Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes
Summary:
A new malvertising campaign is underway targeting individuals and businesses that use Google Ads for advertising. According to researchers at Malwarebytes, the scheme involves impersonating Google Ads to direct victims to fake login pages in an effort to capture as many advertiser accounts as possible. These accounts can be either sold on cybercriminal forums or used to perpetuate further attacks.
This new campaign closely resembles tactics used in malware-driven attacks that target Facebook advertising and business accounts to hijack them for malicious purposes, including distributing further malware through push-out ads. In this case, actors are specifically targeting users who search for Google Ads on Google’s search engine, presenting fake Google Ads that redirect to fraudulent sites hosted on Google Sites. These sites then serve as landing pages, directing users to external phishing sites designed to steal login credentials and two-factor authentication (2FA) codes via a WebSocket, which are then exfiltrated to a remote server controlled by the attackers.
Security Officer Comments:
A notable aspect of this campaign is that it takes advantage of the fact that Google Ads allows the display URL and the final URL to differ, as long as the domains match. This enables attackers to host intermediate landing pages on sites.google[.]com while displaying ads with URLs like ads.google[.]com. Actors are also employing various techniques such as fingerprinting, anti-bot measures, CAPTCHA-like lures, cloaking, and obfuscation to hide their phishing infrastructure. Once credentials are stolen, the attackers can then use them to access the victim's Google Ads account, add a new administrator, and further misuse the account’s budget to launch fraudulent ads. Essentially, actors are able to hijack Google Ads accounts to run their own ads, expanding the pool of compromised accounts to fuel the scam even further.
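The display-URL rule described above can be checked from the defender's side: a domain-level match is satisfied by any host under google.com, including one where anyone can publish pages. The following is an added example, not code from Malwarebytes or this brief; it assumes a naive last-two-labels registrable domain and a one-entry list of user-content hosts, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Hosts where anyone can publish pages under a trusted parent domain.
# Only sites.google.com comes from the report; the list itself is an assumption.
USER_CONTENT_HOSTS = {"sites.google.com"}


def host_of(url: str) -> str:
    """Return the lowercase hostname, accepting defanged '[.]' notation."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Naive last-two-labels approximation (assumption: no multi-label
    public suffixes such as co.uk; use the Public Suffix List in production)."""
    return ".".join(host.split(".")[-2:])


def classify_ad(display_url: str, final_url: str) -> str:
    """Compare an ad's display URL with the URL the click actually lands on."""
    d, f = host_of(display_url), host_of(final_url)
    if not d or not f:
        return "unparseable"
    if d == f:
        return "same-host"
    if registrable_domain(d) != registrable_domain(f):
        return "domain-mismatch"
    # Domains match, so a domain-level rule is satisfied; the host still differs.
    if f in USER_CONTENT_HOSTS:
        return "same-domain-user-content"
    return "same-domain-other-host"


# Constructed samples (display URL, final URL); paths are placeholders.
SAMPLES = [
    ("ads.google[.]com", "https://ads.google.com/home/"),
    ("ads.google[.]com", "https://sites.google[.]com/view/placeholder-page"),
    ("ads.google[.]com", "https://support.google.com/google-ads/"),
    ("ads.google[.]com", "https://phish.example/login"),
]


def review(samples=SAMPLES):
    """Return (display, final, verdict) for each sample pair."""
    return [(d, f, classify_ad(d, f)) for d, f in samples]


if __name__ == "__main__":
    for display, final, verdict in review():
        print(f"{verdict:26} {display} -> {final}")
```

The second sample is the case the brief describes: the domains match, yet the landing host is a user-content service rather than the host shown in the ad.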
Suggested Corrections:
Individuals and businesses should enable 2FA for Google Ads accounts and regularly monitor account activity for unusual behavior. Additionally, users should be cautious of suspicious ads and avoid clicking on any links that redirect to unfamiliar or seemingly unusual domains. Malwarebytes has provided a list of fake Google Sites pages as well as phishing domains observed in the latest campaign, which can be accessed below:
https://www.malwarebytes.com/blog/n...nsack-advertiser-accounts-via-fake-google-ads
Link(s):
https://thehackernews.com/2025/01/google-ads-users-targeted-in.html