Cybersecurity researchers have uncovered a new malvertising campaign targeting Google Ads users. The threat actor behind this campaign creates fraudulent ads that impersonate Google Ads, which when clicked, redirect victims to fake login pages. These phishing sites are designed to capture user credentials and two-factor authentication (2FA) codes, which are then exfiltrated to an attacker-controlled server. The campaign has been active since at least mid-November 2024, and researchers believe the ultimate goal is to hijack Google Ads accounts, enabling the attackers to run their own ads and sell stolen credentials on underground forums.
The threat actors exploit a vulnerability in Google Ads’ policy
The threat actors exploit a vulnerability in Google Ads’ policy, which does not require the final URL of an ad to match the displayed URL, as long as the domain is similar. This allows attackers to host intermediate landing pages on Google Sites while displaying legitimate URLs like ads.google.com in the ads. To conceal their malicious infrastructure, the attackers use techniques like fingerprinting, anti-bot traffic detection, CAPTCHA-inspired lures, cloaking, and obfuscation. These tactics ensure that their phishing sites evade detection and successfully steal sensitive information from unsuspecting victims.
Once the threat actor obtains the victim’s Google Ads account credentials, they sign in and add themselves as new administrators to the account. From there, they can use the compromised account’s spending budget to push their own fraudulent ads, further contributing to the scam. This cycle continues as more victims fall prey to these hijacked accounts. Malwarebytes researchers have indicated that this campaign is most likely carried out by a group of Portuguese-speaking individuals, with links to Brazil, and that the phishing infrastructure relies heavily on the use of the .pt domain.
Google has acknowledged the issue and stated that it is actively investigating the malicious ads campaign. While Google prohibits deceptive ads intended to steal information, its ad policies allow the use of fraudulent URLs in some cases, making it difficult to distinguish legitimate ads from fake ones. In response, Google has taken action by removing billions of fraudulent ads, suspending millions of accounts, and continuing to monitor its ad network for abuse. However, the lack of effective immediate action leaves users vulnerable to further attacks.
