Malvertising scams are on the rise, with cybercriminals using fake ads to steal login credentials. A recent report uncovered a campaign targeting Microsoft advertisers through fraudulent Google ads. These deceptive ads lead users to phishing sites designed to harvest sensitive information.
According to the report, attackers aim to trick users searching for “Microsoft Ads” on Google Search. The fake ads appear as sponsored results, directing victims to phishing pages that mimic Microsoft’s advertising platform.
How the Attack Works
The fraudulent pages look almost identical to the real Microsoft Ads login portal. Users enter their credentials, including two-factor authentication (2FA) codes, unknowingly handing them over to attackers. This allows criminals to take control of their accounts.
To avoid detection, hackers use advanced evasion techniques. For example, they redirect VPN traffic to a fake marketing website. They also use Cloudflare challenges to block bots and security tools. Strangely, users who try to access the fake site directly are rickrolled—redirected to a YouTube meme video.
Ongoing Phishing Campaigns
Researchers discovered that Microsoft accounts have been targeted for years. Additionally, there is evidence that similar tactics have been used against other advertising platforms like Meta. Many phishing sites in this campaign are hosted in Brazil, similar to previous scams focused on Google Ads users.
Meanwhile, a separate phishing operation is exploiting SMS scams. Attackers pose as the United States Postal Service (USPS) and send fake delivery failure notifications. Victims are asked to update their details by clicking a malicious PDF link, leading to a phishing page that steals personal and payment card information.
How to Stay Safe
To avoid falling victim to malvertising scams, users should be cautious when clicking on sponsored ads. Always double-check URLs before entering credentials. Additionally, enabling multi-factor authentication (MFA) can add extra protection against account takeovers. Organizations should also train employees to recognize phishing attempts and use security tools to detect suspicious activity.
