Google Ads Malvertising Scam Is Out There to Get Online Advertisers
A Sophisticated Deception Targeting Advertisers
Cybersecurity analysts have uncovered a deceptive scheme targeting businesses and individuals using Google Ads. This fraudulent campaign exploits Google’s advertising system to lure users into credential theft. Attackers are deploying misleading advertisements that masquerade as legitimate Google Ads promotions, leading unsuspecting users to phishing sites designed to harvest login information.
The primary objective of this campaign is to compromise as many advertising accounts as possible. By impersonating Google Ads, attackers redirect users to fraudulent login portals, where credentials and two-factor authentication (2FA) codes are stolen. These stolen accounts are then misused to further the scam, with cybercriminals potentially selling the hijacked credentials on illicit platforms.
Exploiting Google’s Own Advertising System
Reports from various online forums indicate that this campaign has been active since at least November 2024. The strategy mirrors previous schemes that targeted social media advertising accounts, where stolen credentials were used to run deceptive promotions. In this case, the fraudsters are taking advantage of Google’s search engine itself by injecting misleading ads into search results.
Users searching for Google Ads services are being presented with malicious ads that, when clicked, redirect them to phishing sites hosted on Google Sites. These fraudulent pages are engineered to look authentic, creating a convincing trap for unsuspecting victims. Once login details are submitted, the information is exfiltrated to an external server controlled by the attackers.
How the Attackers Bypass Security Measures
The campaign is particularly effective due to a loophole in Google Ads policies. Currently, Google Ads permits the display URL—the visible web address in the ad—to differ from the final URL as long as the domain matches. Exploiting this, fraudsters host their deceptive landing pages on Google Sites while displaying ads.google.com as the visible link, making them appear credible.
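The display-URL rule described above is easy to check for on the defender's side: if an ad's visible address and its final landing page share a registrable domain but differ in host, and the landing host is one that serves user-uploaded content, the ad deserves a closer look. The following is an added example, not code from the article or from Google; the user-content host list and the sample ad records are constructed for illustration, and the domain extraction is deliberately simplified (a production check should use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Hosts under a trusted brand's domain that serve content uploaded by arbitrary users.
# Constructed list for this example; extend it for your own environment.
USER_CONTENT_HOSTS = {
    "sites.google.com",
    "docs.google.com",
    "drive.google.com",
    "storage.googleapis.com",
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'google.com'.

    Simplification for the example: a real deployment should consult the
    Public Suffix List so that names like 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hostname_of(url: str) -> str:
    """Extract the host from a URL; display URLs are often written without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def check_ad_urls(display_url: str, final_url: str) -> dict:
    """Compare an ad's visible address with its real destination.

    Returns the two hosts plus a list of findings; 'suspicious' is True when
    the hosts differ within the same domain or the destination is a
    user-content host.
    """
    display_host = hostname_of(display_url)
    final_host = hostname_of(final_url)
    findings = []

    if registrable_domain(display_host) != registrable_domain(final_host):
        # Different domains: the policy described in the article would not allow this at all.
        findings.append("domain mismatch between display URL and final URL")
    elif display_host != final_host:
        # Same domain, different host: exactly the gap the campaign relies on.
        findings.append(f"subdomain differs: shows {display_host}, lands on {final_host}")

    if final_host in USER_CONTENT_HOSTS:
        findings.append(f"final URL is hosted on user-content host {final_host}")

    return {
        "display_host": display_host,
        "final_host": final_host,
        "suspicious": bool(findings),
        "findings": findings,
    }


def triage(ads: list[dict]) -> list[dict]:
    """Run the check over a batch of ad records and keep only the suspicious ones."""
    results = []
    for ad in ads:
        verdict = check_ad_urls(ad["display_url"], ad["final_url"])
        if verdict["suspicious"]:
            results.append({"ad_id": ad["ad_id"], **verdict})
    return results


# Constructed sample ad records (ad ids and paths are made up for the example).
SAMPLE_ADS = [
    {"ad_id": "ad-001", "display_url": "ads.google.com",
     "final_url": "https://ads.google.com/intl/en/home/"},
    {"ad_id": "ad-002", "display_url": "ads.google.com",
     "final_url": "https://sites.google.com/view/constructed-login-page"},
    {"ad_id": "ad-003", "display_url": "ads.google.com",
     "final_url": "https://example.test/login"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ADS):
        print(hit["ad_id"], "->", "; ".join(hit["findings"]))
```

Run against the sample batch, only `ad-002` and `ad-003` are reported; `ad-002` carries both findings, which is the pattern the article describes: a credible `ads.google.com` display address in front of a page on Google Sites.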
Additionally, advanced evasion techniques are in use, including fingerprinting, anti-bot detection, obfuscation, and CAPTCHA-based lures. These methods help conceal the fraudulent infrastructure, making it difficult for security systems to detect and block the malicious activity.
The Consequences of a Hijacked Advertising Account
Once attackers gain control over an advertising account, they manipulate it to serve their own purposes. Compromised accounts are used to publish additional fraudulent ads, creating a cycle that continuously expands the pool of hacked users. In some cases, new administrators are added to the victim’s account, allowing cybercriminals to maintain access even if the original user attempts to recover control.
Beyond immediate financial losses from unauthorized ad spending, affected users may face reputational damage. Advertisers whose accounts are hijacked could unwillingly promote malicious content, harming their brand credibility and causing further disruption to their business operations.
The Global Scale and Origins of the Scam
Cybersecurity researchers believe that multiple actors may be behind this fraudulent activity, with strong indications pointing toward groups operating in Portuguese-speaking regions, particularly Brazil. The infrastructure supporting this campaign includes intermediary domains with the .pt top-level domain, reinforcing the theory of a regional origin.
While Google has security measures in place to detect and remove deceptive ads, attackers continue to exploit weaknesses in the advertising system. The sheer scale of Google’s ad network makes it challenging to completely eliminate fraudulent activity, even as enforcement efforts intensify.
Google’s Response and the Ongoing Battle Against Fraudulent Ads
In response to these revelations, Google has stated that deceptive ads violating its policies are strictly prohibited. The company is actively investigating the issue and taking steps to address it. Google has highlighted its ongoing efforts to combat fraudulent advertisements, reporting that in 2023 alone, it removed over 3.4 billion ads, restricted more than 5.7 billion, and suspended approximately 5.6 million advertiser accounts.
Despite these measures, the persistence of fraudulent advertising campaigns underscores the need for advertisers to remain vigilant. Attackers continuously refine their tactics, making it crucial for users to be aware of the risks and take necessary precautions to protect their accounts.
Protecting Against Google Ads Malvertising Scams
To minimize the risk of falling victim to these scams, advertisers should adopt best practices for securing their accounts. Enabling strong authentication methods, such as hardware security keys, can help prevent unauthorized access. Regularly monitoring account activity and reviewing permissions for any unexpected changes is also essential.
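Reviewing permissions for unexpected changes, as recommended here, is also the way to catch the persistence technique described earlier, where a new administrator is quietly added to a hijacked account. The following is an added example, not code from the article or from Google: it replays a constructed list of access-change events against an approved baseline and flags unapproved users, role escalations, and admin grants made by someone who was never approved as an admin. The event field names and addresses are assumptions made for this example, not the format of any real change-history export.

```python
# Approved access baseline for the account (constructed for this example).
APPROVED_ACCESS = {
    "owner@example-advertiser.test": "admin",
    "marketing@example-advertiser.test": "standard",
}

# Constructed access-change events in the order they were recorded.
# The field names are an assumption for this example, not a real export schema.
EVENTS = [
    {"time": "2024-11-03T09:12:00", "actor": "owner@example-advertiser.test",
     "action": "grant", "user": "marketing@example-advertiser.test", "role": "standard"},
    # A compromised standard user adds an outside admin in the middle of the night.
    {"time": "2024-11-20T02:47:00", "actor": "marketing@example-advertiser.test",
     "action": "grant", "user": "recovery-helper@mail-drop.test", "role": "admin"},
    # The new admin escalates the compromised user.
    {"time": "2024-11-20T02:49:00", "actor": "recovery-helper@mail-drop.test",
     "action": "change_role", "user": "marketing@example-advertiser.test", "role": "admin"},
    # The owner notices and removes the compromised user, but not the added admin.
    {"time": "2024-11-21T10:00:00", "actor": "owner@example-advertiser.test",
     "action": "revoke", "user": "marketing@example-advertiser.test", "role": None},
]

ADMIN = "admin"


def replay(events: list[dict]) -> dict:
    """Apply the events in time order and return the resulting user -> role map."""
    access = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] in ("grant", "change_role"):
            access[e["user"]] = e["role"]
        elif e["action"] == "revoke":
            access.pop(e["user"], None)
    return access


def audit(events: list[dict], approved: dict) -> list[str]:
    """Compare replayed access against the baseline and explain every deviation."""
    findings = []

    # 1. Who holds access now, and is each of them approved for that role?
    for user, role in sorted(replay(events).items()):
        if user not in approved:
            findings.append(f"unapproved user {user} holds role {role}")
        elif role == ADMIN and approved[user] != ADMIN:
            findings.append(f"{user} escalated to admin (approved role: {approved[user]})")

    # 2. Who handed out admin rights, and were they an approved admin at all?
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] in ("grant", "change_role") and e["role"] == ADMIN:
            if approved.get(e["actor"]) != ADMIN:
                findings.append(
                    f"{e['time']}: admin granted to {e['user']} by {e['actor']}, "
                    f"who is not an approved admin"
                )
    return findings


if __name__ == "__main__":
    for line in audit(EVENTS, APPROVED_ACCESS):
        print(line)
```

Note that after the owner's cleanup the replayed state still contains the added administrator, which is why the audit compares against a baseline rather than only looking at the most recent change: the persistence described in the article is invisible if you only check who was removed.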
Users should be cautious when clicking on Google Ads links, especially for services related to advertising. Instead of relying on search engine results, navigating directly to Google Ads through official bookmarks or manually entering the URL can reduce the risk of encountering fraudulent sites.
Bottom Line
The Google Ads malvertising scam serves as a stark reminder of the evolving tactics cybercriminals employ to exploit online advertising platforms. While Google continues to enhance its security mechanisms, advertisers must also remain vigilant and proactive in safeguarding their accounts. By staying informed and adopting robust security measures, businesses and individuals can better defend against these deceptive threats and maintain control over their advertising investments.