Criminals Exploit Advertiser Accounts Through Fake Google Ads


Summary
Researchers have recently discovered that cybercriminals are targeting individuals and businesses that advertise through Google Ads, phishing for their credentials with fraudulent ads. The scheme involves impersonating Google Ads, redirecting victims to fake login pages, and stealing advertiser accounts. The stolen accounts are likely resold on blackhat forums, while the attackers retain some to continue these campaigns.
Technical Detail
Advertisers constantly compete to outbid each other for ad space on the world's leading search engine. Researchers initially stumbled upon suspicious activity linked to Google accounts, and a closer investigation revealed it was tied to malicious ads promoting Google Ads itself.
Clicking the 3-dot menu to view more information about the advertiser displayed the name of a victim, revealing that the advertiser was not Google. Instead, it was one of the many compromised accounts being exploited to deceive additional users.
When victims click on these fraudulent ads, they are redirected to a page resembling the Google Ads homepage but oddly hosted on Google Sites. These pages serve as gateways to external websites crafted to steal the usernames and passwords of targeted advertisers' Google accounts.
After victims click the “Start now” button on the Google Sites page, they are redirected to another site containing a phishing kit. JavaScript code fingerprints users as they proceed through each step, ensuring that all critical data is covertly collected.
Finally, all the data, including the username and password, is combined and sent to a remote server via a POST request. Researchers have observed that the criminals also receive the victim's geolocation, pinpointing the city and internet service provider.
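A defender can look for this chain in web proxy logs. The following is an added example, not code from the researchers or the original article: it flags a client that leaves a Google Sites page for a non-Google host and then sends a POST to a non-Google host within a short window. The log format, host names, allow-list and five-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed proxy log (not from the article):
# time, client, method, host, path, referer host
SAMPLE_LOG = """\
2025-01-15T09:00:01 10.0.0.5 GET www.google.com /search -
2025-01-15T09:00:09 10.0.0.5 GET sites.google.com /view/constructed-ads-page www.google.com
2025-01-15T09:00:20 10.0.0.5 GET login.example.test /start sites.google.com
2025-01-15T09:00:48 10.0.0.5 POST collect.example.test /submit login.example.test
2025-01-15T09:05:00 10.0.0.7 GET sites.google.com /view/team-wiki -
2025-01-15T09:05:30 10.0.0.7 GET ads.google.com /home sites.google.com
2025-01-15T09:06:00 10.0.0.7 POST accounts.google.com /signin ads.google.com
"""

GOOGLE_SUFFIXES = ("google.com", "gstatic.com", "googleapis.com")  # assumed allow-list
WINDOW = timedelta(minutes=5)  # assumed correlation window

def is_google(host):
    # Exact match or true subdomain, so "notgoogle.com" does not pass.
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def parse(line):
    ts, client, method, host, path, referer = line.split()
    return datetime.fromisoformat(ts), client, method, host, path, referer

def find_suspect_chains(log_text):
    """Return (client, sites_path, offsite_host, post_host) per flagged chain:
    Google Sites page -> non-Google host -> POST to a non-Google host."""
    state = {}   # client -> last Google Sites visit and first off-site hop
    alerts = []
    for line in log_text.strip().splitlines():
        ts, client, method, host, path, referer = parse(line)
        s = state.get(client)
        if host == "sites.google.com" and method == "GET":
            state[client] = {"t": ts, "path": path, "offsite": None}
        elif s and ts - s["t"] <= WINDOW and not is_google(host):
            if s["offsite"] is None and referer == "sites.google.com":
                s["offsite"] = host          # left Google Sites for another site
            elif s["offsite"] and method == "POST":
                alerts.append((client, s["path"], s["offsite"], host))
                del state[client]
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_chains(SAMPLE_LOG):
        print("suspect chain:", alert)
```

A hit is a lead for triage rather than proof of phishing, since legitimate Google Sites pages also link to external forms.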
Researchers have identified two main groups of criminals running this scheme. The more prolific group consists of Portuguese speakers, likely operating from Brazil, while the other group is Chinese.
Conclusion
As fraudulent ads remain a growing threat, researchers advise users to be especially cautious with sponsored results. Ironically, individuals and businesses running ad campaigns often avoid using ad-blockers so that they can view their own ads and those of competitors, which makes them more vulnerable to these phishing schemes.
