The AI race is on! It's easy to lose track of the latest developments and possibilities, and yet everybody wants to see firsthand what the hype is about. Heyday for cybercriminals!
21 Aug 2023
4 min. read
My first "huh?" moment was that the shortened URL didn't include any Google reference but rather a link to rebrand.ly – a service with no obvious ties to Google and with offices in Dublin, Ireland. It seemed odd for an internet giant to be using the services of another provider, and my suspicion was triggered. I then re-read the text of the advertisement and, although I'm not a native English speaker, I found it hard to believe that nobody seemed to have proofread that rather confusing content.
Did you say "Bots"?
I then proceeded to check the comments section below the ad, looking for hints of possible fraud, but to my (little) surprise, all of them seemed to love "the app". Referring to just "the app" seemed rather common, while others praised the "AI", never mentioning Google at all. Some were giving "a 5 Star rating" (sic) – in a comment section?! Somehow, miraculously, it seemed like everybody in the comments had downloaded and tested the app at the same time, only to be writing their comments at exactly the same moment – which in my case was "6 hours ago" – only adding to my suspicions.
Following the trail
I chose to fire up my safe environment to investigate a little further. First, I checked the rebrand.ly link at VirusTotal, which was flagged as malicious by 3/90 vendors. That is a first indicator, but no proof at all, as it may just as well be a false positive.
So I went for it and opened the link in an anonymous browser window – which turned out to be a good idea, as the link led to an actual Google site –
Had I been accessing the site while logged in to my browser, especially with my Google account in Chrome, the criminals would probably have gained far more information about me than I'd wanted!
While the site is hosted on Google's cloud infrastructure, the content is, of course, neither related to nor provided by Google themselves. It also gives away a few more hints that something shady is about to happen here. First, let's have a look at the page title in the browser tab: "Trang chủ" (Vietnamese for "home page"). Furthermore, it seems obvious, once again, that the text on the site wasn't written by a native or proficient English speaker. This suggests that the attackers behind this campaign may be based in Vietnam, but of course this is by no means sufficient proof.
The "Download" button then leads to hxxps://drive.google.com/u/0/uc?id=1sn-Lzt-2vJ_i-6I9lkbGgr_-IN2TVcA-&export=download – a personal Google Drive space, trying to create the illusion that the campaign was an official offering by Google, though it was merely a cheap means of distribution for the attackers.
There's no intelligence, not even artificial
The downloaded file is a RAR archive – GoogleAIUpdata.rar. Scanning it or uploading it to VirusTotal doesn't lead to anything useful, as it is "protected" with a password. Why would a genuine download from Google need a password, you ask? Well, this password "protection" serves only as an easy way for the attackers to get past malware scanners – nothing else. If you open the archive (without unpacking it!) with the password "789" as provided on the download page, you'll see that it contains an installer in the MSI (Windows Installer) format – Google Bard AI setup.msi. Luckily, unarchiving tools like 7-Zip offer the option to compute SHA-256 (and other) file hashes, which can then be looked up on VirusTotal, again without the need to unpack a potentially dangerous file.
Looking up the hash provides the final proof that this is a malicious campaign. 26/59 vendors flag the file as malicious, with ESET giving away a little more information in the detection name.
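The hash-without-unpacking step described above can also be done from the command line. The following is an added example, not code from the original post: it streams one member of a password-protected archive straight from 7-Zip's `7z e -so` into `sha256sum`, so the decrypted installer never lands on disk, and then builds the VirusTotal lookup for that hash. It assumes the `7z` CLI and coreutils are installed; the self-check builds a password-protected 7z archive (an assumption standing in for RAR, because creating RAR archives needs the proprietary `rar` tool) with a constructed dummy "installer". The file name, member name and password in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the 7-Zip CLI (`7z`)
# and coreutils (`sha256sum`, `mktemp`) are available.

# Stream one member of a (password-protected) archive to stdout and hash the
# stream. The decrypted bytes only ever exist inside the pipe, never on disk.
member_sha256() {
    archive="$1"; member="$2"; password="$3"
    h=$(7z e -so -p"$password" "$archive" "$member" 2>/dev/null | sha256sum | cut -d' ' -f1)
    # A failed extraction (wrong password, missing member, no 7z) leaves an
    # empty stream whose SHA-256 is the well-known e3b0c442... value; treat that
    # as a failure rather than silently looking up the empty-file hash.
    [ "$h" != "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ] || return 1
    printf '%s\n' "$h"
}

# VirusTotal's web UI accepts a SHA-256 directly in the URL; no upload needed.
vt_gui_url() {
    printf 'https://www.virustotal.com/gui/file/%s\n' "$1"
}

# The same lookup through the public API v3 (needs VT_API_KEY; not run here).
vt_api_lookup() {
    curl -s -H "x-apikey: ${VT_API_KEY:?set VT_API_KEY}" \
        "https://www.virustotal.com/api/v3/files/$1"
}

# Self-check on a constructed archive: a dummy "installer" packed into a
# password-protected, header-encrypted 7z archive (assumption: 7z format
# instead of RAR). Prints the member hash only if it matches hashing the
# plaintext file directly, i.e. the in-pipe hashing really saw the same bytes.
self_check() {
    tmp=$(mktemp -d) || return 1
    printf 'not really an installer\n' > "$tmp/sample.msi"
    expected=$(sha256sum "$tmp/sample.msi" | cut -d' ' -f1)
    ( cd "$tmp" && 7z a -p789 -mhe=on sample.7z sample.msi >/dev/null 2>&1 ) || { rm -rf "$tmp"; return 1; }
    got=$(member_sha256 "$tmp/sample.7z" sample.msi 789) || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    [ "$got" = "$expected" ] || return 1
    printf '%s\n' "$got"
}

# Real-world use with the values from the post (run this inside an isolated VM):
#   vt_gui_url "$(member_sha256 GoogleAIUpdata.rar 'Google Bard AI setup.msi' 789)"
```

Two caveats worth keeping in mind: the installer is decrypted in memory while it passes through the pipe, so this still belongs in an isolated analysis VM, and a clean hash lookup only proves that this exact file is unknown to VirusTotal. Campaigns like this one are often re-packed, so a miss on the hash is not a clean bill of health.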
At the time of writing, the campaign was still visible in different variations, but I reported it and will most likely not be the only one doing so. Unfortunately, it seems that this may be a bigger campaign, as I've since encountered other examples such as "meta AI" or other fake "Google AI" ads. In any case, this campaign can be considered a desperate attempt to make a "quick buck" out of the current and ongoing AI hype, spreading ever so annoying adware to make even more money. By no means has this been a sophisticated campaign. But the sad reality is that people will fall for such scams in the hope of getting their hands on the latest technologies. Another sad truth is that we can't rely on tech giants such as Facebook and Google to provide 100% clean and safe environments.
I hope this blog post helps a little in recognizing the signs and hints, and in showing how to investigate a potential scam or malware attack without the need for expensive tools, right from home.