
A new malvertising campaign targeting Google Ads users has been uncovered by cybersecurity researchers. The operation, active since mid-November 2024, aims to steal advertiser credentials through sophisticated phishing techniques.
The attackers create fraudulent Google Ads that appear when users search for Google’s advertising platform. When clicked, these ads redirect to convincing phishing sites hosted on Google Sites, ultimately capturing login credentials and two-factor authentication codes.
Key Features of the Attack:
– Exploits Google Ads’ URL display policy
– Uses sites.google.com to host malicious landing pages
– Employs advanced techniques including fingerprinting and anti-bot detection
– Primarily operated by Portuguese-speaking actors, likely from Brazil
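The hosting detail above matters for review tooling: sites.google.com serves user-created pages under the google.com domain, so a Google-looking host shown in an ad says nothing about who controls the landing page. The following check is an added example, not code from the researchers or from Google; the (display host, final URL) record format and the list of first-party sign-in hosts are assumptions, and the sample records are constructed.

```python
from urllib.parse import urlsplit

# Assumption: hosts on which a genuine Google Ads sign-in takes place.
FIRST_PARTY_HOSTS = {"ads.google.com", "accounts.google.com"}
# From the article: the phishing landing pages were hosted on Google Sites.
USER_HOSTED = {"sites.google.com"}


def classify_landing(url):
    """Return 'first-party', 'user-hosted' or 'other' for an ad's final URL."""
    try:
        parts = urlsplit(url.strip())
        # .hostname lowercases and drops any userinfo ("user@") and port.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return "other"
    if parts.scheme not in ("http", "https"):
        return "other"
    if host in USER_HOSTED:
        return "user-hosted"
    if parts.scheme == "https" and host in FIRST_PARTY_HOSTS:
        return "first-party"
    return "other"


def claims_google(display_host):
    """True when the host shown in the ad is google.com or a subdomain of it."""
    host = display_host.strip().lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def review_queue(ad_records):
    """Return ads that show a Google host but land off the first-party hosts."""
    flagged = []
    for display_host, final_url in ad_records:
        verdict = classify_landing(final_url)
        if claims_google(display_host) and verdict != "first-party":
            flagged.append((display_host, final_url, verdict))
    return flagged


# Constructed sample records (display host, final URL); not from the campaign.
SAMPLE = [
    ("ads.google.com", "https://ads.google.com/home/"),
    ("ads.google.com", "https://sites.google.com/view/constructed-example/"),
    ("ads.google.com", "https://ads.google.com@sites.google.com/view/x"),
    ("ads.google.com", "https://ads.google.com.signin.example/"),
    ("shop.example", "https://shop.example/sale"),
]
```

Running `review_queue(SAMPLE)` flags the second, third and fourth records; the third shows why the host must be parsed rather than matched as a substring.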
Once credentials are stolen, attackers:
– Take control of victims’ Google Ads accounts
– Add unauthorized administrators
– Use advertising budgets to propagate more fraudulent ads
– Sell stolen credentials on underground forums
Google’s Response:
The company acknowledges the threat and states it prohibits deceptive ads. In 2023, Google:
– Removed 3.4 billion ads
– Restricted 5.7 billion ads
– Suspended 5.6 million advertiser accounts
– Blocked 206.5 million ads for misrepresentation
The campaign highlights growing concerns about malvertising and the sophisticated methods cybercriminals use to exploit legitimate advertising platforms for malicious purposes.