Malicious Google Ads Impersonation Campaign
In a particularly brazen tactic, multiple threat actors are impersonating Google Ads login pages to trick advertisers into handing over their account credentials.
The attackers, originating from regions as geographically dispersed as South America, Asia, and Eastern Europe, are then using the hijacked accounts in real time to buy and distribute malicious advertisements and malware via Google Ads.
Most Egregious Malvertising Campaign Ever
The scammers appear to be succeeding in many cases because their ads are allowed to show an ads.google.com URL. This makes them virtually indistinguishable from legitimate Google ads, according to researchers at Malwarebytes, who spotted the malicious activity recently.
In comments to Dark Reading, Segura says the most notable part of the new malicious activity is the impersonation of the Google Ads brand by combining Google Sites URLs with the ads. "It’s a simple and yet effective trick that makes those ads incredibly hard to differentiate from the real ones," Segura says. Complicating matters is the fact that bad actors are often using compromised Google Ads accounts to place even more fake ads in Google Search, making the activity challenging to stop.
Need for Improved Google Ads Security
Google should be making it harder for bad actors to pull off such impersonation schemes, he says. "The ‘how’ is more complicated, as it involves reviewing business practices and existing security policies."
Malwarebytes’ Efforts to Combat Malvertising
Segura says Malwarebytes is tracking and reporting each malvertising incident it comes across via a live tracker that the Google Ads team can access. "This has been a helpful tool for us, not only to make the reporting process easier but also to keep a historical record," he notes. Google’s response has consisted of taking action on ads that Malwarebytes reports. "[But] the threat actors are able to get right back as if the campaign never stopped. We are talking about dozens of accounts that get burned but yet there are enough to keep this going indefinitely."