible when they’re long. Another option is to inspect the TLS certificate to ensure it belongs to the site displayed in the address bar.
Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox.
CNMN Collection
WIRED Media Group
© 2023 Condé Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated 1/1/20) and Privacy Policy and Cookie Statement (updated 1/1/20) and Ars Technica Addendum (effective 8/21/2018). Ars may earn compensation on sales from links on this site. Read our affiliate link policy.
Your California Privacy Rights | privacyoptions123x59 c5c9972158 Do Not Sell My Personal Information

The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast.
Ad Choices


About the author

Manoj Nair

Manoj Nair

Manoj has an MBA in Information Systems and has worked in the tech industry for over a decade. He specializes in enterprise technology, focusing on innovations like blockchain, cloud computing, and data analytics that are changing the business landscape.