Google Ads Users Hit by Malvertising Phishing Scam

Google Ads users are the target of a sophisticated malvertising scam designed to steal credentials and bypass two-factor authentication (2FA). Cybersecurity researchers report that attackers are using fraudulent ads to redirect victims to phishing sites. These fake ads impersonate legitimate ads for Google Ads, tricking users into sharing sensitive account details.

The goal of the campaign is to hijack advertiser accounts and exploit them for further fraudulent ad campaigns. Some stolen accounts are also sold on underground forums. Reports suggest this malicious activity has been ongoing since at least November 2024, with attackers leveraging various deceptive techniques.

For example, users searching for “Google Ads” on Google may encounter bogus ads that lead to phishing sites. These sites capture login details and 2FA codes using techniques such as WebSockets. The stolen credentials are then used to infiltrate victim accounts, add new administrators, and push fake ads funded by the victims’ budgets.

An unusual aspect of the scam is the attackers’ use of Google Sites to host landing pages while maintaining legitimate-looking display URLs. The campaign employs sophisticated tools like CAPTCHA-inspired lures, fingerprinting, and anti-bot detection to conceal its operations.

Evidence points to multiple groups, possibly Portuguese-speaking individuals operating from Brazil. Many phishing domains in these scams use the “.pt” top-level domain, suggesting connections to Portugal.

Although Google prohibits deceptive ads, the company has faced criticism for not acting swiftly to suspend compromised accounts. While Google claims it removed over 3.4 billion ads and blocked millions of accounts in 2023, this campaign shows gaps in enforcement.

Attackers are also using other platforms, like YouTube and SoundCloud, to distribute malware via links to pirated software. These malware types include credential stealers like Amadey, Lumma Stealer, and Mars Stealer.

Preventive Measures

To avoid falling victim, users should verify the authenticity of ads before clicking. Always access Google Ads through official links. Implementing robust security practices, like enabling advanced phishing protection and monitoring account activity, can help. Educating employees about phishing tactics is equally crucial in preventing such scams.
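
The two points above (ads that keep a legitimate-looking display URL while the landing page sits on Google Sites, and verifying a link before signing in) can be turned into a check over click or proxy logs. This is an added example, not code from the researchers or from Google; the host allowlist, the click records and the `.example` hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts a genuine Google Ads sign-in should land on.
OFFICIAL_HOSTS = {"ads.google.com", "accounts.google.com"}
# Google Sites serves pages that anyone can publish under google.com.
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed (display URL, landing URL) pairs, e.g. from proxy or click logs.
SAMPLE_CLICKS = [
    ("https://ads.google.com/", "https://ads.google.com/home/"),
    ("https://ads.google.com/", "https://sites.google.com/view/constructed-page"),
    ("https://ads.google.com/", "https://ads.google.com@login-portal.example/"),
    ("https://ads.google.com/", "https://ads.google.com.login-portal.example/signin"),
]


def weak_check(url):
    """Parent-domain match: passes for any page hosted under google.com."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def classify_landing(url):
    """Exact-host match on the parsed hostname, HTTPS only."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "invalid"
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return "invalid"
    if host in OFFICIAL_HOSTS:
        return "official"
    if host in USER_CONTENT_HOSTS:
        return "user-hosted"
    return "foreign"


def flag_clicks(clicks):
    """Return (landing, verdict) where the ad showed an official host
    but the click landed somewhere else."""
    flagged = []
    for display, landing in clicks:
        verdict = classify_landing(landing)
        if classify_landing(display) == "official" and verdict != "official":
            flagged.append((landing, verdict))
    return flagged
```

Calling `flag_clicks(SAMPLE_CLICKS)` returns the three non-official landings. `weak_check` accepts the Google Sites one, which is why a parent-domain match is not enough and the comparison has to be on the exact parsed hostname.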