Google has been in the news lately for a variety of reasons, and now they’re helping to protect you from malware. A fake Brave website that looks just like the real one has been pushing malicious code onto unsuspecting victims. Its creators used lookalike domains with names similar to the legitimate one, so instead of typing www.bravebrowser.com, a user could easily be tricked into visiting http://www-brave***-***, which delivers malware on a click because it is not the official domain name at all!
The near-perfect replica of Brave.com has caused a huge ruckus, as it was caught using Google Ads to promote a malware-laden website impersonating the official Brave browser. Visitors are prompted to install remote access malware known as ArechClient or SectopRAT. Google removed the malicious ads after the Brave team brought them to the search giant’s attention.
Brave is a Chromium-based, privacy- and security-focused web browser with a built-in ad-blocking tool called Brave Shield.
How bad is the malware pushed by the fake Brave website?
Attempting to download the browser’s installer starts the download of a 303 MB ISO disk image containing a single executable. The ISO was flagged by 8 antivirus engines on VirusTotal, and the executable inside it by 16. To steer traffic towards the fake site, the scammers bought Google ads that were displayed when users searched for browser-related terms. The domain shown in the ad was an unrelated one, for example mckelveytees.com, a site that sells apparel for professionals.
It turns out mckelveytees.com wasn’t the only one; the others, including the Punycode and translated domains, are (all registered through Namecheap):
Namecheap took down the malicious domains after being informed.
These attacks are not just unpredictable but also very hard to detect. With a domain hosting a carbon copy of the spoofed website, even security-aware people can be fooled. Because the attacker has full control over the Punycode domain, the impostor site may also present a valid TLS certificate. There is no foolproof way to avoid these threats other than taking a few extra seconds to inspect the URL once it appears in the address bar. Though these kinds of attacks aren’t new, you could say they are still in their prime.
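Inspecting the URL by eye is hard precisely because a Punycode (xn--) domain renders as Unicode that can look identical to the real brand. The following is an added example, not code from the article or from Brave: a small Python checker, of the kind a defender might run over proxy or DNS logs, that decodes xn-- labels, flags mixed-script and accented lookalikes of brave.com, and flags dashed domains that merely embed the brand name (as in the www-brave-… pattern the article mentions). The sample domains are constructed for the demo and are not the campaign’s real domains; the confusables table is a tiny hand-picked subset of Unicode TR39, and the registrable-domain helper assumes "last two labels" instead of consulting the Public Suffix List.

```python
import unicodedata

# The legitimate domain the article is about.
BRAND_DOMAINS = {"brave.com"}

# Tiny subset of Unicode TR39 confusables (assumption: a real checker loads the
# full table). Keys are non-Latin letters that render like the Latin value.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",   # Greek omicron and alpha
    "\u0131": "i",                  # dotless i
}


def ace(unicode_domain):
    """Encode a Unicode domain to its ASCII-compatible (xn--) form, as DNS sees it."""
    return unicode_domain.encode("idna").decode("ascii")


def decode_domain(domain):
    """Turn an xn-- domain into the Unicode string a browser would render."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # malformed Punycode: keep the raw label so an analyst sees it
        labels.append(label)
    return ".".join(labels)


def skeleton(text):
    """Collapse text to the ASCII it *looks like*: strip accents, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue  # drop the accent, keep the base letter
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def scripts_in(label):
    """Set of Unicode script prefixes ('LATIN', 'CYRILLIC', ...) used by the label's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def registrable(domain):
    # Assumption: registrable domain = last two labels (no Public Suffix List here).
    return ".".join(domain.split(".")[-2:])


def analyze(domain):
    """Classify one domain; returns a dict with the decoded form and the reasons it was flagged."""
    decoded = decode_domain(domain)
    reasons = []
    if registrable(decoded) not in BRAND_DOMAINS:
        if any(ord(c) > 127 for c in decoded):
            reasons.append("non-ASCII characters (IDN/Punycode)")
        for label in decoded.split("."):
            if len(scripts_in(label)) > 1:
                reasons.append("mixed scripts in label '%s'" % label)
        looks_like = skeleton(decoded)
        if registrable(looks_like) in BRAND_DOMAINS:
            reasons.append("homograph of a brand domain")
        else:
            brand_names = {b.split(".")[0] for b in BRAND_DOMAINS}
            for label in looks_like.split("."):
                for name in brand_names:
                    if name in label and label != name:
                        reasons.append("brand name '%s' embedded in label '%s'" % (name, label))
    return {"domain": domain, "decoded": decoded, "suspicious": bool(reasons), "reasons": reasons}


def report(domains):
    """Analyze every domain, print a one-line verdict each, and return the results."""
    results = [analyze(d) for d in domains]
    for r in results:
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print("%-28s %-20s %-11s %s" % (r["domain"], r["decoded"], verdict, "; ".join(r["reasons"])))
    return results


if __name__ == "__main__":
    # Constructed samples: the real brand, two homographs, a dashed lookalike, a control.
    samples = [
        "brave.com",
        ace("brav\u00e9.com"),          # Latin e with acute accent
        ace("br\u0430ve.com"),          # Cyrillic small a in place of Latin a
        "www-brave-com.example",        # brand name embedded in a hyphenated label
        "example.com",
    ]
    report(samples)
```

Mixed-script detection catches the Cyrillic case, while the skeleton comparison catches accented and Greek lookalikes that stay within one script; the embedded-brand rule covers the plain-ASCII dashed style, which no IDN check would see. In practice the script would be pointed at newly observed domains from DNS or proxy logs rather than the fixed sample list.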
If you liked this article (or if it helped at all), please leave us a comment below or share it with friends so they can protect themselves from this attack too.