Google Ads Attacked by Malvertising Scam: Secure Login Credentials

AVP SUITE

January 17, 2025



Cybersecurity researchers have raised alarms about a cunning new malvertising campaign targeting individuals and businesses using Google Ads. The attack aims to steal advertiser credentials through fraudulent ads and phishing pages, putting accounts and budgets at risk.

Let’s take a closer look.

 

Table of Contents

Phishing for Google Ads Credentials

How the Campaign Works

Who’s Behind the Attack?

Google Responds to the Threat

A Broader Cyber Threat Landscape

How to Stay Vigilant

How to Protect Your Digital Identity and Login Credentials

How AVP Suite Protects Your Digital Identity and Login Credentials

 

Phishing for Google Ads Credentials

According to Jérôme Segura, senior director of threat intelligence at Malwarebytes, the campaign’s goal is clear: “The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages.” These stolen credentials are likely being used to launch further malicious campaigns and sold to other cybercriminals on underground forums.

Reports on platforms like Reddit, Bluesky, and Google’s support forums indicate the campaign has been active since at least mid-November 2024.

The attack is similar to earlier campaigns involving stealer malware, which targeted Facebook business accounts for malvertising. However, this campaign specifically targets users who search for Google Ads on Google’s search engine.

The pages redirect to phishing sites, which aim to steal credentials and two-factor authentication (2FA) codes by sending them over WebSocket to remote servers controlled by the attackers.

How the Campaign Works

A particularly crafty aspect of this campaign is that it uses Google Ads policies to its advantage. Google does not require the final URL for an ad to match the one the user sees, so long as the domains are aligned. This means the attackers could host their phishing pages on Google’s own domain, sites.google.com, while showing a legitimate display URL like ads.google.com.
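An added example (not from the article or from Google): a check a defender could run over click or proxy logs for the mismatch described above, where the ad shows ads.google.com but the click lands on sites.google.com. The host sets, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts where anyone can publish pages under a trusted parent
# domain. Only sites.google.com is named in the article.
USER_CONTENT_HOSTS = {"sites.google.com"}
# Assumption: the host the genuine Google Ads sign-in flow starts from.
EXPECTED_HOSTS = {"ads.google.com"}


def host_of(url):
    """Return the lowercase hostname; display URLs often lack a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def parent_domain(host):
    """Naive registrable domain (last two labels). This is enough for
    google.com; a production check should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def assess_ad(display_url, final_url):
    """Classify one ad click from the URL shown and the URL actually loaded."""
    shown, landed = host_of(display_url), host_of(final_url)
    if not landed:
        return "invalid"
    if landed in USER_CONTENT_HOSTS:
        # Same parent domain as the display URL, but the page content is
        # written by whoever created the site, not by the brand.
        return "user-content-host"
    if parent_domain(shown) != parent_domain(landed):
        return "domain-mismatch"
    if shown != landed and landed not in EXPECTED_HOSTS:
        return "host-mismatch"  # same domain, unexpected subdomain: review
    return "ok"


# Constructed sample clicks: (display URL, final URL). Not real indicators.
SAMPLE_CLICKS = [
    ("ads.google.com", "https://ads.google.com/home/"),
    ("ads.google.com", "https://sites.google.com/view/constructed-example"),
    ("ads.google.com", "https://ads.google.com@sites.google.com/view/x"),
    ("ads.google.com", "https://ads-google.example/login"),
]


def flagged(clicks):
    """Return (final_url, verdict) for every click that is not 'ok'."""
    results = [(final, assess_ad(shown, final)) for shown, final in clicks]
    return [(final, verdict) for final, verdict in results if verdict != "ok"]
```

A domain-level allowlist passes the second and third samples because both hosts sit under google.com; only the per-host comparison catches them.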

The attackers enhance their phishing infrastructure using advanced techniques such as:

  • Fingerprinting to identify specific user devices.
  • Anti-bot traffic detection to evade automated scans.
  • Cloaking and obfuscation to conceal their malicious activities.
  • A CAPTCHA-inspired lure to add a layer of credibility.

The attackers steal the credentials and use them to log into Google Ads accounts, adding new administrators and changing the victims’ budgets for their fraudulent ads. This vicious cycle leads to hacked accounts being used to target new ones.

Who’s Behind the Attack?

Segura commented that the campaign involved many threat actors, most of whom were Portuguese speakers likely operating out of Brazil. Supporting this theory, the phishing infrastructure uses intermediary domains with the .pt top-level domain, which indicates Portugal.

Disturbingly, this activity doesn’t technically violate Google Ads rules. Segura explained, “Threat actors are allowed to show fraudulent URLs in their ads, making them indistinguishable from legitimate sites.” Google has yet to take definitive action to suspend compromised accounts until their security is restored.

 


Google Responds to the Threat

In response to the alarming revelations, a Google spokesperson issued a statement:

“We expressly prohibit ads that aim to deceive people in order to steal their information or scam them. Our teams are actively investigating this issue and working quickly to address it.”

Google emphasized its ongoing efforts to monitor the ad network, enforce its policies, and penalize advertisers who conceal or misrepresent information. In 2023 alone, Google removed over 3.4 billion ads, restricted 5.7 billion ads, and suspended 5.6 million advertiser accounts. Of these, 206.5 million ads were blocked for violating the Misrepresentation Policy.

A Broader Cyber Threat Landscape

This revelation follows another report from Trend Micro, which describes how attackers spread links to fake installers for pirated software via platforms such as YouTube and SoundCloud.

Trend Micro noted that these malware campaigns often use reputable file-hosting services like Mediafire and Mega.nz to evade detection. “Threat actors often use reputable file hosting services… to conceal the origin of their malware and make detection and removal more difficult,” the company stated. Many malicious files are password-protected or encoded, complicating analysis and enabling the malware to evade early detection.

 


 

How to Stay Vigilant

This latest malvertising campaign is a stark reminder of the ever-evolving sophistication of cyber threats. Businesses and individuals using Google Ads should remain cautious, check the legitimacy of any emails or ads associated with their accounts, and apply security measures such as strong passwords and 2FA.

Although Google promises to investigate this issue, this campaign shows the need for better monitoring and stricter ad policies to avoid this kind of attack in the future. Until then, the best protection is awareness and caution.

 

How to Protect Your Digital Identity and Login Credentials

Let’s see how you can secure your digital identity and login credentials:

  • Beware of Phishing Scams
      • Stay alert to emails or messages that look valid but are designed to steal your personal data.
      • Don’t click on suspicious hyperlinks or share login credentials without verifying the source.
  • Use Strong Passwords
      • Create unique, complex passwords with uppercase and lowercase letters, numbers, and special characters.
      • Never reuse the same password across multiple accounts.
  • Enable Two-Factor Authentication (2FA)
      • 2FA adds a further layer of security, requiring a secondary verification step, such as a text or email code.
  • Avoid Malicious Websites
      • Never download files or software from unsafe websites, as they might contain malware.
      • Use resources such as AVP Antivirus Software that block dangerous websites by default.
  • Invest in Cybersecurity Solutions and Educate Yourself
      • Choose complete coverage like AVP Total Security, including malware removal, phishing protection, and real-time monitoring to prevent online fraud, and educate yourself about cyber threats.
  • Update Your Devices Regularly
      • Keep your operating system up to date and run the latest versions of your applications to protect yourself from cyber threats.

Pro Tip: Protect your digital world with AVP Total Security—your ultimate defense against malware, phishing, and cyber threats!


How AVP Suite Protects Your Digital Identity and Login Credentials

1. Comprehensive Malware and Ransomware Protection

  • AVP Suite provides 360-degree security, concentrating on virus protection that blocks malware, ransomware, and phishing infections, with the aim of securing your personal information.

2. Dark Web Monitoring

  • Dark Web Monitoring lets you know if any of your personal details, such as personal information, login credentials, or credit card numbers, are exposed on the dark web.

3. Credit Card Fraud Prevention

  • Credit Card Fraud Prevention defends your credit cards and finances by spotting fraudulent transactions, keeping your identity and credit history safe.

4. Anti-Tracking and VPN

  • Anti-Tracking and VPN aims to increase your online privacy by blocking malicious content from loading and limiting the mining of data about your online activity.

5. Password Manager for Login Security

  • Password Manager stores your passwords encrypted in one safe location. It is designed with your privacy as a central concern.

6. Phishing and Online Data Security

  • It works to spot and eliminate suspicious links, which helps save you from phishing attacks and keeps your login credentials safe.

7. Real-Time Cybersecurity Defense

  • It identifies emerging data security threats and works to defend you against online threats.

8. Fraud Protection for Peace of Mind

  • Fraud Protection protects your identity and financial assets from cyber threats, ensuring peace of mind.

So, elevate your digital security with AVP Total Security—the ultimate solution for malware removal, data protection, and online safety. 

Stay safe, stay private!
