It turns out that cybercriminals are now taking advantage of Google’s own search ads to promote phishing sites that steal Google Ads account credentials. Talk about a twist, right?
How it works
Attackers are running fake ads on Google Search that mimic Google's own Ads promotions. These ads show up as sponsored results, and if you click on them, they redirect you to a phishing page. The page might look like the real Google Ads homepage, but it is a fake login page hosted on Google Sites. It is a clever way to trick people into entering their Google account information.
Once a victim enters their login info on the fake page, the attackers collect all kinds of data—cookies, credentials, and unique identifiers. From there, they might send the victim an alert about a suspicious login attempt (from a random country, like Brazil). If the victim doesn’t catch on and block the attacker, the criminals add a new admin to the Ads account, usually with a separate Gmail address. After that, the attacker can go on a spending spree, running up ad costs and possibly locking the victim out of their own account.
Why Google Ads?
Well, it’s because Google Sites lets attackers host pages on sites.google.com, a hostname that looks very similar to Google’s real Ads domain (ads.google.com). This makes the scam very hard to spot, as the page appears to be a legitimate Google page.
Jérôme Segura, Senior Director of Research at Malwarebytes, points out that while Google has rules to prevent URL mismatches in ads, attackers have found a loophole. Since the sites.google.com domain shares the same root as ads.google.com, the malicious ad technically doesn’t break any rules and can slip under the radar.
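To illustrate the loophole, here is an added example (not code from Malwarebytes, Google, or the original post) that compares an ad's display URL with its actual landing page: a check that only compares the registered domain lets ads.google.com versus sites.google.com pass, while a hostname comparison flags it. The URLs are constructed samples, and the registered-domain helper is a simplification that does not consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample pair: what the ad displays vs. where the click lands.
# The landing path is hypothetical, not a real page.
DISPLAY_URL = "https://ads.google.com/"
LANDING_URL = "https://sites.google.com/view/example-ads-login"

# Hosts where anyone can publish content under Google's root domain
# (the page names sites.google.com; extend as needed).
SHARED_HOSTING = {"sites.google.com"}

def hostname(url: str) -> str:
    """Lower-case hostname of a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()

def registered_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'google.com'.
    Simplification: a production check would use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify(display_url: str, landing_url: str) -> str:
    """'exact'     - same hostname
       'root-only' - same registered domain, different hostname
                     (passes a root-domain rule, but is still a mismatch)
       'mismatch'  - different registered domains"""
    shown, actual = hostname(display_url), hostname(landing_url)
    if shown == actual:
        return "exact"
    if registered_domain(shown) == registered_domain(actual):
        return "root-only"
    return "mismatch"

def review(display_url: str, landing_url: str) -> tuple[bool, list[str]]:
    """Defender-side review: suspicious if the hostnames differ at all,
    or if the landing host is a shared-hosting host anyone can publish on."""
    reasons = []
    verdict = classify(display_url, landing_url)
    if verdict != "exact":
        reasons.append(f"hostname differs from display URL ({verdict})")
    if hostname(landing_url) in SHARED_HOSTING:
        reasons.append("landing page is on user-publishable shared hosting")
    return (bool(reasons), reasons)

if __name__ == "__main__":
    print(classify(DISPLAY_URL, LANDING_URL), review(DISPLAY_URL, LANDING_URL))
```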
According to Malwarebytes, at least three cybercrime groups are behind this operation, including groups from Brazil, Hong Kong (or China), and Eastern Europe. Their end goal? To sell the stolen Ads accounts on hacking forums or use them in future phishing attacks.
This type of attack is incredibly dangerous because it targets the heart of Google’s business and can affect thousands of businesses worldwide. Malwarebytes has been tracking the campaign and reports that new incidents are still cropping up daily.
The Takeaway
Ironically, businesses and individuals running Google Ads campaigns might be more vulnerable to these scams because they often don’t use ad blockers, making it easier for the fake ads to slip through.
Google is aware of the issue and told BleepingComputer that they are actively investigating and working to address it. In fact, throughout 2023, Google blocked or removed over 200 million ads that violated its policies, including a massive number of ads promoting scams and phishing attempts.
So, if you’re running ads on Google, stay alert! It’s a reminder that even the most trusted platforms can be exploited by cybercriminals.
We hope you’ve liked this blog and that you’ll stick around to see our future releases. We cover everything from recent IT News to Knowledgebase articles. Thanks for reading!