admin
January 20, 2025
Introduction
Cybersecurity researchers have uncovered a sophisticated malvertising campaign targeting individuals and businesses that use Google Ads. This scheme, first reported in mid-November 2024, phishes credentials and two-factor authentication (2FA) codes through fraudulent ads on Google’s own platform. The attackers aim to hijack advertiser accounts and use them to propagate the scam further, impacting businesses globally.
How the Malvertising Scam Works
This malicious campaign revolves around impersonating Google Ads through fraudulent advertisements. Here’s a step-by-step breakdown of the operation:
- Deceptive Ads on Google: Cybercriminals create fake Google Ads that mimic legitimate ads. These ads target users searching for “Google Ads” on Google’s search engine.
- Redirect to Fraudulent Sites: When clicked, these ads redirect victims to fake login pages hosted on Google Sites. The display URLs appear legitimate (e.g., ads.google[.]com), but the final URLs are fraudulent.
- Phishing for Credentials and 2FA Codes: On these fake login pages, users are prompted to enter their Google Ads credentials and 2FA codes. These details are exfiltrated in real time, over a WebSocket connection, to servers controlled by the attackers.
- Account Hijacking: The stolen credentials are used to access victims’ Google Ads accounts. Attackers add new administrators and exploit the accounts’ advertising budgets to run malicious ads, perpetuating the scam.
Advanced Tactics Employed by Attackers
The campaign stands out due to the ingenious techniques used to evade detection and enhance its effectiveness:
- Bypassing URL Restrictions: Google Ads’ policies allow the display URL to differ slightly from the final URL as long as the domains match. Attackers exploit this by hosting intermediate landing pages on sites.google[.]com, leading victims to phishing pages.
- Obfuscation and Cloaking: Techniques such as anti-bot traffic detection, fingerprinting, and CAPTCHA-inspired lures are used to filter out researchers and security tools, ensuring the phishing infrastructure remains hidden.
- Sophisticated Infrastructure: The phishing campaign relies on intermediary domains with the .pt top-level domain (indicative of Portugal). The majority of the threat actors are believed to be Portuguese speakers, potentially operating out of Brazil.
Impacts of the Scam
The consequences of this malvertising campaign are far-reaching:
- Financial Losses: Victims’ advertising budgets are drained to fund the attackers’ campaigns.
- Reputation Damage: Businesses lose trust as their accounts are used for malicious purposes.
- Secondary Exploitation: Stolen credentials are sold on underground forums, increasing the risk of further misuse.
Google’s Response
Google has acknowledged the issue, stating that such campaigns violate its ad policies. In 2023, Google took action against malicious ads by:
- Removing over 3.4 billion ads
- Restricting over 5.7 billion ads
- Suspending over 5.6 million advertiser accounts
Despite these efforts, the current campaign highlights gaps in the enforcement of ad policies. Google has assured that it is investigating the issue and implementing measures to address the abuse.
Broader Implications of Malvertising
This campaign is not an isolated incident. Similar tactics have been used to target Facebook advertising accounts, where stealer malware is deployed to hijack accounts for running malicious ads. Additionally, platforms like YouTube and SoundCloud have been leveraged to distribute malware disguised as pirated software installers. Popular malware families, including Amadey, Lumma Stealer, and Vidar Stealer, are deployed via these channels.
Protecting Yourself from Malvertising Scams
To mitigate the risks of falling victim to such campaigns, businesses and individuals should adopt the following best practices:
- Verify URLs: Always check the URL of the login page before entering credentials. Ensure it is the official Google Ads domain.
- Enable Multi-Factor Authentication (MFA): While this campaign captures one-time 2FA codes, using app-based MFA or physical security keys adds an extra layer of security.
- Regularly Monitor Accounts: Keep track of account activity for any unauthorized changes or suspicious ads.
- Educate Employees: Train staff to recognize phishing attempts and understand the risks of malvertising campaigns.
- Use Security Solutions: Deploy advanced anti-malware and anti-phishing tools to detect and block malicious activities.
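The "Bypassing URL Restrictions" tactic above and the "Verify URLs" advice both come down to one check: does the page a click actually lands on live on the expected login host, or merely on the same registrable domain? The following added example (written for this article, not code from the researchers or from Google) compares a displayed URL with a final URL and flags landings on Google-owned user-content hosts such as sites.google[.]com; the host allow-lists are assumptions for illustration, and the sample URLs in the test are constructed.

```python
from urllib.parse import urlsplit

# Hosts assumed to legitimately serve Google Ads sign-in and management
# (an assumption for this example; maintain your own allow-list).
ADS_LOGIN_HOSTS = {"ads.google.com", "accounts.google.com"}
# Google-owned hosts that serve arbitrary user-authored content, so sharing
# the google.com registrable domain says nothing about who wrote the page.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}


def normalize_host(url: str) -> str:
    """Extract a comparable hostname; accepts defanged 'example[.]com' input."""
    url = url.replace("[.]", ".").strip()
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # Render internationalized hostnames as punycode so look-alike
    # characters become visible instead of blending in.
    return host.encode("idna").decode("ascii")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for google.com-style hosts."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_ad_landing(display_url: str, final_url: str) -> str:
    """Classify an ad by comparing the URL shown with where the click lands.

    The page's point: a display URL and final URL may share a domain and
    still pass policy, so matching domains alone must not be trusted.
    """
    shown, landed = normalize_host(display_url), normalize_host(final_url)
    if landed in ADS_LOGIN_HOSTS:
        return "ok"
    if landed in USER_CONTENT_HOSTS:
        return "suspicious: landing host serves user-authored content"
    if registrable_domain(shown) == registrable_domain(landed):
        return "suspicious: same registrable domain but unexpected host"
    return "mismatch: landing domain differs from displayed domain"
```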
Conclusion
The discovery of this malvertising campaign underscores the importance of robust cybersecurity measures. As attackers continue to exploit gaps in ad platforms and user awareness, businesses must remain vigilant and proactive in securing their accounts. Collaboration between platform providers, cybersecurity researchers, and users is essential to combat these evolving threats.