Cybersecurity researchers have alerted to a new malvertising campaign that’s targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google.
“The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages,” Jérôme Segura, senior director of threat intelligence at Malwarebytes, said in a report shared with The Hacker News.
It’s suspected the end goal of the campaign is to reuse the stolen credentials to further perpetuate the campaigns, while also selling them to other criminal actors on underground forums. Based on posts shared on Reddit, Bluesky, and Google’s own support forums, the threat has been active since at least mid-November 2024.
The activity cluster is a lot similar to campaigns that leverage stealer malware to steal data related to Facebook advertising and business accounts in order to hijack them and use the accounts for push-out malvertising campaigns that further propagate the malware.
The newly identified campaign specifically singles out users who search for Google Ads on Google’s own search engine to serve bogus ads for Google Ads that, when clicked, redirect users to fraudulent sites hosted on Google Sites.
These sites then serve as landing pages to lead the visitors to external phishing sites that are designed to capture their credentials and two-factor authentication (2FA) codes via a WebSocket and exfiltrated to a remote server under the attacker’s control.
“The fake ads for Google Ads come from a variety of individuals and businesses (including a regional airport), in various locations,” Segura said. “Some of those accounts already had hundreds of other legitimate ads running.”
An ingenious aspect of the campaign is that it takes advantage of the fact that Google Ads does not require the final URL – the web page that users reach when they click on the ad – to be the same as the display URL, as long as the domains match.
This allows the threat actors to host their intermediate landing pages on sites.google[.]com while keeping the display URLs as ads.google[.]com. What’s more, the modus operandi entails the use of techniques like fingerprinting, anti-bot traffic detection, a CAPTCHA-inspired lure, cloaking, and obfuscation to conceal the phishing infrastructure.
Malwarebytes said the harvested credentials are subsequently abused to sign in to the victim’s Google Ads account, add a new administrator, and utilize their spending budgets for fake Google ads.
In other words, the threat actors are taking over Google Ads accounts to push their own ads in order to add new victims to a growing pool of hacked accounts that are used to perpetuate the scam further.
“There appears to be several individuals or groups behind these campaigns,” Segura said. “Notably, the majority of them are Portuguese speakers and likely operating out of Brazil. The phishing infrastructure relies on intermediary domains with the .pt top-level domain (TLD), indicative of Portugal.”
“This malicious ad activity does not violate Google’s ad rules. Threat actors are allowed to show fraudulent URLs in their ads, making them indistinguishable from legitimate sites. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored.”
The disclosure comes as Trend Micro revealed that attackers are using platforms such as YouTube and SoundCloud to distribute links to fake installers for pirated versions of popular software that ultimately lead to the deployment of various malware families such as Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer.
“Threat actors often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware and make detection and removal more difficult,” the company said. “Many malicious downloads are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection.”