{"id":1456,"date":"2025-01-19T16:42:38","date_gmt":"2025-01-19T23:42:38","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=1456"},"modified":"2025-01-19T16:42:42","modified_gmt":"2025-01-19T23:42:42","slug":"google-ads-heist-hackers-use-google-search-ads-to-steal-accounts-for-malvertising-scams","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2025\/01\/19\/google-ads-heist-hackers-use-google-search-ads-to-steal-accounts-for-malvertising-scams\/","title":{"rendered":"Google Ads Heist: Hackers use Google Search Ads to Steal Accounts for Malvertising Scams"},"content":{"rendered":"\n

Cybercriminals, including those of Portuguese origin operating out of Brazil, Asia-based threat actors using advertiser accounts from Hong Kong, and a threat actor group of Eastern Europeans, are using Google search advertisements to promote phishing sites that steal advertisers’ credentials for the Google Ads platform and utilize it to push out malvertising campaigns. 1<\/sup><\/p>\n\n\n\n

How are they using Google ads to steal accounts?<\/h4>\n\n\n\n

Attackers continuously run ads on Google Search impersonating Google Ads and put up sponsored results that redirect potential victims to fake login pages hosted on Google Sites that look identical to the official Google Ads homepage through which they are asked to log into their accounts.1<\/sup> The scheme consists of attackers stealing as many advertisers’ accounts via impersonating Google Ads and redirecting victims to fake login pages.1,2<\/sup><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image 1 – A malicious ad masquerading as Google Ads itself [4]<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image 2 – Fake advertiser not affiliated with Google [4]<\/em><\/p>\n\n\n\n

Based on reports, these stolen credentials will be reused to perpetuate the campaigns further, while simultaneously selling this information to other criminal actors on underground forums.1<\/sup> By leveraging stealer malware to steal data, similar to Facebook advertising and business accounts, attackers can hijack them and use these same accounts for push-out malvertising campaigns that further propagate the malware by redirecting users to fraudulent sites hosted on Google Sites that already have hundreds of legitimate ads running.1,2<\/sup> Using strategic social engineering techniques, these sites then serve as a landing page to lead the visitors to external phishing sites designed to capture their credentials and two-factor authentication codes via a WebSocket. This information is then exfiltrated to a remote server under the attacker’s control. This threat has been active since mid-November of 2024. 1,2<\/sup><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image 3 – Attack flow illustrating the high-level mechanism by which advertisers get attacked (Malwarebytes Labs) [1]<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image 4 – Accounts on Fake Google Ads [1]<\/em><\/p>\n\n\n\n

Attackers further took advantage of the fact that Google Ads does not require the final URL to be identical to the display URL as long as the domains are matched.1,4<\/sup> This allowed the threat actors to host their intermediate landing pages on sites.google[.]com while keeping the display URLs as ads.google[.]com. 4<\/sup><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image 5 – Gateway pages hosted by Google Sites via complete impersonation [4]<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image 6 – The same root domain used to mask malicious websites [4]<\/em><\/p>\n\n\n\n

Once the victims click the ‘Start now’, users are directed to a different site containing the phishing kit. Through this process, JavaScript code fingerprints users to ensure all important information is collected. 4 <\/sup><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image 7 – Phishing procedures <\/em>[4]<\/p>\n\n\n\n

All the information gathered is then sent to the remote server via a POST request where the attackers receive all information including the victim’s geolocation, city, and internet service provider. 4<\/sup><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Image 8 – POST Web request with all gathered details of the victim [4]<\/em><\/p>\n\n\n\n

In addition to this, techniques including fingerprinting, anti-bot traffic detection, and even a CAPTCHA-inspired lure were integrated to conceal the phishing infrastructures embedded within. 1,2<\/sup><\/p>\n\n\n\n

in 2023, Google blocked or removed 206.5 million advertisements for violating its Misrepresentation Policy along with over 3.4 billion ads, restricted over 5.7 billion, and suspended over 5.6 million advertiser accounts.1<\/sup> In an interview conducted, a Google spokesperson says “We expressly prohibit ads that aim to deceive people to steal their information or scam their team. Our teams are actively investigating this issue and working quickly to address it.” 1,2<\/sup><\/p>\n\n\n\n

This marks a new extreme where such tactics lead to coned pages designed to steal login credentials and bypass 2FA codes in the process. 1,2<\/sup> Various online reports of people who identified these fake ads shared their experiences: 4<\/sup><\/p>\n\n\n\n