Cybersecurity researchers have reported that cybercriminals are using malvertising, the placement of malicious advertisements on legitimate ad networks, to steal Google Ads accounts. The targets are businesses that advertise through the Google Ads platform. The core of the attack is a phishing scheme: the attackers craft fraudulent advertisements that imitate Google Ads itself, and the landing pages they lead to mimic the legitimate Google Ads login interface.
These deceptive ads lure unsuspecting users into entering their Google Ads account credentials on phishing sites controlled by the attackers. With the stolen credentials, the attackers gain unauthorised access to the victim's Google Ads account, add new administrators to retain control, and misuse the account's advertising budget to run more fake ads, trapping further victims in the same scam.
Attackers can use these hijacked accounts to launch further malicious ad campaigns, potentially distributing malware or supporting other fraud. They are also likely to sell the stolen credentials to other cybercriminals, allowing those groups to expand their operations and inflict broader damage.
The newly identified campaign closely resembles previous attacks that used stealer malware to hijack Facebook advertising and business accounts to spread malvertising campaigns. In this case, the attackers specifically target users searching for Google Ads on Google’s search engine by displaying fake ads for Google Ads. When clicked, these ads redirect users to fraudulent sites hosted on Google Sites, which act as landing pages.
From there, visitors are led to external phishing sites that capture their login credentials and two-factor authentication (2FA) codes. This sensitive information is stolen using a WebSocket connection and exfiltrated to a remote server controlled by the attackers.
The fake ads originate from various compromised accounts, including individuals and legitimate businesses, some of which already had hundreds of legitimate ads running. This makes the fraudulent ads appear more credible and more challenging to detect.
The campaign exploits a loophole in Google Ads: the display URL and the final URL of an ad are allowed to differ as long as their domains match. This lets attackers host malicious landing pages on sites.google[.]com while showing ads.google[.]com as the display URL, so the ad appears to lead to Google's own advertising site. The attackers also use fingerprinting, anti-bot detection, CAPTCHA lures, cloaking, and obfuscation to hide their phishing setup from researchers and automated scanners. Evidence suggests that multiple groups are involved, mostly Portuguese speakers from Brazil, using .pt domains linked to Portugal for their phishing infrastructure.
Because the displayed URL is technically on the same domain as the real destination, the fraudulent ads are hard to distinguish from authentic ones. Reporting on the campaign notes that this tactic does not, on its own, violate Google's ad policies, and that Google has yet to take decisive action such as freezing compromised accounts until they are secured.
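The following is an added example (not code from the original article, from Google, or from the researchers cited) showing why the "domains must match" rule described above lets the ads through, and what a stricter check would flag. It assumes a simplified form of the rule: only the registrable domain (the last two labels of the hostname) has to agree between display and final URL. The list of user-publishable hosts is constructed for the example and is not an authoritative list.

```python
from urllib.parse import urlparse

# Hosts where anyone can publish content under a trusted parent domain.
# Constructed for this example; a real policy would maintain a fuller list.
USER_CONTENT_HOSTS = {
    "sites.google.com",
    "docs.google.com",
    "drive.google.com",
    "storage.googleapis.com",
}


def _host(url: str) -> str:
    """Lowercase hostname of a URL, or '' if the URL has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the hostname.

    This deliberately ignores public suffixes such as co.uk; it only needs
    to model the permissive rule the article describes.
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def domains_match(display_url: str, final_url: str) -> bool:
    """The permissive rule: display and final URL share a registrable domain.

    ads.google.com and sites.google.com both reduce to google.com, so this
    check passes for exactly the pair used in the campaign.
    """
    return registrable_domain(_host(display_url)) == registrable_domain(_host(final_url))


def flag_ad(display_url: str, final_url: str) -> list[str]:
    """Stricter review policy: return the reasons an ad pair should be held.

    An empty list means the pair is clean under this stricter policy.
    """
    display_host = _host(display_url)
    final_host = _host(final_url)
    reasons = []
    # Require the full hostname to agree, not just the registrable domain.
    if display_host != final_host:
        reasons.append("host mismatch")
    # A final URL on a host where anyone can publish is not "the brand's site".
    if final_host in USER_CONTENT_HOSTS:
        reasons.append("final URL on user-publishable host")
    if urlparse(final_url).scheme != "https":
        reasons.append("final URL not https")
    return reasons


if __name__ == "__main__":
    # Constructed ad pairs: the first mirrors the campaign, the second is benign.
    pairs = [
        ("https://ads.google.com", "https://sites.google.com/view/some-landing-page"),
        ("https://ads.google.com/home", "https://ads.google.com/home"),
    ]
    for display, final in pairs:
        print(display, "->", final)
        print("  passes domain-match rule:", domains_match(display, final))
        print("  stricter policy flags:", flag_ad(display, final) or "none")
```

Running the block shows the campaign's pair passing the domain-match rule while the stricter policy raises both a host mismatch and a user-publishable-host flag; the benign pair passes both. The design point is that "same domain" is the wrong granularity whenever a domain hosts third-party content, so a review policy has to reason about the host and what it serves, not just the registrable domain.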
In response, Google has stated that it strictly prohibits deceptive ads designed to steal user data and is actively investigating and addressing the issue. In 2023, Google removed 3.4 billion ads, restricted 5.7 billion, and suspended 5.6 million advertiser accounts, with 206.5 million ads blocked for violating its misrepresentation policy.
Separately, Trend Micro reported that attackers use YouTube and SoundCloud to spread links to fake installers for pirated software, which lead to malware infections. The malware families observed include Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer. The cybercriminals also host the payloads on reputable file-sharing services such as MediaFire and Mega.nz, often encrypting or password-protecting the archives to evade security scanning and delay analysis.
CyberShelter provides cybersecurity products and niche services to individuals and organisations against all kinds of cyber threats.