Careful — this Google ad could swipe your bank data without you knowing

Using Google ads to push their malicious sites to the top of the results page is a trick cybercriminals use all too often. The latest example is a fake Homebrew website that uses an infostealer to swipe personal data, browser history, login information, and bank data from unsuspecting victims.

Spotted by Ryan Chenkie on X and reported by BleepingComputer, the malicious Google ad even displays the correct Homebrew URL “brew.sh,” so there’s no real way to spot the trick before clicking.


⚠️ Developers, please be careful when installing Homebrew.

Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site. pic.twitter.com/TTpWRfqGWo

— Ryan Chenkie (@ryanchenkie) January 18, 2025

For anyone who did click, the ad redirected them to a clone of the site hosted at “brewe.sh,” revealing the incorrect URL. According to a reply to the X post from Google’s Logan Kilpatrick, the ad has now been taken down — so no need to worry if you’re reading this. However, Chenkie and many of his commenters were surprised and confused by the ad’s ability to display the correct URL despite it not matching the link’s destination.

It seems this strategy is called “URL cloaking” and Google has told BleepingComputer that it happens because “threat actors are evading detection by creating thousands of accounts simultaneously and using text manipulation and cloaking to show reviewers and automated systems different websites than a regular visitor would see.”

Clearly, a lot of work is going into tricking Google into doing this, which means it could be a difficult problem for Google to fix. Right now, the company is “increasing the scale of its automated systems and human reviewers” to try and combat the problem, which certainly sounds expensive.

It’s possible that this URL cloaking technique makes it much easier for cybercriminals to target websites like Homebrew. As a software package management system for macOS and Linux, its audience is pretty much guaranteed to be more knowledgeable than the average online shopper and likely wouldn’t fall for an ad that blatantly displayed an incorrect URL.

The infostealer used in this campaign was identified by security researcher JAMESWT as AmosStealer (also known as Atomic), and it’s specifically designed for macOS systems. Developed using Swift, the malware can run on both Intel and Apple Silicon devices and it’s sold to cybercriminals as a $1,000-per-month subscription.

If you’re worried about malware campaigns like this, there are a few things you can do to stay safe. Firstly, as well as checking an ad’s displayed URL before you click, it’s now a good idea to check the URL of the page once it loads. Remember that only one character needs to be different, so make sure you do more than just give it a glance.

Another way to avoid malware spread by Google ads specifically is to stop clicking on Google ads. If you search for a specific site, the normal version will always be included in the results below, so just skip the ad completely and avoid trouble that way. Otherwise, if you see an ad you’re interested in, search the name of the company or product it’s advertising rather than clicking on the ad directly.

Lastly, if this is just one of many Google-based annoyances for you, you can always consider kicking Google to the curb. Search engines focusing on improved privacy such as DuckDuckGo or Qwant in Europe are viable alternatives if you’re interested in trying something new.
