Google

Threat actors are using Google Alerts to promote a fake Adobe Flash Player updater that installs other unwanted programs on unsuspecting users’ computers.

The threat actors create fake stories with titles containing popular keywords that Google Search then indexes. Once indexed, Google Alerts will alert people who are following those keywords.

When visiting the fake stories using a Google redirect link, as shown below, the visitor will be redirected to the threat actor’s malicious site.

Example Google Alerts link for a fake story

However, if you visit the fake story’s URL directly, the website will state that the page does not exist.

Page does not exist when directly visiting the URL
Page does not exist when directly visiting the URL

This past week, BleepingComputer has been monitoring fake stories being indexed by Google and pushed out by Google Alerts. These have been redirecting users to web pages pushing browser notification spam, unwanted extensions, or fake giveaways, like the Amazon one below.

Fake Amazon giveaway scam
Fake Amazon giveaway scam

Threat actors switch to a new campaign

This weekend, BleepingComputer observed the fake news stories redirecting to a new campaign that states your Flash Player is outdated and then prompts you to install an updater.

Website stating Flash Player needs to be updated
Website stating Flash Player needs to be updated

While Adobe Flash Player has reached the end of life and is no longer supported by any browsers, many people may not realize this and click on the ‘Update’ button thinking they are installing the latest update.

If a user clicks on the Update button, they will download a setup.msi file [VirusTotal] that installs a potentially unwanted program called ‘One Updater.’

One Update potentially unwanted program
The One Updater potentially unwanted program

Over time, One Updater will display updates that should be installed and offer potentially unwanted programs.

While we have not seen One Updater pushing anything malicious at this time, similar software in the past has installed password-stealing Trojans and cryptocurrency miners.

If you are redirected to a website, whether via Google Alerts, Google Search, or any other means and are prompted to install an extension or program update, simply close the browser.

Installing these programs typically leads to malicious activity or unwanted behavior that only benefits the application developers.