Unraveling the Sophisticated Phishing Scheme Behind Fake Google Ads

SlowMist
8 min readMar 5, 2024

Event Background

Recently, the SlowMist security team and the Rabby Wallet team discovered a phishing attack method utilizing Google ads. Following this discovery, the SlowMist team collaborated with the Rabby Wallet team to conduct an in-depth analysis of the attack.

According to the Rabby Wallet team, they had not purchased any Google ads. However, the fake ad was redirected to the legitimate official website. This raised the question: was the phishing group spending money to promote a legitimate wallet?

From the perspective of Google search keywords, the top two search results were phishing ads. Interestingly, the link in the first ad was quite interesting, as it displayed the official website address of Rabby Wallet [https://rabby.io]. The question arises: why would the phishing group do this?

Upon investigation, it was discovered that the phishing ads were sometimes redirected to the genuine official address [https://rabby.io]. However, after changing proxies to different regions multiple times, the ads would redirect to a phishing address [http://rebby.io], and this phishing address would undergo updates and changes. At the time of writing, the link redirected to the phishing address [https://robby.page.link/Zi7X/?url=https://rabby.io?gad_source=1].

Technical Analysis

Let’s first explain what 302 is. A 302 is an HTTP status code indicating a temporary redirect (Found). When a server receives a request from a client and needs to temporarily move the requested resource to another location, it returns a 302 status code. This code is accompanied by a Location header in the response, indicating the new location to which the client should be redirected. This type of redirect is temporary.

Our analysis revealed that the phishing ad’s link would undergo multiple 302 redirects. As shown in the example, using the curl command to request the link would initially redirect to a phishing address [https://rabby.iopost.ivsquarestudio.com]. However, during the second 302 redirect, two different outcomes were observed:

1. When using the curl command to request the aforementioned Location address [https://rabby.iopost.ivsquarestudio.com], it results in a 302 redirect to the official address [https://rabby.io].

2. However, when using the curl command to simulate a normal browser request to the same Location address [https://rabby.iopost.ivsquarestudio.com] (with request headers including User-Agent, Accept, Referer, Accept-Encoding, etc.), it redirects to a new Location address [https://dnovomedia.com?uid=087aa42d-724b-4a1e-bae7-f1f700ce71e6].

This indicates that the phishing link makes a determination during the second 302 redirect: if the request appears to be from a non-standard browser, it redirects to the official address; if the request seems to be from a normal browser and the region is deemed appropriate, it redirects to a phishing address.

Our tracking found that the final phishing address redirected to was [https://rabbyo.com/index.php?uid=087aa42d-724b-4a1e-bae7-f1f700ce71e6].

Upon visiting this phishing link, it was discovered that the phishing page had nearly cloned most of the content from the official website:

By tracking the 302 redirects, the following phishing link addresses were discovered:

- [https://robby.page.link/Zi7X]

- [https://rabby.iopost.ivsquarestudio.com]

- [https://dnovomedia.com?uid=087aa42d-724b-4a1e-bae7-f1f700ce71e6]

- [https://rabbyo.com]

- [https://rebby.io]

Upon querying the threat intelligence platform for the phishing domains [rebby.io] and [rabbyo.com], it was found that both domains were registered in January 2024.

Trojan Analysis

Upon examining the code, it was found that the attackers used the platform Fastpanel:

The phishing backend program uses Fastpanel (Fastpanel is a virtual hosting management panel developed by hosting providers in Russian-speaking regions):

Further inspection of the phishing webpage’s source code revealed that clicking to download the desktop version initiates a client verification process:

If the system detects that the current environment is a Mac computer, it redirects to the download address [https://brandsrocket.com/data/rabby-wallet-desktop-installer-x64-latest.dmg].

It was observed that the Trojan program occupies a very small amount of storage space, only 1.1 MB:

After uploading the Trojan program to an online threat analysis website for examination, it was found that this Trojan sample had been analyzed 19 days prior to the writing of this document and was identified by multiple antivirus engines as a Trojan backdoor program.

The Tech Behind Phishing

It’s evident that from the placement of ads to the creation of phishing websites, and then to the production of Trojans, the phishing operation is conducted smoothly and effectively. What puzzles many is why the advertisement shown in Google search displays the official address, and why there are multiple 302 redirects afterward. Analysis reveals that a key tactic of the phishing group is to exploit Google’s own Firebase short link service’s 302 redirects to deceive Google’s display mechanism.

To understand this process more clearly, it’s also necessary to learn about Google Ads’ deployment mechanism (anyone with a Google account can log into Google’s Ad Manager site [https://ads.google.com] to set up promotions):

1. First, you need to create a new ad campaign on the Ad Manager site aimed at website traffic, with the type set as “Search”.

2. After setting the bid price and the frequency of ad impressions, select the regions and languages for ad distribution. This also explains why advertisements may not appear for the same search keywords in different regions or language settings.

3. A crucial step involves setting up a tracking template. Tracking templates are an advanced feature of Google Ads that allows third-party tracking of ad links.

We noticed that the first redirect link used by the phishing page has a domain name of page.link, which is actually a short address service provided by Google’s Firebase. This service allows any redirect address to be bound to a subdomain of page.link.

Since third-party tracking links need to be addresses certified by Google, and page.link is Google’s own domain, the phishing group was able to bypass this restriction.

4. Once the ad is live, Google does not check in real-time whether the 302 redirect links have changed, nor does it update ad information in real-time. Therefore, the phishing group may change the redirect to a phishing website after the ad has been running for some time.

Similar phishing schemes also appear in various messaging apps. Taking the messaging app Telegram as an example, when a URL link is sent during a chat, Telegram’s backend fetches the URL’s domain, title, and icon for preview display.

However, during the process of fetching preview information, Telegram does not block 302 redirects. Therefore, if users make judgments based solely on the page’s information and then click on the link, they might be redirected to a phishing address.

Conclusion

Users are advised to recognize and trust only the official Rabby Wallet address [https://rabby.io] and not to trust any ad addresses shown in search results. If you fall victim to such scams, it is imperative to transfer your wallet funds immediately and conduct a comprehensive virus scan on your personal computer. Always retain a degree of skepticism before clicking on website links. For additional security knowledge, it is recommended to read the “Blockchain Dark Forest Self-Guard Handbook” written by the SlowMist Security Team and various industry expert.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.