An interesting GIMP ad has been spotted (https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/#comments) on Google. The user sees a link to the editor's real site (gimp.org), but instead ends up on a fake one at the domain gilimp.org, where they pick up the VIDAR infostealer, padded out to 700 MB. A week ago I wrote (https://t.me/tomhunter/1360) about an active typosquatting campaign spreading it.
What is more interesting is how the attackers got the site's legitimate address into the ad. There has been speculation that this is an IDN homograph attack, but that is unlikely. Google does allow an ad to display a URL other than the one the user actually lands on, but both must be on the same domain. Whether this is the result of a bug in Google Ad Manager is not clear. For now all we can say is "Thank you, Google, very cool". And install an ad blocker.
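The same-domain rule described above, turned into a check an ad reviewer or defender could run over ad records. This is an added example, not code from the original post or from Google; the ad records are constructed, and the registrable-domain logic is a deliberate simplification (last two host labels, no Public Suffix List).

```python
"""Added example (not from the original post): audit display URL vs. final
landing URL of an ad, the way the same-domain rule above would require.
Constructed records below reproduce the GIMP case: the ad shows gimp.org
while the landing page sits on the lookalike gilimp.org."""
from urllib.parse import urlsplit

# Constructed sample ads; not captured ad data.
ADS = [
    {"display": "https://www.gimp.org/", "final": "https://www.gimp.org/downloads/"},
    {"display": "https://www.gimp.org/", "final": "https://gilimp.org/download"},
    # Constructed punycode host to show the IDN (homograph) branch.
    {"display": "https://xn--gmp-hoa.org/", "final": "https://xn--gmp-hoa.org/"},
]


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, empty string if there is none."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(url: str) -> str:
    """Last two labels of the host, e.g. www.gimp.org -> gimp.org.
    Simplification: a real check would consult the Public Suffix List
    so that hosts under co.uk and similar suffixes are handled correctly."""
    return ".".join(hostname(url).rsplit(".", 2)[-2:])


def is_idn_host(url: str) -> bool:
    """True when the host is internationalised (punycode label or
    non-ASCII characters), the ingredient an IDN homograph attack needs."""
    host = hostname(url)
    return any(label.startswith("xn--") for label in host.split(".")) or any(
        ord(c) > 127 for c in host
    )


def audit(ad: dict) -> str:
    """Classify an ad: 'domain-mismatch' when shown and landing registrable
    domains differ (the gimp.org / gilimp.org case), 'idn-host' when either
    URL uses an internationalised host, otherwise 'ok'."""
    if registrable_domain(ad["display"]) != registrable_domain(ad["final"]):
        return "domain-mismatch"
    if is_idn_host(ad["display"]) or is_idn_host(ad["final"]):
        return "idn-host"
    return "ok"


if __name__ == "__main__":
    for ad in ADS:
        print(f'{audit(ad):16} shown={ad["display"]} landing={ad["final"]}')
```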