A method that abuses search ads to impersonate official sites and spread malware is spreading.
On the 3rd, according to the Korea Internet & Security Agency (KISA), an unidentified hacking group suspected of being state-backed recently created and distributed a phishing site that impersonated the official download page for "KakaoTalk."
The site was designed to appear at the top of search engine results such as Google and Bing. Users are tricked into mistaking it for the official page and downloading an installer that contains malware. This is an "SEO (Search Engine Optimization) poisoning" technique that manipulates top search rankings to lure users to malicious sites.
In fact, more than 560 pieces of malware were found to have been distributed through a phishing site disguised as the download page for the "KakaoTalk PC version" over roughly two months from Feb. 10 to Apr. 14 this year. If a user runs the disguised installer, malware executes on the user's PC and there is a risk that sensitive information on the PC will be leaked externally.
Such attacks are spreading to services that draw strong user interest. Security firm AhnLab said it recently identified a phishing site that closely mimicked the Claude download page. The attacker is believed to have used Google search ads so that the site appeared at the very top of search results for keywords such as "Claude app" and "Claude desktop."
KISA said, "When installing major software (SW) such as KakaoTalk, download it through the official website rather than search results, and among search results, you must check whether the URL of items marked as 'Ad' or the top-exposed link matches the normal site before accessing."