
Google Ad for GIMP.org Was Sending Users to a Malware Site

Google Search was surfacing an ad for GIMP.org that actually led to a lookalike website using phishing to install malware.


GIMP is a very popular open source graphics editor that probably gets thousands of searches each day. However, up until a week ago, searching for GIMP would cause Google to surface an ad that seemed to lead to the official GIMP.org website. All good, but it seems that the ad was actually sending users to a lookalike website to deliver malware.

In a strange case of a malvertising campaign somehow infiltrating the largest ad network in the world, the GIMP lookalike website served as the base for the campaign, which attempted to fool users into installing a malicious Setup.exe.

Users thought they were installing a new GIMP tool on Windows, but they were really being served malware.

False domains have been spotted by users, including Reddit user ZachIngram04, and outlets like BleepingComputer. The attack method evolved over time. At first, users who clicked the ad were sent to a Dropbox URL where the malware was hosted.

However, the threat actor became more sophisticated and created a replica GIMP.org website.


Of course, the real question is how did this malvertising campaign end up on Google when the user was looking for GIMP? The ad was showing GIMP.org but sending users to the fake malware phishing site.

One theory is that the company allows publishers to build ads with two URL options. One is the display URL that shows in the ad, and the second is the landing URL where the user is sent.

These URLs can be different. However, Google uses best-in-class policies to restrict which URLs can be used. The company explains how this works in its official documentation:

“Your ads' URLs should give customers a clear idea of what page they'll arrive at when they click on an ad. For this reason, Google's policy is that both display and landing page URLs should be within the same website. This means that the display URL in your ad needs to match the domain that visitors land on when they click on your ad.”

None of that really explains how this issue was allowed to happen. Google has yet to offer any official comment, so maybe there is a bug in Google Ads.
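The display-versus-landing-URL rule quoted above can be checked mechanically by anyone reviewing ad click data or proxy logs. The following is an added example, not code from Google or from the reporting on this campaign: the function names, finding labels and the `.example` landing URLs are constructed for illustration, hosts are compared without a public-suffix list, and the punycode and userinfo checks go beyond the quoted policy.

```python
from urllib.parse import urlsplit

def _split(url: str):
    # Display URLs are usually shown without a scheme; add one so the host parses.
    return urlsplit(url if "://" in url else "https://" + url)

def ascii_host(url: str) -> str:
    """Host of a URL: lowercased, IDNA-encoded, no port, userinfo or 'www.'."""
    host = (_split(url).hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")  # Unicode labels become "xn--..."
    except UnicodeError:
        return ""  # unparseable host: reported as a mismatch below
    return host[4:] if host.startswith("www.") else host

def check_ad(display_url: str, landing_url: str) -> list[str]:
    """Return findings for one ad; an empty list means display and landing agree."""
    display, landing = ascii_host(display_url), ascii_host(landing_url)
    findings = []
    # Same site here means the same host or a subdomain of the display host.
    same_site = bool(landing) and (landing == display or landing.endswith("." + display))
    if not same_site:
        findings.append("host-mismatch")
        if landing.startswith(display + "."):
            findings.append("display-domain-used-as-prefix")
    if any(label.startswith("xn--") for label in landing.split(".")):
        findings.append("idn-label-in-landing-host")
    if _split(landing_url).username is not None:
        findings.append("userinfo-before-host")
    return findings

# Constructed sample pairs (display URL, landing URL); none are real indicators.
SAMPLES = [
    ("GIMP.org", "https://www.gimp.org/downloads/"),
    ("gimp.org", "https://download.gimp.org/pub/"),
    ("gimp.org", "https://file-host.example/s/Setup.exe"),
    ("gimp.org", "https://gimp.org.downloads.example/Setup.exe"),
    ("gimp.org", "https://g\u0456mp.example/"),  # Cyrillic letter in place of "i"
    ("gimp.org", "https://gimp.org@files.example/Setup.exe"),
]

if __name__ == "__main__":
    for display, landing in SAMPLES:
        print(display, "->", landing, check_ad(display, landing) or "ok")
```
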


Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.