🚨 Fake Homebrew Google Ads Target Mac Users with Malware 🚨
Hackers are exploiting Google Ads to spread malware, targeting unsuspecting Mac and Linux users through a fake Homebrew website.

This campaign delivers an infostealer designed to steal credentials, browser data, and cryptocurrency wallets, posing a significant threat to digital security.
The Discovery of the Campaign
Security researcher Ryan Chenkie identified the malicious campaign, warning users on X (formerly Twitter) about the risks of falling victim to malware infection. The malware, known as AmosStealer or 'Atomic,' is a sophisticated infostealer tailored for macOS systems. Sold to cybercriminals as a subscription service for $1,000 per month, AmosStealer is gaining popularity in the dark web community.
The stealer has been observed in other recent campaigns, including fake Google Meet pages, and is becoming a favorite among attackers targeting Apple users due to its high efficacy and tailored design for macOS.
Targeting Homebrew Users
Homebrew is a widely used open-source package manager for macOS and Linux that lets users install, update, and manage software from the command line.
Hackers leveraged Google Ads to display an advertisement that seemed to link to Homebrew's legitimate website, brew.sh. However, clicking on the ad redirected users to a fake site hosted at brewe.sh. This slight variation in the URL tricked even seasoned users into visiting the malicious page.
Such tactics, where scammers mimic legitimate websites, are a hallmark of malvertising campaigns. These campaigns exploit slight differences in URLs, making it difficult for users to distinguish between real and fake websites.
How the Attack Works
Visitors to the fake Homebrew site were presented with installation instructions resembling those on the legitimate website. They were prompted to copy and paste a command into the macOS Terminal or Linux shell prompt, as they would on the authentic site.
However, running this command downloaded and executed the AmosStealer malware on the user’s device.
Capabilities of AmosStealer
The Amos malware is a powerful infostealer designed to target sensitive data. Its capabilities include:
Targeting Cryptocurrency Wallets: Supports over 50 cryptocurrency browser extensions and desktop wallets.
Data Exfiltration: Extracts data stored in web browsers, including saved passwords, cookies, and browsing history.
Broad Espionage: Tracks user activity and exfiltrates sensitive information.
This makes it a potent threat for individuals who use their devices for financial transactions or store sensitive information on their systems.
Response from Homebrew
Mike McQuaid, the project leader of Homebrew, acknowledged the situation and expressed frustration with Google’s lack of scrutiny over paid advertisements.
"Mac Homebrew Project Leader here. This seems taken down now," tweeted McQuaid. "There's little we can do about this really, it keeps happening again and again, and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good."
Although the malicious ad has been removed, McQuaid cautioned that similar campaigns might resurface using alternative domains.
Google’s Ad Malvertising Problem
This incident is part of a broader problem with malicious advertisements in Google Search results. Threat actors frequently exploit Google Ads to deceive users and run harmful campaigns under the guise of legitimate, verified entities.
In this case, the attackers mimicked Homebrew’s website, but similar tactics have been used for other popular platforms and software.
For example, a recent campaign targeted Google advertisers to hijack their accounts and deploy scams under the banner of legitimate brands. This recurring issue underscores the need for stricter oversight and proactive measures from Google.
How to Stay Safe
To minimize the risk of falling victim to such campaigns, users should adopt the following precautions:
Double-Check URLs: Always verify the URL before clicking on links or entering sensitive information. Even minor differences, such as an extra letter or altered domain, can signal a fraudulent site.
Use Bookmarks: Bookmark official websites for frequently visited projects or tools, such as Homebrew, and use those links instead of relying on search engines.
Avoid Sponsored Links: When downloading software, steer clear of sponsored ads and look for the official link in the search results.
Stay Updated on Threats: Follow trusted cybersecurity resources to stay informed about the latest campaigns and attack methods.
Enable Security Protections: Use antivirus tools and browser extensions that warn of known phishing and malware domains.
The Bigger Picture
The rise of malvertising campaigns targeting trusted platforms like Homebrew highlights the need for vigilance among users and accountability from technology providers. While Homebrew’s team acted swiftly to mitigate the issue, the recurrence of such attacks points to broader challenges in securing the digital ecosystem.
Google, as the primary platform for these ads, must prioritize stricter monitoring and enforcement to prevent malicious actors from exploiting its services. Until then, users must remain cautious and proactive in verifying the authenticity of links and software.
Conclusion
The fake Homebrew campaign demonstrates how easily attackers can exploit trusted platforms to deploy malware. With AmosStealer at the helm, cybercriminals are targeting a growing number of macOS and Linux users, stealing sensitive data and compromising financial assets. By staying informed, adopting safe online practices, and relying on trusted sources for downloads, users can significantly reduce the risk of falling victim to such attacks. Cybersecurity remains a shared responsibility, and raising awareness is a critical step toward a safer digital world.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.



