Do you remember the last time you wanted to download a program? You probably did a Google search for it and clicked on the top link you saw. In recent months, this behaviour has become riskier due to an increase in malicious ads from threat actors previously engaged in malspam campaigns.
Criminals are purchasing ad space and tricking users with realistic-looking sites for some of the most popular software programs. The downloaded files are usually distributed in formats that evade detection by many antivirus programs, or that cannot be uploaded to services like VirusTotal because of their excessive size. While you may install the piece of software you were looking for, you have also infected your machine with malware.
In this talk, we review some of the malvertising techniques used by criminals to deceive Google and sandboxes using tricks such as cloaking. We also present some stats based on over 500 reported incidents to identify the most targeted brands and malware families. Finally, we share the results of community-based tracking and reporting and where threat actors might go next.