Cybercriminals are now leveraging Google search advertisements to promote phishing sites designed to steal advertisers’ credentials for the Google Ads platform.
These malicious actors run deceptive ads that mimic legitimate Google Ads campaigns, luring victims into a well-crafted trap.
The scam begins with fake ads appearing as sponsored results on Google Search. These ads redirect unsuspecting users to phishing pages hosted on Google Sites, carefully designed to resemble the official Google Ads login page. By hosting phishing pages on Google Sites, attackers exploit the trust associated with Google’s domain (sites.google.com) to give their operation an air of legitimacy.
Jérôme Segura, Senior Director of Research at Malwarebytes, highlighted how attackers bypass Google’s domain-matching rules: “You cannot show a URL in an ad unless your landing page matches the same domain name. While this rule is meant to protect against abuse, attackers exploit it by hosting their phishing pages on sites.google.com, which shares the same root domain as ads.google.com. This makes their fake ads almost indistinguishable from legitimate ones.”
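As an added illustration that is not from the article or from Malwarebytes, the Python below contrasts the root-domain matching rule quoted above with a stricter exact-host check, run over constructed display/landing URL pairs; the two-label "registrable domain" logic is a simplification assumed for the example (a production check would consult the Public Suffix List).

```python
from urllib.parse import urlsplit


def hostname(url: str) -> str:
    """Lower-cased host of a URL; empty string if the URL has no scheme/host."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'sites.google.com' -> 'google.com'.
    Assumption for this example only; real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def root_domain_match(display_domain: str, landing_url: str) -> bool:
    """The permissive rule described in the quote: same root domain is enough."""
    return registrable_domain(hostname(landing_url)) == registrable_domain(display_domain)


def exact_host_match(display_domain: str, landing_url: str) -> bool:
    """Stricter rule: the landing host must equal the displayed domain exactly."""
    return hostname(landing_url) == display_domain.lower()


def review_landing(display_domain: str, landing_url: str) -> dict:
    """Verdicts an ad-review or URL-filtering step could log for one ad.
    'sibling_subdomain' is the pattern from the article: passes the root-domain
    rule while landing on a different host under the same root."""
    root_ok = root_domain_match(display_domain, landing_url)
    exact_ok = exact_host_match(display_domain, landing_url)
    return {
        "host": hostname(landing_url),
        "root_match": root_ok,
        "exact_match": exact_ok,
        "sibling_subdomain": root_ok and not exact_ok,
    }


if __name__ == "__main__":
    # Constructed sample pairs: displayed domain vs. actual landing URL.
    samples = [
        ("ads.google.com", "https://ads.google.com/home/"),
        ("ads.google.com", "https://sites.google.com/view/constructed-example"),
        ("ads.google.com", "https://ads-google.com/"),
    ]
    for display, landing in samples:
        print(display, "->", review_landing(display, landing))
```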
How the Scam Works
Victims who fall for these phishing schemes go through a multi-step attack flow:
- They enter their Google account credentials on the fake login page.
- The phishing kit captures sensitive data, including credentials, cookies, and unique identifiers.
- Victims often receive email alerts about suspicious logins, typically from unusual locations like Brazil.
- If they fail to act quickly, attackers add a new administrator to the victim’s Google Ads account via a separate Gmail address.
- The attackers then take control, lock out the original account owner, and use the stolen account to spend ad budgets recklessly or sell access on hacking forums.
Malwarebytes Labs has linked these operations to at least three cybercrime groups. These include Portuguese-speaking attackers likely based in Brazil, threat actors from Asia using advertiser accounts in Hong Kong or China, and a third group believed to be from Eastern Europe.
Google’s Response
When asked about these attacks, a Google spokesperson stated: “We expressly prohibit ads that deceive users to steal their information or scam them. Our teams are actively investigating this issue and working quickly to address it.” In 2023 alone, Google removed 206.5 million ads for violating its Misrepresentation Policy and suspended over 5.6 million advertiser accounts.
As phishing schemes continue to grow in sophistication, advertisers must remain vigilant. Using tools like multi-factor authentication (MFA) and regularly monitoring account activity can help mitigate the risks posed by these deceptive campaigns.
Bijay Pokharel