One of the monetization techniques used by Google is showing ads above the first search results. Anyone can hire this service, called Google AdWords, to appear in the top positions when users run a given query in the search engine. It is generally used by companies with poor SEO so that they appear before their competition when people search for information about them. Unfortunately, it can also be used to trick users into downloading all kinds of malware.
GNU Image Manipulation Program, better known as GIMP, is a well-known program for PC. It is a free alternative to Photoshop for users looking for a simple, no-cost program to edit and retouch photos.
Until last week, when users searched for this program on the Internet, the first result that appeared was an AdWords ad. The ad displayed a URL that appeared to be authentic in the Google banner itself. But on clicking it and analyzing the domain that actually loaded on the PC, we can see that it is a fake domain, “gilimp.org”, used to distribute malware.
How is this possible? It is actually very simple. When registering the URL for the ad, the attackers use Cyrillic characters in gіmp.org, so that what looks like the genuine address in fact leads to a different domain. This works because Google allows different URLs in the display URL and destination URL fields, a feature some advertisers use to send users to a specific area of their site. In this case, however, the purpose is different.
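As an added, defender-side illustration (this code is not from the article; the confusable table and the legitimate-host list are assumptions constructed for the example), the following Python checks an ad's display hostname for mixed scripts and confusable characters, shows the punycode form a browser would actually resolve, compares it with the destination hostname, and also flags near-miss spellings of a known domain such as the "gilimp.org" mentioned above:

```python
"""Lookalike-domain checks for ad URLs (example code, not from the article)."""
import unicodedata
from urllib.parse import urlsplit

# Cyrillic letters that render almost identically to Latin ones.
# Constructed subset for the example; a real deployment would use the
# Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u0458": "j", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04bb": "h",
}


def script_of(ch):
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def hostname_scripts(hostname):
    """Set of scripts used by the letters of a hostname."""
    return {script_of(ch) for ch in hostname if ch.isalpha()}


def skeleton(hostname):
    """Replace known confusables with their Latin twins so lookalikes collapse."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def to_ascii(hostname):
    """Punycode (xn--) form the resolver sees; unchanged for pure-ASCII names."""
    return hostname.encode("idna").decode("ascii")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats like gilimp.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_legit(hostname, legitimate_hosts, max_distance=2):
    """Return a legitimate host within max_distance edits, excluding exact matches."""
    candidates = [(edit_distance(hostname, h), h) for h in legitimate_hosts]
    near = [(d, h) for d, h in candidates if 0 < d <= max_distance]
    return min(near)[1] if near else None


def analyze_ad(display_url, destination_url, legitimate_hosts):
    """Summarize the warning signs for one ad's display/destination URL pair."""
    display = urlsplit(display_url).hostname or ""
    destination = urlsplit(destination_url).hostname or ""
    skel = skeleton(display)
    return {
        "display_host": display,
        "display_punycode": to_ascii(display),
        "mixed_script": len(hostname_scripts(display)) > 1,
        # Confusable rewrite matches a real brand but the raw host does not.
        "impersonates": skel if skel in legitimate_hosts and display not in legitimate_hosts else None,
        "destination_host": destination,
        "destination_differs": to_ascii(destination) != to_ascii(display),
        "destination_typosquat_of": closest_legit(destination, legitimate_hosts),
    }


if __name__ == "__main__":
    # Constructed sample: display URL with Cyrillic i (U+0456), destination on a typosquat.
    legit = {"gimp.org", "www.gimp.org"}
    for key, value in analyze_ad("https://g\u0456mp.org/", "https://gilimp.org/", legit).items():
        print(f"{key}: {value}")
```

The `impersonates` field fires when the confusable-collapsed hostname equals a known domain while the raw hostname does not, which is exactly the Cyrillic-i trick; `destination_differs` exposes the display/destination split the article describes, and the edit-distance check catches plain misspellings that contain no Unicode at all.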
We remind you that the official GIMP website is www.gimp.org. All the others are fake pages that, in one way or another, try to trick us. That includes the first result that appears when searching from Google Spain, which leads to a false and misleading website.
Known malware inside
The web page looks identical to the original GIMP page. Even the download is convincing: the file is about 700 megabytes, the same size as the real image editor. However, the package is fake, and in reality it only hides a 5-10 MB piece of malware inside.
Once the malware is installed, victims find that their PC is running a variant of Vidar, a well-known Trojan used to steal all kinds of data. It connects remotely to a command-and-control server and waits for instructions. Among other things, the information it looks for on our computer, and sends to the attackers' servers, is:
- All browser data (history, cookies, passwords, bank details, etc.).
- Cryptocurrency wallets.
- Specific files on the PC.
- Telegram credentials.
- File transfer service credentials (WinSCP, FTP, FileZilla).
- Email data.
If we have fallen for this deception, it is vital to secure our computer as soon as possible. We must scan it with a good antivirus and anti-malware tool to remove all traces of Vidar before it continues stealing more information about us. In addition, we should take whatever protective measures we consider appropriate, such as changing passwords or notifying the bank to replace the credit card details and protect our accounts.