January 17, 2025
7 mins
Cybersecurity researchers have raised alarms about a cunning new malvertising campaign targeting individuals and businesses using Google Ads. The attack aims to steal advertiser credentials through fraudulent ads and phishing pages, putting accounts and budgets at risk.
Let’s take a closer look.
Table of Contents
- Phishing for Google Ads Credentials
- How the Campaign Works
- Who’s Behind the Attack?
- Google Responds to the Threat
- A Broader Cyber Threat Landscape
- How to Stay Vigilant
- How to Protect Your Digital Identity and Login Credentials
- How AVP Suite Protects Your Digital Identity and Login Credentials
According to Jérôme Segura, senior director of threat intelligence at Malwarebytes, the campaign’s goal is clear: “The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages.” These stolen credentials are likely being used to launch further malicious campaigns and sold to other cybercriminals on underground forums.
Reports on platforms like Reddit, Bluesky, and Google’s support forums indicate the campaign has been active since at least mid-November 2024.
The attack resembles earlier campaigns that used stealer malware to take over Facebook business accounts for malvertising. This campaign, however, specifically targets users who search for “Google Ads” on Google’s own search engine.
The malicious ads redirect to phishing pages that capture credentials and two-factor authentication (2FA) codes and transmit them to attacker-controlled servers over WebSocket connections.
A particularly crafty aspect of this campaign is how it turns Google Ads policy to its advantage. Google does not require an ad’s final URL to match the display URL the user sees, as long as both belong to the same domain. This lets the attackers host their phishing pages on Google’s own domain, at sites.google.com, while showing a legitimate-looking display URL such as ads.google.com.
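The display-URL/final-URL loophole described above can be checked mechanically. The following is an added example (not code from Malwarebytes or Google): given the display URL a user sees and the final URL the ad actually lands on, it flags pairs whose hosts differ even though they share a registrable domain, and separately flags landing hosts that serve arbitrary user-uploaded content under a trusted brand. The `USER_CONTENT_HOSTS` list and the simplified “last two labels” domain heuristic are assumptions for the example; a production check should use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Hosts that serve user-uploaded content under a trusted brand's domain.
# Constructed starting list for this example; extend it for your environment.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}


def registrable_domain(host):
    """Simplified eTLD+1: the last two DNS labels.

    Assumption for this example only. Real code should consult the Public
    Suffix List (e.g. the tldextract package) so that hosts such as
    example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_of(url):
    # Display URLs in ads often omit the scheme; normalise so urlsplit parses the host.
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def assess_ad(display_url, final_url):
    """Compare what the user sees with where the click actually lands.

    Returns a dict with both hosts, a list of findings and a boolean verdict.
    Findings:
      registrable-domain-mismatch  - display and landing page are on different domains
      host-mismatch-same-domain    - same domain, different host (the policy loophole)
      user-content-host            - landing host lets anyone publish pages
    """
    display_host = _host_of(display_url)
    final_host = _host_of(final_url)
    findings = []
    if registrable_domain(display_host) != registrable_domain(final_host):
        findings.append("registrable-domain-mismatch")
    elif display_host != final_host:
        findings.append("host-mismatch-same-domain")
    if final_host in USER_CONTENT_HOSTS:
        findings.append("user-content-host")
    return {
        "display_host": display_host,
        "final_host": final_host,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed sample pairs illustrating the pattern from the article.
    for shown, landing in [
        ("ads.google.com", "https://sites.google.com/view/example-page"),
        ("https://ads.google.com/", "https://ads.google.com/intl/en/home/"),
    ]:
        print(shown, "->", landing, assess_ad(shown, landing))
```

The check is most useful on the defender side of the click: a proxy or browser extension that resolves the final URL before the page renders can compare it with the text the ad showed and warn the user when the landing host is a user-content service.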
The attackers enhance their phishing infrastructure using advanced techniques such as:
With the stolen credentials, the attackers log into the victims’ Google Ads accounts, add new administrators, and change the victims’ budgets to fund their own fraudulent ads. The result is a vicious cycle in which hijacked accounts are used to attack new ones.
Segura said the campaign involves many threat actors, most of them Portuguese speakers likely operating out of Brazil. Supporting this theory, the phishing infrastructure uses intermediary domains under the .pt top-level domain, which is associated with Portugal.
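The post-compromise actions just described (a new administrator appears, then the budget is changed) leave a trail in an account’s change history. As an added example, not part of the original article or of any Google tooling, the function below scans constructed change records in a Google Ads change-history-like shape and raises an alert when an admin is added or when a budget change is either a large spike or made by a recently added admin. The record field names, the 24-hour window and the 5x ratio are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data). Shape is an assumption modelled
# loosely on an account change history: who did what, when, and to what.
SAMPLE_CHANGES = [
    {"ts": "2024-11-20T09:02:00", "user": "owner@example.com",
     "action": "BUDGET_CHANGE", "old": 50.0, "new": 55.0},
    {"ts": "2024-11-21T03:14:00", "user": "owner@example.com",
     "action": "ADD_USER", "target": "new-admin@example.net", "role": "ADMIN"},
    {"ts": "2024-11-21T03:20:00", "user": "new-admin@example.net",
     "action": "BUDGET_CHANGE", "old": 55.0, "new": 2000.0},
]


def find_takeover_signals(changes, window=timedelta(hours=24), budget_ratio=5.0):
    """Return alerts for the admin-added-then-budget-raised pattern.

    An alert is raised for every ADMIN addition, and for every budget change
    that is either a spike (new/old >= budget_ratio) or performed by an
    account that was granted ADMIN within `window` of the change.
    """
    events = sorted(changes, key=lambda c: c["ts"])
    new_admins = {}  # email -> time the ADMIN role was granted
    alerts = []
    for c in events:
        t = datetime.fromisoformat(c["ts"])
        if c["action"] == "ADD_USER" and c.get("role") == "ADMIN":
            new_admins[c["target"]] = t
            alerts.append({"type": "admin-added", "ts": c["ts"],
                           "by": c["user"], "target": c["target"]})
        elif c["action"] == "BUDGET_CHANGE":
            old, new = c["old"], c["new"]
            spike = old > 0 and new / old >= budget_ratio
            granted_at = new_admins.get(c["user"])
            by_new_admin = granted_at is not None and t - granted_at <= window
            if spike or by_new_admin:
                alerts.append({"type": "budget-change", "ts": c["ts"],
                               "user": c["user"], "old": old, "new": new,
                               "spike": spike, "by_new_admin": by_new_admin})
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_signals(SAMPLE_CHANGES):
        print(alert)
```

Both thresholds are deliberately conservative; a real deployment would tune the ratio to the account’s normal spend and feed the alerts to whoever can revoke the added user and restore the budget.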
Disturbingly, this activity doesn’t technically violate Google Ads rules. Segura explained, “Threat actors are allowed to show fraudulent URLs in their ads, making them indistinguishable from legitimate sites.” Google has yet to demonstrate definitive action to suspend compromised accounts until their security is restored.
In response to the alarming revelations, a Google spokesperson issued a statement:
“We expressly prohibit ads that aim to deceive people in order to steal their information or scam them. Our teams are actively investigating this issue and working quickly to address it.”
Google emphasized its ongoing efforts to monitor the ad network, enforce its policies, and penalize advertisers who conceal or misrepresent information. In 2023 alone, Google removed over 3.4 billion ads, restricted 5.7 billion ads, and suspended 5.6 million advertiser accounts. Of these, 206.5 million ads were blocked for violating the Misrepresentation Policy.
This revelation follows a separate report from Trend Micro describing how attackers also spread links to fake installers for pirated software via platforms such as YouTube and SoundCloud.
Trend Micro noted that these malware campaigns often use reputable file-hosting services like Mediafire and Mega.nz to evade detection. “Threat actors often use reputable file hosting services… to conceal the origin of their malware and make detection and removal more difficult,” the company stated. Many malicious files are password-protected or encoded, complicating analysis and enabling the malware to evade early detection.
This latest malvertising campaign is a stark reminder of the ever-evolving sophistication of cyber threats. Businesses and individuals using Google Ads should remain cautious, verify the legitimacy of any emails or ads associated with their accounts, and apply strong security measures such as strong passwords and 2FA.
Although Google promises to investigate this issue, this campaign shows the need for better monitoring and stricter ad policies to avoid this kind of attack in the future. Until then, the best protection is awareness and caution.
Let’s see how you can secure your digital identity and login credentials:
Pro Tip: Protect your digital world with AVP Total Security—your ultimate defense against malware, phishing, and cyber threats!
So, elevate your digital security with AVP Total Security—the ultimate solution for malware removal, data protection, and online safety.
Stay safe, stay private!