Fraudsters use Google Search ads to promote phishing sites

February 5, 2025

Fraudsters are running an ongoing malicious campaign that uses Google Search ads to push phishing websites to visitors and steal advertisers’ Google Ads credentials.

Reports revealed that threat actors are running ads on Google Search that mimic Google Ads. These ads appear as sponsored results and redirect potential victims to fake login sites hosted on Google Sites. The sites appear legitimate and look like genuine Google Ads homepages that prompt targets to log in to their accounts.

Researchers noted that hackers use Google Sites to host phishing pages because it helps them hide their false adverts: the URL matches the Google Ads root domain, which completes the impersonation.
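The following added example (not from the researchers or the original report) shows why a root-domain match is too loose for a filtering rule and an exact-host allowlist is needed. The allowlist contents, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts where a Google Ads login may legitimately occur.
ALLOWED_HOSTS = {"ads.google.com", "accounts.google.com"}
BRAND_ROOT = "google.com"

def host_of(url):
    """Return the lower-cased host the browser would connect to, or None."""
    try:
        host = urlsplit(url).hostname  # ignores any user:pass@ prefix
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def shares_root(host, root=BRAND_ROOT):
    """The loose check: is the host the root domain or any subdomain of it?"""
    return host == root or host.endswith("." + root)

def classify(url):
    """'allowed'   = exact host on the allowlist over HTTPS
    'same-root' = under google.com but not an allowed host (user-hosted content)
    'other'     = anything else, including non-HTTPS URLs"""
    host = host_of(url)
    if host is None or urlsplit(url).scheme != "https":
        return "other"
    if host in ALLOWED_HOSTS:
        return "allowed"
    if shares_root(host):
        return "same-root"
    return "other"

# Constructed sample destinations, not taken from the campaign.
SAMPLES = [
    "https://ads.google.com/home/",
    "https://sites.google.com/view/example-ads-login",
    "https://ads.google.com@sites.google.com/view/example",
    "https://ads.google.com.example.net/login",
    "http://ads.google.com/home/",
]

def report(urls=SAMPLES):
    """Pair each URL with its verdict."""
    return [(u, classify(u)) for u in urls]

if __name__ == "__main__":
    for url, verdict in report():
        print(f"{verdict:10} {url}")
```

A "same-root" verdict on a page that asks for Google Ads credentials is the case described above: the host passes a root-domain comparison but is not the real login host.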

According to people who were either victims of these attacks or saw them in action, the attacks involve multiple stages. First, victims are tricked into submitting their Google account details on the phishing site. Next, the malicious kit collects identifiers, login passwords, and cookies.

Subsequently, the victim receives an email indicating a login from an unexpected location. If the victim fails to stop the attempt, the operation creates a new admin for the Google Ads account using a different Gmail address. The threat actors then go on a spending binge and, if possible, lock out the victims.

Multiple threat groups may be running the Google Search ads phishing sites.

At least three cybercriminal organisations are responsible for these fraudulent Google Search ads campaigns. The alleged attackers originate from various locations: Portuguese speakers most likely working out of Brazil, Asia-based threat actors using advertiser accounts from China, and Eastern European hackers.

Furthermore, the researchers suspect that the primary objective of these cybercriminals is to sell the stolen accounts on dark web hacking forums and to use some of them to carry out further phishing attacks or social engineering campaigns.

These stolen Google advertising accounts are in high demand among cybercriminals, since most of them frequently use such accounts to run other cybercriminal activities that need Google search advertisements to spread malware and other schemes.
