Google Ads Malvertising Scam
Cybersecurity researchers have uncovered a new malvertising campaign targeting individuals and businesses that advertise via Google Ads. This scheme involves deceptive ads that impersonate Google Ads itself, luring victims into phishing traps designed to steal their credentials.
Aiming for Account Takeover
The attackers' primary goal is to hijack as many Google Ads accounts as possible. By redirecting victims to fake login pages, they steal credentials that could be reused to expand their campaigns. Additionally, these misappropriated accounts are likely being sold on underground forums. Reports on Reddit, Bluesky, and Google's support forums indicate that this activity has been ongoing since at least mid-November 2024.
Similarities to Facebook Business Account Tactics
The tactics used in this campaign closely resemble those employed in past attacks targeting Facebook business and advertising accounts. In those cases, cybercriminals deployed stealer malware to gain unauthorized access and use the hijacked accounts for fake advertising campaigns that further spread the malware.
Search Engine Exploitation and Redirect Tactics
The threat actors have designed their campaign to appear when users search for "Google Ads" on Google's search engine. Clicking on these fraudulent ads leads users to phishing sites hosted on Google Sites. These sites then direct visitors to external phishing pages that capture login credentials and Two-Factor Authentication (2FA) codes. The collected data is then transmitted via WebSocket to an outside server managed by the attackers.
Leveraging Google Ads' URL Policies
One key strategy enabling this attack is Google Ads' policy that allows the final URL (the destination page after clicking an ad) to be different from the display URL as long as the domains match. This loophole enables attackers to host intermediary phishing pages on Google Sites while displaying URLs that appear to be legitimate Google Ads links.
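As an added defender-side illustration (not code from the original article or from Google), the check below models the display/final URL rule just described and flags the pattern this campaign relies on: both hosts share a registrable domain, yet the final URL lands on a user-content host such as Google Sites while the display URL shows a different, brand-looking host. The list of user-content hosts, the sample ad records and the two-label domain approximation are all constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: Google-owned hosts that serve user-authored content.
# A hypothetical set used to illustrate the check, not an official list.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}

def hostname(url: str) -> str:
    """Extract a lowercase hostname; display URLs are often shown without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels ('ads.google.com' -> 'google.com').
    Simplification (assumption): ignores multi-label public suffixes such as 'co.uk'."""
    return ".".join(host.split(".")[-2:])

def assess_ad_urls(display_url: str, final_url: str) -> dict:
    """Classify a display/final URL pair.

    'policy_violation': registrable domains differ, so the pair fails the domain-match rule.
    'suspicious': domains match, but the final URL lands on a user-content host while the
                  display URL shows a different host: the intermediary-page pattern above.
    'ok': everything else.
    """
    display_host = hostname(display_url)
    final_host = hostname(final_url)
    domains_match = registrable_domain(display_host) == registrable_domain(final_host)
    final_is_user_content = final_host in USER_CONTENT_HOSTS
    if not domains_match:
        verdict = "policy_violation"
    elif final_is_user_content and display_host != final_host:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"display_host": display_host, "final_host": final_host,
            "domains_match": domains_match, "final_is_user_content": final_is_user_content,
            "verdict": verdict}

# Constructed sample ad records (hypothetical; not indicators from the campaign).
SAMPLE_ADS = [
    {"id": "ad-1", "display": "ads.google.com", "final": "https://ads.google.com/home/"},
    {"id": "ad-2", "display": "ads.google.com", "final": "https://sites.google.com/view/constructed-lure"},
    {"id": "ad-3", "display": "ads.google.com", "final": "https://example.invalid/login"},
]

def flag_ads(ads=SAMPLE_ADS) -> list:
    """Return the ids of ads whose verdict is not 'ok', for manual review."""
    return [ad["id"] for ad in ads if assess_ad_urls(ad["display"], ad["final"])["verdict"] != "ok"]
```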
Advanced Evasion Techniques
To evade detection, the attackers employ several techniques, including fingerprinting, anti-bot detection, cloaking, CAPTCHA-inspired lures, and obfuscation methods that conceal the true nature of their phishing infrastructure. These tactics help them bypass security measures and avoid being flagged by automated systems.
Weaponizing Compromised Accounts
Once an account is compromised, attackers log in, add a new administrator, and exploit the victim's ad budget to run fraudulent Google Ads. This allows them to expand their phishing operations further, creating a cycle where hijacked accounts are used to lure in even more victims.
Possible Links to Brazil-Based Threat Actors
Evidence suggests that multiple individuals or groups are behind these campaigns. Notably, many of them are Portuguese speakers and are likely operating out of Brazil. The phishing infrastructure uses intermediary domains under Portugal's .pt top-level domain (TLD), further supporting this hypothesis.
Google's Response to Fraudulent Advertisements
Google has acknowledged these malevolent campaigns and is actively monitoring its ad network to prevent abuse. The company enforces strict measures against deceptive advertisers who attempt to mislead users about their businesses, products, or services.
Billions of Advertisements Removed to Combat Threats
In 2023 alone, Google removed over 3.4 billion ads, restricted more than 5.7 billion advertisements, and suspended approximately 5.6 million advertiser accounts. Of these, 206.5 million ads were explicitly blocked for violating Google's Misrepresentation Policy. These figures highlight the ongoing battle against fraudulent advertising and Google's commitment to maintaining ad integrity.