Google Ads Attacked by Malvertising Scam: Secure Login Credentials

AVP SUITE

January 20, 2025

7 mins



Cybersecurity researchers have raised alarms about a cunning new malvertising campaign targeting individuals and businesses using Google Ads. The attack aims to steal advertiser credentials through fraudulent ads and phishing pages, putting accounts and budgets at risk.

Let’s take a closer look at how it works.

 

Table of Contents

Phishing for Google Ads Credentials

How the Campaign Works

Who’s Behind the Attack?

Google Responds to the Threat

A Broader Cyber Threat Landscape

How to Stay Vigilant

How to Protect Your Digital Identity and Login Credentials

How AVP Suite Protects Your Digital Identity and Login Credentials

 

Phishing for Google Ads Credentials

According to Jérôme Segura, senior director of threat intelligence at Malwarebytes, the campaign’s goal is clear: “The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages.” These stolen credentials are likely being used to launch further malicious campaigns and sold to other cybercriminals on underground forums.

Reports on platforms like Reddit, Bluesky, and Google’s support forums indicate the campaign has been active since at least mid-November 2024.

The attack is eerily similar to earlier campaigns involving stealer malware, which targeted Facebook business accounts for malvertising. However, this campaign specifically exploits users searching for Google Ads on Google’s search engine. When users click on the fraudulent ads, they are redirected to fake landing pages hosted on Google Sites. These pages then lead to phishing sites designed to steal credentials and two-factor authentication (2FA) codes via WebSocket technology, transmitting the data to remote servers controlled by the attackers.

How the Campaign Works

A particularly ingenious aspect of this campaign lies in its exploitation of Google Ads policies. Google does not require the final URL of an ad to match the display URL, as long as the domains align. This loophole allows the attackers to host phishing pages on Google’s own domain, sites.google.com, while showing a legitimate-looking display URL like ads.google.com.
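The display-URL/final-URL gap described above is something an ad-review or brand-monitoring pipeline can check for mechanically: compare the two hosts exactly rather than at the parent-domain level, and flag final URLs that land on a user-content host. The Python below is an added example, not code from the article or from AVP Suite; the sample ad records, the user-content host list and the two-label domain heuristic are assumptions made for the illustration.

```python
"""Flag ads whose display URL host differs from the final URL host even when
the two share a parent domain, and flag final URLs on user-content hosts.
Added example; the ad records and host list are constructed, not real data."""
from urllib.parse import urlsplit

# Constructed list of hosts where anyone can publish a page under a trusted
# parent domain. The article names sites.google.com as the one abused here.
USER_CONTENT_HOSTS = {"sites.google.com"}


def host_of(url: str) -> str:
    """Lowercase host of a URL. Display URLs often come without a scheme."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: good enough for .com; a
    production check would consult the public-suffix list instead."""
    return ".".join(host.split(".")[-2:])


def review_ad(display_url: str, final_url: str) -> list[str]:
    """Return findings for one ad; an empty list means nothing looked off."""
    d_host, f_host = host_of(display_url), host_of(final_url)
    findings = []
    if registrable_domain(d_host) != registrable_domain(f_host):
        findings.append("domain-mismatch")
    elif d_host != f_host:
        # Same parent domain, different host: the loophole the article describes.
        findings.append("host-mismatch")
    if f_host in USER_CONTENT_HOSTS:
        findings.append("user-content-host")
    return findings


if __name__ == "__main__":
    # Constructed sample ads: (display URL shown to the user, final URL)
    sample_ads = [
        ("ads.google.com", "https://ads.google.com/home/"),
        ("ads.google.com", "https://sites.google.com/view/PLACEHOLDER-PATH"),
        ("ads.google.com", "https://phish.example/login"),
    ]
    for display, final in sample_ads:
        print(f"{display} -> {final}: {review_ad(display, final) or ['ok']}")
```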

The attackers enhance their phishing infrastructure using advanced techniques such as:

  • Fingerprinting to identify specific user devices.
  • Anti-bot traffic detection to evade automated scans.
  • Cloaking and obfuscation to conceal their malicious activities.
  • A CAPTCHA-inspired lure to add a layer of credibility.

Once the credentials are stolen, the attackers exploit them to gain access to Google Ads accounts, add new administrators, and manipulate the victim’s budget to push their own fraudulent ads. This creates a vicious cycle, with hacked accounts being used to target new victims.

Who’s Behind the Attack?

Segura noted that the campaign appears to involve multiple threat actors, most of whom are Portuguese speakers likely operating out of Brazil. Supporting this theory, the phishing infrastructure relies on intermediary domains using the .pt top-level domain, which is indicative of Portugal.

Disturbingly, this activity doesn’t technically violate Google Ads rules. Segura explained, “Threat actors are allowed to show fraudulent URLs in their ads, making them indistinguishable from legitimate sites.” Google has yet to show that it takes definitive action, such as suspending compromised accounts until their security is restored.

 


 

Google Responds to the Threat

In response to the alarming revelations, a Google spokesperson issued a statement: “We expressly prohibit ads that aim to deceive people in order to steal their information or scam them. Our teams are actively investigating this issue and working quickly to address it.”

Google emphasized its ongoing efforts to monitor the ads network, enforce its policies, and penalize advertisers who conceal or misrepresent information. In 2023 alone, Google removed over 3.4 billion ads, restricted 5.7 billion ads, and suspended 5.6 million advertiser accounts. Of these, 206.5 million ads were blocked for violating the Misrepresentation Policy.

A Broader Cyber Threat Landscape

This revelation comes alongside another report from Trend Micro, which highlights how attackers are leveraging platforms like YouTube and SoundCloud to spread links to fake installers for pirated software. These installers deploy various malware families, including Amadey, Lumma Stealer, Mars Stealer, and Vidar Stealer.

Trend Micro noted that these malware campaigns often use reputable file-hosting services like Mediafire and Mega.nz to evade detection. “Threat actors often use reputable file hosting services… to conceal the origin of their malware and make detection and removal more difficult,” the company stated. Many malicious files are password-protected or encoded, complicating analysis and enabling the malware to evade early detection.

 


 

How to Stay Vigilant

This latest malvertising campaign serves as a stark reminder of the growing sophistication of cyber threats. Businesses and individuals relying on Google Ads should remain vigilant, verify the authenticity of any emails or ads related to their accounts, and implement robust security measures like strong passwords and 2FA.

While Google has pledged to address the issue, this campaign underscores the need for enhanced monitoring and stricter ad policies to prevent such attacks in the future. Until then, the best defense remains awareness and caution.

 


 

How to Protect Your Digital Identity and Login Credentials

Let’s see how you can secure your digital identity and login credentials:

  • Beware of Phishing Scams

      • Stay alert to emails or messages that look legitimate but are designed to steal your personal data.
      • Don’t click on suspicious hyperlinks or share login credentials without verifying the source.
  • Use Strong Passwords

      • Create unique, complex passwords with uppercase, lowercase, numbers, and special characters.
      • Never reuse the same password across multiple accounts, to minimize risk.
  • Enable Two-Factor Authentication (2FA)

      • Add a further layer of security with 2FA, which requires a secondary verification step, such as a code sent by text or email.
  • Avoid Malicious Websites

      • Don’t download files or software from unsafe websites; they may contain malware.
      • Use tools such as AVP Antivirus Software to block access to dangerous websites automatically.
  • Invest in Cybersecurity Solutions and Educate Yourself

      • Choose comprehensive protection such as AVP Total Security, which offers malware removal, phishing protection, and real-time monitoring for online fraud prevention, and stay informed about emerging cyber threats.
  • Update Your Devices Regularly

      • Install the latest updates for your operating systems and applications to stay ahead of cybersecurity threats.

Pro Tip: Protect your digital world with AVP Total Security—your ultimate defense against malware, phishing, and cyber threats!

 


 

How AVP Suite Protects Your Digital Identity and Login Credentials

  • Comprehensive Malware and Ransomware Protection

  • Dark Web Monitoring

  • Credit Card Fraud Prevention

      • Provides advanced online fraud protection to prevent unauthorized transactions and ensure identity and credit protection.
  • Anti-Tracking and VPN

      • Keeps your online activities private by blocking malicious websites and preventing trackers from collecting your personal data.
  • Password Manager for Login Security

      • Stores and encrypts all your passwords securely, helping you easily manage complex passwords for improved data privacy.
  • Phishing and Online Data Security

      • Detects phishing attacks and blocks malicious links to prevent data breaches and protect your login credentials.
  • Real-Time Cybersecurity Defense

      • Monitors cybersecurity threats and data security threats, providing proactive protection against evolving online risks.
  • Fraud Protection for Peace of Mind

      • Offers identity theft and credit fraud monitoring to shield your personal identity and financial assets from cybercriminals.

So, elevate your digital security with AVP Total Security—the ultimate solution for malware removal, data protection, and online safety. 

Stay safe, stay private!

