Researchers from Mandiant and Google have uncovered how cybercriminals are repurposing digital analytics and advertising tools to enhance their malicious campaigns.
These tools, typically used by marketers and advertisers to deliver targeted content, are being weaponized to evade detection and increase the impact of cyberattacks.
Cybercriminals are increasingly using Search Engine Marketing (SEM) tools to refine their malvertising campaigns by identifying high-traffic keywords that attract potential victims.
Much like legitimate marketers, these threat actors begin by analyzing which advertising keywords yield the most user interactions.
For instance, data from a competitive intelligence tool revealed that in June 2024, an estimated 220,000 clicks were generated by ads linked to the keyword “advanced ip scanner” across multiple domains.
Notably, two domains, “ktgotit[.]com” and “advanced-ip-scanner[.]com,” which previously generated significant traffic, had no activity in June 2024 but remained associated with the same keywords.
By correlating this data with historical ads, cybercriminals could identify effective ads linked to these domains as templates for their malicious campaigns, illustrating how SEM tools are being co-opted for nefarious purposes.
The Weaponization of Link Shorteners
Link shorteners, such as bit.ly, have become a staple in the digital world since their inception around 2000. While they are commonly used to track click-through rates and simplify complex URLs, cybercriminals have found ways to exploit these tools.
Mandiant’s research highlights how threat actors use link shorteners to obscure malicious URLs and redirect victims during the initial stages of an attack.
Notable incidents include phishing campaigns and malvertising efforts that leverage these shortened links to deceive users and distribute malware.
IP Geolocation Utilities Misused
IP geolocation utilities, designed to provide insights into the geographic reach of advertising campaigns, are also being misused by attackers.
These tools allow cybercriminals to track the spread of their malware and tailor their attacks based on the victim’s location.
For instance, the Kraken Ransomware uses geolocation data to monitor infection rates, while other malware variants adjust their behavior based on the victim’s IP address to avoid detection.
CAPTCHA Technology Exploited
CAPTCHA technology, intended to differentiate between human users and bots, is being manipulated by cybercriminals to protect their malicious infrastructure.
By implementing CAPTCHA challenges, attackers can prevent automated security tools from accessing and analyzing their phishing pages. This tactic allows them to screen out non-human traffic while ensuring that human victims can still access malicious content.
Defending Against These Threats
Experts advise that completely blocking the use of these tools is impractical due to their legitimate applications. Instead, organizations should focus on detection and mitigation strategies.
This includes monitoring network telemetry for suspicious patterns, implementing automated analysis of link shorteners, and refining detection strategies for CAPTCHA and geolocation abuse.
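One way to start on the automated analysis of link shorteners mentioned above, as an added example that is not from Mandiant, Google or the original article: it rebuilds redirect chains from proxy records and flags chains that end in a download or pass through an intermediate domain. The log layout, the time window, the shortener list beyond bit.ly, the content-type list and all sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Illustrative list: bit.ly is named in the article, the others are assumptions.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_TYPES = {"application/x-msdownload", "application/octet-stream", "application/zip"}

# Constructed proxy records: (epoch_seconds, client, url, status, location, content_type)
SAMPLE_LOG = [
    (1000, "10.0.0.5", "https://bit.ly/abc123", 301, "https://redir.example/r?id=7", ""),
    (1001, "10.0.0.5", "https://redir.example/r?id=7", 302, "https://files.example/setup.exe", ""),
    (1002, "10.0.0.5", "https://files.example/setup.exe", 200, "", "application/x-msdownload"),
    (1010, "10.0.0.9", "https://tinyurl.com/xyz", 301, "https://docs.example/guide", ""),
    (1011, "10.0.0.9", "https://docs.example/guide", 200, "", "text/html"),
    (1020, "10.0.0.9", "https://docs.example/pricing", 200, "", "text/html"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def shortener_chains(records, max_gap=5):
    """Rebuild per-client redirect chains that start at a link shortener."""
    open_chains = {}  # (client, next expected URL) -> chain still being followed
    finished = []
    for ts, client, url, status, location, ctype in sorted(records):
        chain = open_chains.pop((client, url), None)
        if chain and ts - chain["last_ts"] > max_gap:
            chain = None  # too late to be the same redirect
        if chain is None:
            if host(url) not in SHORTENERS:
                continue  # ordinary browsing, not part of a shortener chain
            chain = {"client": client, "hops": []}
        chain["hops"].append(url)
        chain["last_ts"] = ts
        if status in (301, 302, 303, 307, 308) and location:
            open_chains[(client, location)] = chain
        else:
            chain["final_type"] = ctype
            finished.append(chain)
    return finished

def triage(chain):
    """Return the reasons a chain deserves analyst attention (empty if none)."""
    reasons = []
    if chain["final_type"] in RISKY_TYPES:
        reasons.append("shortener led to a download")
    if len({host(u) for u in chain["hops"]}) > 2:
        reasons.append("intermediate redirect domain")
    return reasons
```

Chains that never reach a final response within the window are dropped here; in production they would be worth logging separately, since an unfinished chain can mean the destination was blocked or filtered the request.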
Marketers consider various factors when running ad campaigns, including ad content, target demographics, geolocation, and timing.
To refine their strategies, they often use competitive intelligence tools like AdBeat, Google, and Meta repositories to analyze competitors’ ads, keywords, and landing pages.
However, threat actors can also exploit these tools to set up malicious ad campaigns, which is known as malvertising.
By leveraging insights from these tools, attackers can craft and execute malvertising campaigns effectively, as demonstrated in a real-life case investigated by Google Ads researchers.
As digital tools continue to evolve, so do the tactics of cybercriminals. It is crucial for organizations to stay informed about these emerging threats and adapt their security measures accordingly. By understanding how these tools can be exploited, defenders can better protect their environments and mitigate the risks posed by these sophisticated cyberattacks.