Security News > 2022 > November > Google ad for GIMP.org served info-stealing malware via lookalike site
Clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.
Reddit user ZachIngram04 earlier shared the development stating that the ad previously took users to a Dropbox URL to serve malware, but was soon "Replaced with an even more malicious one" which employed a fake replica website 'gilimp.org' to serve malware.
All of this has still left users puzzled as to why the Google ad showed 'GIMP.org' as the destination domain in the first place, when the ad actually took users to the fake 'gilimp.org' site.
Google lets publishers create ads with two different URLs: a display URL to be shown in the ad, and a landing URL where the user will actually be taken to.
The two need not be the same, but there are strict policies around what is permitted when it comes to display URLs, and these need to use the same domain as the landing URL. "Advertisers use a landing page URL to send people to a specific area of their website," explains Google.
"Your ads' URLs should give customers a clear idea of what page they'll arrive at when they click on an ad. For this reason, Google's policy is that both display and landing page URLs should be within the same website. This means that the display URL in your ad needs to match the domain that visitors land on when they click on your ad.".