
Cybercriminals from Brazil and Asia are placing malicious ads on Google that impersonate the company's own Google Ads platform. Users are tricked into providing their login credentials, feeding a perpetual cycle that allows criminals to compromise and sell even more accounts.
Malwarebytes Labs discovered fraudulent ads on Google Search that pose as the legitimate Google Ads platform. For example, an unsuspecting advertiser could type “Google Ads” into the search bar. The malicious sponsored result would appear at the top and, when clicked, lead to a fake Google Ads login screen.
From here, mimicking the legitimate platform, hackers would collect user credentials and create rogue admin accounts.

“This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide,” Malwarebytes Labs researchers said.
They believe that the cybercrooks’ goal is to resell stolen accounts on blackhat forums while also keeping some for themselves to perpetuate their campaigns.
“Stolen Google Ads accounts are a valuable commodity among thieves.”

It is not obvious that the malicious ad doesn’t come from Google. Users can click on the three-dot menu, which reveals more information about the advertiser. Here, the advertiser will usually be marked as verified by Google. In this case, however, the advertiser is clearly not Google itself.
The researchers also found different variants targeted at those who want to sign up or sign in for services.
The threat actors behind the campaigns use various advertiser accounts on Google Ads from individuals and businesses in different locations.
“Some of those hacked accounts already had hundreds of other legitimate ads running, and one of them was for a popular Taiwanese electronics company,” the researchers noted.
The phishing pages are often hosted on Google Sites, the tech giant’s free web page creation tool. This allows attackers to craft a URL that matches Google’s domain name and makes it indistinguishable from a legitimate Google ad.
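A defender-side check for the point above, written as an added example (it is not code from Malwarebytes Labs or Cybernews): a landing URL on `sites.google.com` shares Google's domain but serves user-created pages, so it should not be treated like a Google sign-in host. The two host lists are assumptions chosen for illustration, and the sample URLs in the usage are constructed.

```python
from urllib.parse import urlsplit

# Assumption: hosts where an advertiser expects to enter Google credentials.
CREDENTIAL_HOSTS = {"accounts.google.com", "ads.google.com"}
# Assumption: google.com hosts that serve user-created pages.
# The article names Google Sites as the hosting tool used for the phishing pages.
USER_CONTENT_HOSTS = {"sites.google.com"}


def classify_landing_url(url: str) -> str:
    """Classify the final landing URL of an ad click.

    Returns one of: 'expected', 'user-content', 'google-other',
    'lookalike', 'insecure', 'unrelated'.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unrelated"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unrelated"
    # "https://ads.google.com@other.example/" puts the brand in userinfo;
    # the real host is whatever follows the '@'.
    if parts.username is not None:
        return "lookalike"
    if parts.scheme != "https":
        return "insecure"
    if host in USER_CONTENT_HOSTS:
        return "user-content"   # same domain as Google, content is not Google's
    if host in CREDENTIAL_HOSTS:
        return "expected"
    if host == "google.com" or host.endswith(".google.com"):
        return "google-other"   # Google-operated, but not a sign-in host
    # Brand name used inside a host that is not under google.com.
    if any("google" in label for label in host.split(".")):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://ads.google.com/home/",
        "https://sites.google.com/view/constructed-example",
        "https://ads.google.com.example.net/login",
    ):
        print(f"{classify_landing_url(sample):13} {sample}")
```

Because malicious ads can pass through several redirects, the check is meant for the URL where the login form is finally displayed, not the ad's display URL.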
In just a few days, the researchers discovered and reported over 50 fraudulent ads and were able to contact victims who not only saw the ads but were also scammed and lost money. And Google’s defenses appear toothless.
“We quickly realized that no matter how many reported incidents and takedowns, the threat actors managed to keep at least one malicious ad 24/7,” Malwarebytes Labs said.
Victims have shared that they had received a notification from Google indicating suspicious logins from Brazil.
“We identified two main groups of criminals running this scheme but the more prolific by far is one made of Portuguese speakers likely operating out of Brazil.”
Another group with the same kind of delivery chain but a different phishing kit was using accounts from Hong Kong and appeared to be Asia-based.
A third campaign, which impersonated Google Authenticator and used a fake CAPTCHA lure and heavy obfuscation on the phishing page, likely originated from Eastern Europe. Similar campaigns have been observed before.
Cybernews previously reported that malicious ads often involve multiple hops before finally arriving at the phishing portal. This helps cybercriminals hide their tracks and maintain persistence.
Malwarebytes Labs researchers are not fully convinced that Google takes definitive steps to freeze such accounts. One compromised advertiser had been reported 30 times, yet was still active.
“Crooks are using someone else’s budget to further continue spreading malfeasance. Whether those dollars are spent towards legitimate ads or malicious ones, Google still earns revenues from those ad campaigns,” the report reads.
Google is aware of malicious ad campaigns and continues to take enforcement measures against them, actively reviewing the ads and associated accounts and taking the appropriate actions. The company has strict ad policies that govern the types of ads and advertisers it allows on its platforms.
“We expressly prohibit ads that aim to deceive people in order to steal their information or scam them. Our teams are actively investigating this issue and working quickly to address it,” Google Ads said in a statement.
The company observes threat actors operating with more sophistication and at a greater scale, using a variety of tactics to evade its detection. This includes creating thousands of accounts simultaneously, using techniques such as text manipulation to circumvent automated detection, and cloaking, which shows Google's reviewers and systems different ad content than a user would see. Both techniques make content more difficult to detect and enforce against.
In 2023, Google removed over 3.4 billion ads, restricted over 5.7 billion ads, and suspended over 5.6 million advertiser accounts.
Updated on January 16th [09:00 a.m. GMT] with a statement from Google Ads.