One way Google makes money is by placing ads at the top of search results. Google AdWords is a service anyone can use to get their links shown in the first positions when people search for a term. But it can also be abused to trick people into downloading malware.
GIMP, which stands for GNU Image Manipulation Program, is a popular PC program. It is a free alternative to Photoshop for people who want a simple, no-cost tool to edit and retouch photos.
Until last week, anyone who searched for this program on the Internet saw an AdWords ad as the first result. The ad displayed a URL that looked legitimate in the Google ad banner. But clicking it and checking the domain that actually loaded on the PC, supposedly “gimp.org,” shows that it is a fake domain used to spread malware.
How is this possible? It is actually very simple. When the attackers enter the page’s URL in the ad, they spell gimp.org with Cyrillic characters. The result looks as if we are going to gimp.org, but we are actually sent to a different domain. This works because Google allows the display URL and the destination URL of an ad to differ. Some advertisers use this legitimately to send visitors to a specific page on their site. Here, however, the goal is different.
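As an added defensive example (not code from the article), the following Python check models the display-URL trick described above: it detects when a hostname is spelled with Cyrillic look-alike letters and compares the displayed domain with the destination the way the resolver will actually see it (IDNA/punycode). The look-alike table and the two-label notion of "registrable domain" are simplifying assumptions.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters
# (in the spirit of the Unicode confusables table; not complete).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0501": "d",
}

def scripts_of(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(host: str) -> str:
    """What the host *looks like*: map look-alike Cyrillic letters to Latin."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in host.lower())

def registrable(ascii_host: str) -> str:
    """Last two labels as a stand-in for the registrable domain
    (assumption: real code would consult the Public Suffix List)."""
    return ".".join(ascii_host.split(".")[-2:])

def analyze_host(host: str) -> dict:
    """How a hostname is really resolved versus how it reads on screen."""
    host = host.lower()
    return {
        "non_ascii": any(ord(ch) > 127 for ch in host),
        "mixed_script": any(len(scripts_of(l)) > 1 for l in host.split(".")),
        # The resolver never sees Cyrillic: IDNA turns it into an xn-- label.
        "punycode": host.encode("idna").decode("ascii"),
        "skeleton": skeleton(host),
    }

def ad_is_suspicious(display_host: str, destination_host: str) -> bool:
    """True when the destination is not the site the display URL appears to be."""
    shown = analyze_host(display_host)
    real = analyze_host(destination_host)
    # A display URL that needs non-ASCII letters to spell an ASCII-looking name
    # is exactly the trick above: it reads as gimp.org but is not gimp.org.
    if shown["non_ascii"] or shown["mixed_script"] or real["mixed_script"]:
        return True
    # Otherwise compare the domains the way the resolver will see them.
    return registrable(shown["punycode"]) != registrable(real["punycode"])

if __name__ == "__main__":
    fake = "g\u0456mp.org"  # constructed: Cyrillic "і" (U+0456) in place of Latin "i"
    print(analyze_host(fake))
    print(ad_is_suspicious(fake, "download-mirror.invalid"))
```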
We want to remind you that www.gimp.org is the official GIMP site. All the others are fake pages that try to trick us in one way or another. Even the first result that appears when we search on Google Spain takes us to a website that is not what it seems.
A known piece of malware
The website looks identical to the original GIMP site. Even the download appears to be about 700 megabytes, like the real image editor. But the package is a fake: the bulk is padding, and the only real content is a 5-10 MB piece of malware.
Once installed, the malware turns out to be a variant of the well-known Trojan “VIDAR,” an information stealer that harvests all kinds of data from its victims. It connects to a command-and-control server over the Internet and waits for instructions. Among other things, it sends the following information from our computer to the attackers’ servers:
- All browser data (history, cookies, passwords, bank details, etc.).
- Cryptocurrency wallets.
- Certain files on the PC.
- Telegram credentials.
- Credentials for file transfer clients (WinSCP, FTP, FileZilla).
- Email data.
If we fell for this trick, we need to secure our computer as soon as possible. Before VIDAR steals any more of our information, we should scan the machine with a good antivirus and anti-malware program. We also need to take whatever protective steps apply: for example, changing our passwords, or asking the bank to replace our card details and protect our accounts.