Google Ads Heist: Hackers use Google Search Ads to Steal Accounts for Malvertising Scams

Cybercriminals, including those of Portuguese origin operating out of Brazil, Asia-based threat actors using advertiser accounts from Hong Kong, and a threat actor group of Eastern Europeans, are using Google search advertisements to promote phishing sites that steal advertisers’ credentials for the Google Ads platform and utilize it to push out malvertising campaigns. ¹

How are they using Google ads to steal accounts?

Attackers continuously run ads on Google Search impersonating Google Ads and put up sponsored results that redirect potential victims to fake login pages hosted on Google Sites that look identical to the official Google Ads homepage through which they are asked to log into their accounts.¹ The scheme consists of attackers stealing as many advertisers’ accounts via impersonating Google Ads and redirecting victims to fake login pages.^1,2

Image 1 – A malicious ad masquerading as Google Ads itself [4]

Image 2 – Fake advertiser not affiliated with Google [4]

Based on reports, these stolen credentials will be reused to perpetuate the campaigns further, while simultaneously selling this information to other criminal actors on underground forums.¹ By leveraging stealer malware to steal data, similar to Facebook advertising and business accounts, attackers can hijack them and use these same accounts for push-out malvertising campaigns that further propagate the malware by redirecting users to fraudulent sites hosted on Google Sites that already have hundreds of legitimate ads running.^1,2 Using strategic social engineering techniques, these sites then serve as a landing page to lead the visitors to external phishing sites designed to capture their credentials and two-factor authentication codes via a WebSocket. This information is then exfiltrated to a remote server under the attacker’s control. This threat has been active since mid-November of 2024. ^1,2

Image 3 – Attack flow illustrating the high-level mechanism by which advertisers get attacked (Malwarebytes Labs) [1]

Image 4 – Accounts on Fake Google Ads [1]

Attackers further took advantage of the fact that Google Ads does not require the final URL to be identical to the display URL as long as the domains are matched.^1,4 This allowed the threat actors to host their intermediate landing pages on sites.google[.]com while keeping the display URLs as ads.google[.]com. ⁴

Image 5 – Gateway pages hosted by Google Sites via complete impersonation [4]

Image 6 – The same root domain used to mask malicious websites [4]

Once the victims click the ‘Start now’, users are directed to a different site containing the phishing kit. Through this process, JavaScript code fingerprints users to ensure all important information is collected. ⁴

Image 7 – Phishing procedures [4]

All the information gathered is then sent to the remote server via a POST request where the attackers receive all information including the victim’s geolocation, city, and internet service provider. ⁴

Image 8 – POST Web request with all gathered details of the victim [4]

In addition to this, techniques including fingerprinting, anti-bot traffic detection, and even a CAPTCHA-inspired lure were integrated to conceal the phishing infrastructures embedded within. ^1,2

in 2023, Google blocked or removed 206.5 million advertisements for violating its Misrepresentation Policy along with over 3.4 billion ads, restricted over 5.7 billion, and suspended over 5.6 million advertiser accounts.¹ In an interview conducted, a Google spokesperson says “We expressly prohibit ads that aim to deceive people to steal their information or scam their team. Our teams are actively investigating this issue and working quickly to address it.” ^1,2

This marks a new extreme where such tactics lead to coned pages designed to steal login credentials and bypass 2FA codes in the process. ^1,2 Various online reports of people who identified these fake ads shared their experiences: ⁴

• Help with removing a dangerous scam in Google Ads (Google Ads Help forum)
• Google Ads Phishing Scam (Reddit)
• It’s just me or Google just sponsored a link to a phising site for Google ads? (Reddit)
• Be aware of fake google page, clicked by accident (Reddit)
• Warning! First sponsorized google answer for “Google ads” is a phishing attempt ! (BlueSky)

Whether the money is spent towards legitimate ads or malicious ones, Google still earns the revenue leaving the victims at a loss of both money and personal information. ⁴ Despite Google’s policies stating “If we find violations of this policy, we will suspend your Google Ads accounts upon detection and without prior warning, and you will not be allowed to advertise with us again”, Google has yet to demonstrate taking corrective actions to freeze accounts until their security is restored. ^4,6 Recently, an advertiser who had been reported over 30 times remains to be active. See this article for more information on this case – https://www.malwarebytes.com/blog/scams/2024/12/repeat-offenders-drive-bulk-of-tech-support-scams-via-google-ads. ⁴

How do threat actors bypass 2FA?

Of the various ways through which attackers gain access to 2FA codes, three prominent methods that hackers could use within Google Ads are explained below and include:

(1) Social engineering and phishing: Social engineering tactics may occur via email, text phishing, or even voice phishing where the threat actor may pose as a trustworthy or authoritative figure asking for a code sent to your device. This method of phishing can be used to easily gain access to 2FA codes.³

(2) Reset Password Tactics: This common tactic occurs when a threat actor simply asks for a reset password for their target. Given that many websites do not have a second layer of protection or verification for their 2FA password resets, threat actors can directly access the accounts.³

(3) SIM Swap: SIM jacking is one of the popular methods for threat actors to get their hands on 2FA codes where the actor hijacks a SIM card and poses as the owner associated with the SIM Card. ³

What preventative measures can be taken to strengthen MFA?

• Avoid the use of short OTPs and instead opt for longer alphanumeric combinations that are much harder to crack ⁵
• Use biometric authentication as at least one factor of authentication ⁵
• Avoid SMS-based authentication factors where possible ⁵
• Restrict the use of unsanctioned applications, this is where threat actors plant malware to hijack your devices ⁵
• Monitor your attack surface as cybercriminals can exploit external vulnerabilities such as poor network security ⁵

Bibliography

[1] https://thehackernews.com/2025/01/google-ads-users-targeted-in.html

[2] https://www.bleepingcomputer.com/news/security/hackers-use-google-search-ads-to-steal-google-ads-accounts

[3] https://www.mitnicksecurity.com/blog/bypass-2fa

[4] https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads

[5] https://www.upguard.com/blog/how-hackers-can-bypass-mfa

[6] https://support.google.com/adspolicy/answer/6020955