FortiGuard Labs is aware of a report that the IcedID threat actor started to abuse Google pay per click (PPC) to distribute malware. Malicious ads displayed above search results lead to fake Web sites that mimic Web sites of the legitimate services. The fake Web sites offer a download link that leads to malicious installers that install IcedID to victims’ machines.Why is this Significant?This is significant because Google offers the largest search engine and ads in search results are seen by billions of people every day. The IcedID threat actor reportedly started to abuse Google search, which provides them a prominent platform for malware distribution. Also, the threat actor created fake Web sites that mimic Web sites of legitimate and popular services and applications to trick users into downloading and running malicious installers. How Does the Attack Work?When a search is made on Google, ads from the threat actor are displayed above an actual search result. Clicking the malicious ads redirect users to Web sites that that mimic Web sites of legitimate and popular services and applications. The fake Web sites have a link to download malicious installers that install IcedID to victims’ machines.What else?On December 21st, 2022, Federal Bureau of Investigation (FBI) released an advisory that cyber criminals are leveraging search engine advertisement services for malicious purposes. The advisory specifically calls out threat actors created fake crypto exchange platforms that users are lured into from ads on search results. The fake crypto exchange Web sites are designed to trick users into enter login credentials.What is the Status of Protection?FortiGuard Labs detect the Iced ID and relevant samples in the report with the following AV signature:W64/IcedId.F!trIcedID Command-and-Control servers and fake Web sites that distribute IcedID malware are blocked by Webfiltering.