Full Report
Cybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google. "The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of
Analysis Summary
# Incident Report: Google Ads Malvertising Credential Theft Campaign
## Executive Summary
A widespread malvertising campaign actively targeted individuals and businesses using Google Ads, using fraudulent advertisements to redirect victims to sophisticated phishing pages built to harvest Google Ads credentials, including 2FA codes. The attackers compromised numerous accounts and used the stolen access to extend the campaign, spending the victims' ad budgets on further malicious advertisements. The scale and coordination suggest an organized effort, possibly run by Portuguese speakers and likely based in Brazil.
## Incident Details
- **Discovery Date:** Mid-November 2024 (when the activity was first reported or observed by users and researchers)
- **Incident Date:** Active since at least Mid-November 2024
- **Affected Organization:** Google Ads Advertisers (Individuals and Businesses)
- **Sector:** Advertising, Various Industries
- **Geography:** Global targets; the infrastructure and language point to a Portuguese-speaking origin, possibly Brazil or Portugal
## Timeline of Events
### Initial Access
- **Date/Time:** Activity active since mid-November 2024. Exact initial compromise dates unknown.
- **Vector:** Malvertising via Google Ads search results.
- **Details:** Attackers create fraudulent ads deceptively labeled as Google Ads services. The ads abuse the Google Ads policy that lets the display URL differ from the final URL as long as the two share a domain: the ad shows `ads.google.com` as its display URL while its final URL is a `sites.google.com` page, which then redirects the visitor onward to the phishing site.
### Lateral Movement
- **Details:** Once credentials are stolen, attackers log in to the victim's Google Ads account and immediately add a new administrator user to retain persistent access. This is the closest the campaign comes to lateral movement: it stays within the victim's advertising platform rather than spreading to other systems.
### Data Exfiltration/Impact
- **Details:** The primary 'exfiltration' is the harvesting of user credentials (including 2FA codes) over a WebSocket connection opened by the phishing page. The immediate operational impact is the hijacking of the victim's advertising budget to promote further fraudulent ads (self-propagation). The suspected long-term goal includes selling the stolen credentials.
### Detection & Response
- **Details:** The phishing activity was identified and highlighted by cybersecurity researchers (Malwarebytes), following numerous user reports across Reddit, Bluesky, and official Google support forums.
- **Response actions taken:** Public disclosure by researchers, alerting users to the threat while it was still in progress. (Note: the article implies that Google had not yet taken definitive steps to freeze compromised accounts.)
## Attack Methodology
- **Initial Access:** Malvertising (Fake Google Ads leading to redirection chains).
- **Persistence:** Adding a new administrator account to the compromised Google Ads account.
- **Privilege Escalation:** N/A (Direct initial access to the advertising management platform).
- **Defense Evasion:** Use of cloaking, fingerprinting, anti-bot traffic detection, and a CAPTCHA-inspired lure to conceal the malicious infrastructure from automated security scans.
- **Credential Access:** Phishing (capturing login credentials and 2FA codes via a WebSocket connection).
- **Discovery:** Not explicitly detailed, but the attack targets users specifically searching for "Google Ads."
- **Lateral Movement:** Within the compromised advertising account, by adding attacker-controlled administrator users.
- **Collection:** Harvesting credentials and 2FA tokens.
- **Exfiltration:** Exfiltrated credentials/2FA codes were sent to a remote server controlled by the attacker via a WebSocket connection.
- **Impact:** Hijacking ad budgets and propagating the scam.
## Impact Assessment
- **Financial:** Potential loss of advertising budget funds used by attackers; recovery costs for victims.
- **Data Breach:** Sensitive user credentials (likely including payment information linked to the Ads account, personal/business contact details associated with the account).
- **Operational:** Disruption to legitimate advertising campaigns and time spent by victims dealing with account compromise.
- **Reputational:** Negative impact on the trust users place in Google Search and Ads transparency.
## Indicators of Compromise
- **Network indicators (Defanged):** Phishing sites hosted on external domains, potentially using `.pt` TLD intermediary domains.
- **File indicators:** N/A (Browser-based phishing, no common malware file download mentioned).
- **Behavioral indicators:** Redirection from a Google Search result (even if the display URL looks legitimate) to an intermediate site (e.g., `sites.google.com`) before hitting the final login page.
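The display/final URL pattern described under Initial Access and in the behavioral indicator above can be checked mechanically. The following Python is an added example written for this summary, not code from the report or from Malwarebytes; the display URLs and redirect chains in it are constructed samples, and the `registrable_domain` helper is a deliberately simple two-label approximation:

```python
from urllib.parse import urlparse

# Google-owned hosts the campaign abused as a bounce point between the
# ad's declared final URL and the real phishing landing page.
TRUSTED_INTERMEDIARIES = {"sites.google.com"}


def registrable_domain(url: str) -> str:
    """Crude eTLD+1: the last two labels of the hostname. Assumption for this
    example: no multi-label public suffixes (such as .co.uk) in the inputs."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_chain(display_url: str, chain: list) -> dict:
    """Assess one ad: its display URL plus the ordered list of URLs a client
    actually visits, starting with the ad's declared final URL."""
    display_dom = registrable_domain(display_url)
    declared_dom = registrable_domain(chain[0])
    landing_dom = registrable_domain(chain[-1])
    bounce_hosts = [
        (urlparse(u).hostname or "").lower()
        for u in chain[:-1]
        if (urlparse(u).hostname or "").lower() in TRUSTED_INTERMEDIARIES
    ]
    # The ad policy is satisfied when display and declared final URL share a
    # domain; the abuse is that the chain then leaves that domain.
    policy_match = display_dom == declared_dom
    leaves_domain = landing_dom != display_dom
    return {
        "display_domain": display_dom,
        "landing_domain": landing_dom,
        "policy_match": policy_match,
        "leaves_display_domain": leaves_domain,
        "bounce_hosts": bounce_hosts,
        "suspicious": policy_match and leaves_domain,
    }


# Constructed sample chains for illustration, not observed indicators.
BENIGN = ("https://ads.google.com", ["https://ads.google.com/intl/en/home/"])
ABUSIVE = (
    "https://ads.google.com",
    [
        "https://sites.google.com/view/placeholder-page",        # declared final URL
        "https://ads-login.phish-placeholder.example/signin",    # real landing page
    ],
)

if __name__ == "__main__":
    for name, (display, chain) in (("benign", BENIGN), ("abusive", ABUSIVE)):
        print(name, analyze_chain(display, chain))
```

In practice the chain would come from a headless fetch or proxy log of the ad click; the verdict flags only chains that satisfy the policy on paper yet end on a different registrable domain.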
## Response Actions
- **Containment measures:** Not stated in the source; the implied step is for victims to immediately review account access and remove any newly added administrators.
- **Eradication steps:** Not stated in the source; the implied step is for victims to change all affected passwords and enable stronger 2FA methods.
- **Recovery actions:** Account restoration and auditing of ad spending.
## Lessons Learned
- Google Ads policy regarding the separation of Display URL and Final URL, while technically allowed when domains match, is being actively exploited to host phishing landing pages on trusted platforms like Google Sites.
- Threat actors are sophisticated, employing multi-stage redirection, cloaking, and anti-bot measures to bypass scrutiny.
- The campaign demonstrates a self-perpetuating cycle where compromised accounts are used to recruit new victims, increasing the scale rapidly.
## Recommendations
- Google should review and potentially tighten policies regarding the acceptable use of Google Sites (or similar trusted platforms) as intermediate links in complex redirection chains for high-value services like Google Ads.
- Advertisers must treat all search result advertisements with extreme caution, verifying the actual destination URL rather than relying solely on the displayed URL text.
- Advertisers should use hardware security keys for 2FA wherever possible: a FIDO key binds the authentication to the legitimate origin, so a code or assertion captured on a phishing page (whether relayed over WebSocket or otherwise) cannot be replayed against the real Google login.