Attackers Hijack Google Advertiser Accounts to Spread Malware
It's an especially brazen form of malvertising, researchers say, striking at the heart of Google's business; the tech giant says it's aware of the issue and is working quickly to address the problem.
January 15, 2025
In an especially brazen tactic, multiple threat actors are impersonating Google Ads login pages to trick advertisers into handing over their account credentials.
The attackers — from regions as geographically dispersed as South America, Asia, and Eastern Europe — are then using the hijacked accounts in real-time to buy and distribute malicious advertisements and malware via Google Ads.
'Most Egregious' Malvertising Campaign Ever
The scammers appear to be succeeding in many cases because their ads are allowed to show an ads.google.com URL. This makes them virtually indistinguishable from legitimate Google ads, according to researchers at Malwarebytes, who spotted the malicious activity recently.
"This is the most egregious malvertising operation we have ever tracked, getting to the core of Google's business and likely affecting thousands of their customers worldwide," Malwarebytes researcher Jerome Segura wrote in a blog post this week. "We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication."
Google Ads is an advertising platform that enables businesses and individuals to display targeted ads across Google's search results, websites, mobile apps, and other online properties, based on user search behavior and interests. Often, the top search results are sponsored, meaning someone paid for that high visibility. For context, Google Search generated some $175 billion in ad revenue in 2023.
According to Segura, there has been a recent flood of fake sponsored ads for Google Ads directed at businesses and individuals looking to advertise on Google Search or wanting to sign in to their Google Ads accounts. The ads appear to be from Google and purport to either help people sign up for a Google Ads account or to sign in to an existing account. Users clicking on these ads are directed to a fake Google Ads home page from which they are directed to external sites designed specifically to steal usernames and passwords to the advertiser's Google accounts.
The attackers are using Google's free website creation platform, Google Sites, to host the lure pages. It is a tactic that Segura says allows them to trivially bypass a Google policy that allows advertisers to include a URL in their ads only if the URL matches the domain name of the advertiser. "Looking back at the ad and the Google Sites page, we see that [the] malicious [ads do] not strictly violate the rule since sites.google.com uses the same root domains as ads.google.com," Segura said. "In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC."
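To make the loophole concrete, here is an added example (not code from Malwarebytes or Google) that models the display-URL rule as the article describes it and contrasts it with a stricter review check a defender might apply. It assumes a simplified "registrable domain" of the last two host labels (which ignores suffixes such as co.uk) and a constructed list of Google-hosted user-content services; the lure path is made up.

```python
"""Added example: why a root-domain match lets a sites.google.com landing page
display an ads.google.com URL, and a stricter check that would not."""
from urllib.parse import urlsplit

# Constructed list (assumption): Google-hosted services where anyone can publish
# content, so a landing page there should not inherit the trust of the root domain.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def root_domain(host: str) -> str:
    """Simplified registrable domain: last two labels (assumption; no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def root_domain_rule_allows(display_url: str, landing_url: str) -> bool:
    """Lenient rule as described in the article: same root domain is enough."""
    return root_domain(host_of(display_url)) == root_domain(host_of(landing_url))


def strict_rule_allows(display_url: str, landing_url: str) -> bool:
    """Stricter review check: exact host match, and never a user-content host."""
    display, landing = host_of(display_url), host_of(landing_url)
    return display == landing and landing not in USER_CONTENT_HOSTS


def classify(display_url: str, landing_url: str) -> str:
    """Triage label for an ad whose shown URL and real landing page are known."""
    lenient = root_domain_rule_allows(display_url, landing_url)
    strict = strict_rule_allows(display_url, landing_url)
    if strict:
        return "legitimate"
    if lenient:
        # Passes the root-domain rule only: the exact pattern the campaign abuses.
        return "suspicious"
    return "reject"


if __name__ == "__main__":
    # Constructed sample pairs (display URL shown in the ad, actual landing page).
    samples = [
        ("https://ads.google.com", "https://ads.google.com/intl/en/home/"),
        ("https://ads.google.com", "https://sites.google.com/view/example-lure"),  # constructed
        ("https://ads.google.com", "https://example.net/login"),
    ]
    for display, landing in samples:
        print(f"{display} -> {landing}: {classify(display, landing)}")
```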
Google Is Actively Investigating Cyberattacks
In an emailed comment, a Google spokesman said the company is currently "actively investigating" the issue and working on a quick fix for the problem. "We expressly prohibit ads that aim to deceive people in order to steal their information or scam them," the spokesperson said.
As context, the spokesperson pointed to the growing sophistication and scale of malvertising campaigns and noted instances where threat actors have created thousands of malicious accounts simultaneously to distribute malicious ads on Google properties. Often these actors are using techniques such as text manipulation to get around automation detection mechanisms. In other instances, they use cloaking tactics to show Google reviewers and systems different ads from the ones that users end up seeing. "To provide a sense of the scale of our enforcement efforts in 2023, we removed over 3.4 billion ads, restricted over 5.7 billion ads, and suspended over 5.6 million advertiser accounts," the spokesman said.
Impersonating Google Ads: Simple & Effective Social Engineering
In comments to Dark Reading, Segura says the most notable part of the new malicious activity is the impersonation of the Google Ads brand by combining Google Sites URLs with the ads. "It's a simple and yet effective trick that makes those ads incredibly hard to differentiate from the real ones," Segura says. Complicating matters is the fact that bad actors are often using compromised Google Ads accounts to place even more fake ads in Google Search, making the activity challenging to stop.
Google should be making it harder for bad actors to pull off such impersonation schemes, he says. "The 'how' is more complicated, as it involves reviewing business practices and … existing security policies."
Segura says Malwarebytes is tracking and reporting each malvertising incident it comes across via a live tracker that the Google Ads team can access. "This has been a helpful tool for us, not only to make the reporting process easier but also to keep a historical record," he notes. Google's response has consisted of taking action on the ads that Malwarebytes reports. "[But] the threat actors are able to get right back as if the campaign never stopped. We are talking about dozens of accounts that get burned but yet there are enough to keep this going indefinitely."