Fake DeepSeek Ads Spread Malware to Google Users

/ DeepSeek / By

Popularity of the generative AI platform makes it an obvious choice for cybercriminals abusing Google-sponsored search results, according to researchers.

UPDATE

Fake DeepSeek ads in Google search results are delivering infostealing malware to unsuspecting users.

DeepSeek, a Chinese generative AI (GenAI) company, became a household name earlier this year when it released its first-generation reasoning models, DeepSeek-R1-Zero and DeepSeek-R1, to much fanfare. But the company quickly became a target of hackers and opportunistic cybercriminals that built social engineering schemes by spoofing the popular AI platform.

DeepSeek Brand Impersonation on Google Ads

Malwarebytes researchers recently spotted such a scam popping up in Google-sponsored search results. In a blog post on March 26, Pieter Arntz, malware intelligence researcher at Malwarebytes, said the fake ads aren’t particularly convincing, but the malicious links imitating DeepSeek’s site are.

When an unsuspecting user clicks on the download link on the malicious site, a Trojan programmed in Microsoft Intermediate Language (MSIL) is deployed. “The payload for the specific campaign we looked at in our blog post is the Heracles MSIL Trojan. Heracles is an information stealer that mostly seems to go after crypto wallets,” Jérôme Segura, Malwarebytes’ senior director of research, tells Dark Reading.

Segura says the origin of the Heracles infostealer is believed to be Russian.

Arntz highlighted several differences between legitimate Google ads and spoofed ones that could help users spot the threats, starting with the links themselves. For example, he noted that the fake DeepSeek ads contained a different URL than the company’s legitimate domain. Additionally, users can check the advertiser behind these sponsored links by clicking on the three vertical dots behind the URLs, which can show whether the advertiser is the legitimate brand owner or not.

But the strongest advice Arntz offered to users was to “not to click on sponsored search results. Ever.”

Ongoing Security Issues With Google Ads

Malwarebytes has previously flagged issues with fake Google sponsored results, including some that spoofed the tech giant’s own products. In the latest report, Arntz said Google is seemingly unable to crack down on the abuse.

“As we mentioned earlier, Google has demonstrated that it can’t keep fake ads out of its sponsored search results,” he wrote. “And apparently the success rate of these fake ads is high enough to allow the criminals to pay Google enough to outrank legitimate brands.”

Segura says Google search ads are being abused at a consistent pace over the last couple of years. “At times we see a surge tied to a specific campaign, but overall, brand impersonation remains an ongoing problem,” he says.

In Google’s “2023 Ads Safety Report” released last March, Duncan Lennox, vice president and general manager of Ads Privacy and Safety, wrote that the adoption of AI technology had improved the company’s ability to prevent or remove abuse. “In 2023, we blocked or removed over 5.5 billion ads, slightly up from the prior year, and suspended 12.7 million advertiser accounts, nearly double from the previous year,” he wrote.

However, Segura says cybercriminals continue to bait-and-switch users using a variety of techniques to abuse Google Ads features. “Whether they are creating fake accounts or using compromised ones, the consequences for creating malicious ads seem to be insufficient to halt their efforts.”

In a statement to Dark Reading, a Google spokesperson said the fake DeepSeek ads have been addressed. ““Prior to the publication of this report, our systems detected this malware campaign and we suspended the advertiser’s account. We expressly prohibit ads that aim to distribute malware and immediately suspend advertisers who violate this policy,” the spokesperson said.