October 17, 2022

Fake Google search rewards pop-up attack

Over the past 3 months, we have been closely monitoring a malicious redirect campaign that automatically redirects the user to random fake reward pop-ups without any user intervention.

Malicious advertisements


Major malware tactics used

  • Device fingerprinting

Malicious behavior 

The threat actor has created a group of several malvertising campaigns that follow the same attack/execution pattern. The first-stage malicious JavaScript code is hardcoded inside the creative markup. When the creative is executed, the malicious code executes at the same time in the background, without any user intervention.

This time the first-stage malicious JavaScript loader isn't obfuscated, which makes it easy for malware researchers to debug and understand the malicious code flow. The loader has multiple functions that collect user device information, and the threat actor creates a unique, long second-stage malicious JavaScript URL, which automatically redirects the end user and deceives them by showing fake Walmart/Google search reward pop-ups. Sometimes, based on geolocation, the user is redirected to multiple fake adult dating websites too.

Sample malicious JavaScript function that collects user timezone location and CPU information. 
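A static triage check for creative markup that looks for the pattern described above (device-information reads combined with a redirect that needs no user gesture), as an added example that is not the campaign's code or the original post's sample. The browser APIs matched, the function names and both sample creatives are assumptions constructed for illustration.

```javascript
// Added example: static triage of ad creative markup. The matched APIs are
// assumed, common browser sources for timezone and CPU data.
const FINGERPRINT_SIGNALS = {
  timezone: /resolvedOptions\(\)\s*\.\s*timeZone|getTimezoneOffset\s*\(/,
  cpu: /navigator\s*\.\s*(?:hardwareConcurrency|deviceMemory|platform)/,
  userAgent: /navigator\s*\.\s*userAgent/,
};
// Assignments or calls that navigate the page.
const REDIRECT_SINK = /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(/;
// Coarse hint that navigation is tied to a user gesture.
const USER_GESTURE = /addEventListener\s*\(\s*['"](?:click|touchend|keydown)['"]|\bonclick\s*=/;

// Return the bodies of non-empty inline <script> elements.
function extractInlineScripts(markup) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...markup.matchAll(re)].map((m) => m[1]).filter((s) => s.trim());
}

// Flag a creative when one inline script reads two or more device signals and
// redirects without any user-gesture handler.
function triageCreative(markup) {
  const findings = extractInlineScripts(markup).map((src) => ({
    signals: Object.keys(FINGERPRINT_SIGNALS).filter((k) => FINGERPRINT_SIGNALS[k].test(src)),
    redirects: REDIRECT_SINK.test(src),
    gesture: USER_GESTURE.test(src),
  }));
  const suspicious = findings.some((f) => f.signals.length >= 2 && f.redirects && !f.gesture);
  return { suspicious, findings };
}

// Constructed sample: reads timezone and CPU count, then redirects on load.
const SAMPLE_AUTO_REDIRECT = `<div><img src="banner.png"></div>
<script>
  var tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
  var cores = navigator.hardwareConcurrency;
  top.location.href = "https://landing.example.invalid/?c=" + cores;
</script>`;

// Constructed sample: same reads, but navigation happens only on click.
const SAMPLE_CLICK_ONLY = `<a id="cta" href="#">Shop now</a>
<script>
  var tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
  var cores = navigator.hardwareConcurrency;
  document.getElementById("cta").addEventListener("click", function () {
    location.href = "https://shop.example.invalid/";
  });
</script>`;

console.log(triageCreative(SAMPLE_AUTO_REDIRECT).suspicious);
console.log(triageCreative(SAMPLE_CLICK_ONLY).suspicious);
```

A hit is a reason to run the creative in an instrumented sandbox, not a verdict: the gesture check is coarse, and an obfuscated loader would not match these patterns.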


Malicious landing pages


