News & Stories

Why Google Search has become a tool for spreading malware

Ray Fernandez

Feb 6, 202411 min read

Why Google Search has become a tool for spreading malware: Header image

Tricking victims into downloading malware is a major component of a cybercriminal’s job. To do this, they employ a wide range of techniques that experts call vectors of attack. Popular vectors include buying passwords over the dark web, brute-forcing their way into accounts, exploiting zero-day vulnerabilities, and phishing. But lately, cybercriminals have been exploiting something most of us have come to think of as 100% safe: Google Search.

Moonlock spoke to experts to understand how cybercriminals are abusing Google Search with SEO poisoning and malvertising and increasingly targeting Mac users. From how bad actors operate to why Google can’t seem to curb the trend, let’s dive into the security threats in the most popular search engine. 

Google Search is becoming a criminal’s playground 

As Moonlock recently reported, malvertising and SEO poisoning rank in the top 10 macOS security trends for 2024.

While cybercriminals use malvertising and SEO poisoning in all search engines, as well as other platforms, most of the hardcore malicious activity can be found on Google. Why Google? The answer is simple. Everyone is on it. Google is by far the most popular search engine in the world. More than 90% of users turn to Google to find all kinds of information. 

Cybercriminals who aren’t interested in hacking a specific high-value individual want to reach as many potential victims as possible. The wider the net, the bigger the catch. That makes Google Search an ideal vector of attack. 

Moonlock Lab experts explained that the combination of large-scale automated systems, the wide use of the internet, and the constant evolution of attack techniques creates the ideal environment for threat actors to effectively abuse search engines and reach a broader audience of users. 

Hijacking Google’s trust 

Ritesh Raj, Chief Marketing Officer at Future Systems for Information Technology (FSIT) and COO & CPO of CuddlyNest, told Moonlock that SEO poisoning and malvertising exploit the trust that users have for Google Search. 

“Cybercriminals exploit this trust by running malicious ads that appear above organic search results, often preceding links to legitimate sources,” Raj said. “These ads can lead users to download booby-trapped copies of popular free software applications, making searching for software on Google a risky affair.”

Malvertising versus SEO poisoning

Malvertising and SEO poisoning share common ground. Both techniques unethically and illegally manipulate search engines with the goal of directing users to malicious websites or downloading malware inadvertently. Additionally, both of these techniques can be considered a form of social engineering. They are popular among criminals because they don’t require the hard work of researching potential victims. Nor does it consume the resources of engaging in more direct communication, such as phishing via email, phone calls, etc.

The big difference between the two is how they are deployed. While malvertising involves paying for ads on search engines to get exposure, SEO poisoning is more sophisticated. SEO poisoning doesn’t require upfront Google ads payments, but it does demand high-level skills and a deep understanding of how search engines work, as well as the ever-evolving Google search algorithms. 

Mastering Google Ads and search engine optimization is something that even the most professional marketing experts with years of experience struggle with. Despite this steep learning curve, cybercriminals have managed to become experts at it. 

A screenshot of the Google Search Central Blog.
A screenshot of the Google Search Blog. Google released official Google Search core algorithm updates, details on Google Search features, and SEO practices to the public. Google Search is a trademark of Google LLC.

“Cybercriminals are so good at what they do nowadays that it can be extremely hard to distinguish what’s a scam and what isn’t,” Lisa McStay, Chief Operating Officer at Continuity2, told Moonlock. “Pairing this with how Google’s search engine rewards pages that are receiving traffic/clicks, Google’s own system can inadvertently promote scams to users.”

McStay described the problem as “massive” and said Google “currently doesn’t have a fix.”

“Malvertising and SEO poisoning are incredibly difficult to police,” McStay added, “as are all crimes on the internet because of sheer scale.”

Moonlock Lab researchers added that the danger is the large number of ads that run on Google and the constant content and software updates. This makes it difficult for Google to manually review every ad and link for potential threats. 

SEO poisoning tactics in the wild

When it comes to SEO poisoning, the volume of web content data and the dynamic nature of SEO algorithms make it extremely hard for search engine companies to keep up with rapidly changing tactics. 

Crowdstrike lists 4 tactics cybercriminals use today in SEO poisoning campaigns:

  1. Keyword stuffing is cramming irrelevant keywords to mislead algorithms into giving the website a higher ranking.
  2. Cloaking refers to presenting different content to crawlers and users. This method influences search engine rankings by displaying favorable information to crawlers while showing irrelevant content to users.
  3. Manipulating search ranking artificially increases a website’s click-through rate. This technique utilizes bots or humans to search for keywords and generate fake clicks for a particular website.
  4. The use of private link networks creates a network of unrelated websites. These are linked to each other, aiming to imitate authentic link-building practices to boost search engine results artificially.

McStay said that cloaking is currently one of the most popular methods. “This method involves presenting content to search engine crawlers that is different from the actual content of the page users will see,” McStay said. McStay added that this allows malicious content to be camouflaged on Google.

McStay warned that criminals are also keeping up to date with Google search engine policies, guidelines, and engine algorithms that the company issues for legitimate businesses and marketing companies. “This same exploitation is used by criminals to prey on unsuspecting users,” McStay explained. 

Google Search threats for Mac users 

Malvertising and SEO poisoning have targeted Windows users for years. Recently, however, cybersecurity experts have noticed an alarming uptick in attacks that target Mac users specifically.

Atomic Stealer

Ritesh Raj told Moonlock that a notable example of a campaign targeting Mac systems through the use of malvertising is Atomic Stealer. “This campaign uses malicious ads and phishing sites to trick users into downloading what they believe is the app they want but is actually malware,” Raj said. “The payload is a new version of the Atomic Stealer for OSX, which focuses on stealing crypto assets and harvesting passwords from browsers and Apple’s keychain.”

Moonlock Lab researchers dived deep into the complexities of the Atomic Stealer (AMOS) campaign. In September 2023, researchers from Malwarebytes uncovered that the bad actors behind AMOS were targeting macOS users who searched for TradingView, a popular financial markets tracking platform. They did this by abusing Google Search ads.

“Threat actors used special font characters in the ad to make the fake domain (tradıņgsvıews[.]com) appear authentic and evade detection,” they explained. “Users clicking on the ad were redirected to a phishing page (trabingviews[.]com), where a seemingly authentic site prompted them to download the malicious file (TradingView.dmg).”

But even after the word was out that AMOS was illegally impersonating TradingView and the malicious sites got flagged, AMOS didn’t stop there. They doubled down on the fraud.  

In January 2024, Malwarebytes once again saw the Atomic Stealer back in business. This time, they impersonated none other than Slack. The goal was to lure victims to a decoy malicious Slack download app promoted as being available for Windows and Mac.

A screenshot of Atomic Stealer posing as a Slack download page.
Screenshot of the AMOS Atomic Stealer posing as a Slack download page.

Other Mac threats to consider: Crypto and phone scams 

Moonlock experts highlighted other threats that Mac users should be aware of, including:

  • Crypto-related scams: By leveraging malvertising and SEO poisoning tactics, threat actors could cause numerous crypto-related scam websites to appear at the top of Google Search results.
  • Telephone number scams: Scammers used a forum-style site to post messages intentionally picked up by Google. This led to the display of fraudulent search results. The fake post included a number that appeared on the top Google Search results. A Reddit member reported one such case a few days prior to this writing. According to the report, “Victims were directed to call fake airline numbers where scammers demanded credit card information under the guise of handling change fees.”

Cybergangs in the Google Search business 

Black hat hackers working for cyber gangs are actively seeking new ways to breach devices. They will continue to use Google Search because there is no bigger digital platform out there that gives them the scope and flexibility they need to constantly innovate. 

“The internet is dynamic, with new content being constantly created and existing content being updated,” researchers at Moonlock Lab explained. “Cybercriminals leverage this dynamic nature to launch short-lived yet impactful campaigns that can quickly adapt to changing circumstances and avoid detection.”

It’s difficult to rule out any cybercriminal organizations from abusing Google Search and Google Ads. But, according to Raj, some big names in the underground world are worth highlighting. 

“Several cyber gangs are known for their involvement in SEO poisoning and malvertising,” Raj told Moonlock. “These include the REvil ransomware gang and the SolarMarker backdoor group. Other actors include those behind the Gootloader and BATLoader campaigns.”

Why isn’t Google stopping cybercriminals?

Google is a leading technology company with dollar values in the trillions. It has nearly endless resources and global influence and hires top talent. As a brand, Google is always on the front line of cybersecurity innovation. Yet, when it comes to malvertising and SEO poisoning, cybercriminals are easily slipping through the cracks.

Naturally, the big question is, why isn’t Google shutting down cybercriminals that exploit their search engine, brand, policies, and technology?

“Despite Google’s extensive guidelines and precautions, the abuse of its tools persists due to the sophistication and adaptability of cybercriminals,” Raj said. “They constantly devise ingenious ways to evade Google’s anti-abuse radar. Moreover, the sheer scale of Google’s operations makes it challenging to detect and eliminate every instance of abuse.”

The experts at Moonlock agreed. And while they recognized that Google invests heavily in cybersecurity and employs a range of preventive measures, they warned that the ever-evolving nature of cyber threats means that no system is entirely immune. 

Too big to win?

That which makes Google Search so valuable is the same thing that makes it vulnerable: its volume and scale. 

“The huge volume of websites, ads, and user-generated content makes it challenging to review and monitor everything effectively,” said Moonlock Lab. “Moreover, Google operates in numerous countries and languages, each with its own set of challenges and regulations. Coordinating efforts to combat abuse on a global scale is complex.”

Additionally, criminals leverage the innovation that Google builds to outperform other search engine rivals. 

“Google relies heavily on automated systems and algorithms for tasks like indexing, ranking, and content moderation,” our experts explained. “While these systems are efficient, they may struggle to distinguish between malicious and legitimate content. Techniques like obfuscation, domain impersonation, and social engineering are constantly improved, making it difficult for automated systems to keep up.”

McStay believes that what is happening in Google is a reflection of the real world. “The main reason why Google can’t stop crime is the exact same reason why we still have crime all around the world: resource constraints,” McStay said. “Despite the massive amount of resources Google has, it just simply isn’t enough to prevent cyber crimes from happening.”

Cybercriminals aren’t just hacking the Google system to make it work in their favor. They are bringing their own new toys to the play. And AI and automation are rapidly becoming some of their favorites. 

According to experts at Moonlock Lab, AI helps cybercriminals increase the scale, efficiency, and evasiveness of their campaigns. They use AI for:

  • Keyword optimization: Tools automate the injection of excessive keywords into web content to manipulate search engine algorithms. This helps malicious sites appear more relevant and gain higher search rankings.
  • Content spinning: Such AI-driven tools can automatically generate multiple variations of the same content. Threat actors use this technique to create seemingly unique but malicious content that can bypass traditional detection methods. For instance, Malwarebytes wrote in their latest report that the content of the fake WinDirStat site looks like it was generated via ChatGPT or some other large language model (LLM).
  • Automated web crawlers: AI-driven crawlers scan websites, identifying vulnerabilities or opportunities for SEO manipulation. They inject malicious content or tweak existing pages.
  • Link farming: AI identifies authoritative websites and creates a network of backlinks to the malicious site. This improves the site’s search engine ranking.
  • Fake account creation: Automated tools can generate fake accounts on social media or other platforms. This helps criminals amplify the reach of malicious content and create a facade of legitimacy.
  • Dynamic URL generation: Threat actors use AI-powered tools to create dynamic and constantly changing URLs. This makes it harder for security systems to track and block malicious links. Notably, such a tool has been openly promoted on dark web forums, with a Russian-speaking threat actor offering comprehensive guidance on their usage for a fee of $3,500 USD.

Raj told Moonlock that cybercriminals use automated tools such as SEO Autopilot for website optimization and malware like Gootloader and BATLoader for SEO poisoning. “These tools help them manipulate search engine results, trick users into visiting malicious sites, and ultimately infect their systems.”

Final thoughts: When cybercrime is normalized

We could end this report with the usual recommendations for our readers. Tips like the following:

  • Always double-check URL addresses.
  • Be cautious when downloading files and apps.
  • Be extra careful of what ad or search result you click on.
  • Use a trusted anti-malware and a secure browser.

These are all valid tips. But how long will users have to take responsibility for security problems caused by platforms or companies that simply don’t do enough to protect them?

We believe it is best to end this report with a call to Google and all other search engine companies. In the name of all users, search engine platforms need to level up their game and draw a hard line in the sand.

Stopping malvertising and SEO poisoning is a monumental and resource-consuming task. It would require hiring new security experts and developing new security software. And while it may also translate to some economic losses for Google (the amount of money cybercriminals spend on Google Ads is surely significant), a safer platform is more valuable.

The worst thing that could happen would be for the cybersecurity community, ethical hackers, businesses, and organizations to simply accept cybercrime and cyberwarfare as the new normal. But normalizing crime, or shrugging it off and claiming the problem is just too big, isn’t the solution.

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Google LLC. Google Search and Google Ads are trademarks of Google LLC.

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.