Criminals Ransack Advertiser Accounts Via Fake Google Ads


At the end of January 2025, a sophisticated and large-scale hacking attack targeting Google Ads accounts of many advertisers was discovered. According to a report from Malwarebytes Labs, hackers are using Google's own search ads to scam users and steal login information.

How the Attack Works

Hackers are deploying fraudulent search ads that imitate the Google Ads landing page, appearing as sponsored ad results when users search for "Google Ads." Upon clicking, users are redirected to counterfeit pages hosted on Google Sites, which resemble the official Google Ads homepage.

Figure 4: Two ads, for signing up and signing in to Google Ads respectively

Exploiting the fact that the URL of Google Sites (sites.google.com) shares the root domain with Google Ads (ads.google.com), hackers can effectively conceal their actual target. This strategy enables them to circumvent Google's policy requiring the display URL in ads to match the final destination URL.
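The gap described above, as an added example (not code from the article, Malwarebytes or Google): a root-domain comparison accepts a sites.google.com landing page for an ads.google.com display URL, while an exact-host allowlist flags it. The host sets, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not taken from the article): the exact hosts
# where a Google Ads sign-in is expected, and Google-owned hosts that serve
# pages anyone can publish.
TRUSTED_LOGIN_HOSTS = {"ads.google.com", "accounts.google.com"}
USER_CONTENT_HOSTS = {"sites.google.com"}

def host_of(url):
    """Lower-cased hostname without port, userinfo or trailing dot."""
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".")

def root_domain(host):
    """Last two labels. Enough for google.com; real code needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def same_root_domain(display_url, final_url):
    """Loose comparison: only the root domain of the two URLs must match."""
    a, b = host_of(display_url), host_of(final_url)
    return bool(a) and bool(b) and root_domain(a) == root_domain(b)

def classify_landing(final_url):
    """Strict check: exact-host allowlist, with user-content hosts called out."""
    parts = urlsplit(final_url.strip())
    host = host_of(final_url)
    if host in USER_CONTENT_HOSTS:
        return "user-content"   # Google-hosted, but the page itself is third-party
    if parts.scheme == "https" and host in TRUSTED_LOGIN_HOSTS:
        return "trusted-login"
    return "untrusted"

# Constructed sample: one display URL and three possible final URLs.
DISPLAY = "https://ads.google.com/"
SAMPLES = [
    "https://ads.google.com/home/",
    "https://sites.google.com/view/example-page",  # placeholder path
    "https://example.com/ads",
]

def report():
    return [(u, same_root_domain(DISPLAY, u), classify_landing(u)) for u in SAMPLES]

if __name__ == "__main__":
    for url, loose, strict in report():
        print(f"{url:45} root-match={loose!s:5} verdict={strict}")
```

A mail gateway, proxy rule or browser extension can apply the strict verdict before a user reaches a sign-in form.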

Hacker Groups Involved

Malwarebytes Labs has identified at least three hacker groups involved in this attack:

  1. Portuguese Group, Possibly Operating from Brazil

    • This group is the most active, with over 50 fraudulent ads reported within a few days.

    • They utilize JavaScript with comments in Portuguese in the source code.

    • Numerous victims have received notifications from Google regarding suspicious logins originating from Brazil.

  2. Group from Asia, Utilizing Ad Accounts from Hong Kong or China

    • They also employ Google Sites to host counterfeit pages.

    • Their source code includes comments in Chinese.

  3. A Third Group, Possibly from Eastern Europe

    • Their primary objective is the distribution of malware rather than account theft.

Attack Flow

Figure 1: Process flow for this Google Ads heist campaign

  1. Fraudulent Ads: Hackers develop deceptive Google Ads search advertisements.

  2. Intermediate Page: Users are redirected to a Google Sites page that mimics the Google Ads homepage.

  3. Phishing Page: By clicking "Get Started Now," users are directed to a genuine-looking page intended to capture login credentials.

  4. Data Collection: JavaScript code gathers browser fingerprints and transmits the data to a remote server.

Objective of the Attack

The primary aim of the hackers is to resell the compromised accounts on hacking forums and utilize some for conducting similar attacks. Stolen Google Ads accounts are particularly valuable as they enable attackers to run fraudulent ads or distribute malware on the Google platform.

Google's Response

Google has recognized the issue and is actively investigating and addressing it. The company has reiterated its strict prohibition against ads designed to deceive users or commit fraud. In 2023, Google removed over 206.5 million ads that violated fraud policies, deleted more than 3.4 billion ads, restricted over 5.7 billion ads, and suspended more than 5.6 million advertiser accounts.

Conclusion

This attack ranks among the most significant online fraud incidents tracked by Malwarebytes, impacting thousands of Google customers globally. Users should exercise caution when accessing ad landing pages and consider using ad blockers to mitigate these threats. Raising awareness about cybersecurity and implementing security measures such as two-factor authentication are essential to prevent such attacks.

Reference

  1. Hackers use Google Search ads to steal Google Ads accounts

  2. Hackers Target Google Ad Accounts—With Google Ad Phishing Scams

  3. The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

  4. Attackers Hijack Google Advertiser Accounts to Spread Malware
