Hackers Target Google Ad Accounts With Google Ad Phishing Scams

16 Jan 25

More deceptive Google ads are popping up online – this time targeting Google advertisers.

Thieves are placing malicious Google ads that take users to a phishing page disguised as a Google Ads login page, which can trick ad account managers into entering their username and password on the fake website. According to a report from antivirus firm Malwarebytes, those phished ad account credentials are then likely sold on hacker sites.

Attacks like this – where cybercriminals use Google Ads’ high placement in search results to spread scams and malware – are also called “malvertising” attacks.

“This is the most egregious malvertising operation we’ve ever tracked, reaching the core of Google’s business and likely affecting thousands of their customers around the world,” explains Malwarebytes security researcher Jérôme Segura, adding: “We have been reporting new incidents all the time and yet you continue to identify new ones, even at the time of publication.”

At least five individuals have already shared their experiences stumbling upon such phishing links when searching for Google Ads on Google. If a victim falls for the phishing scam, the swiped credentials are sent to the attacker, who can then add themselves as an administrator and steal the account. Some of the compromised accounts already had authentic ads running. PCMag has reached out to Google for comment.

The malicious ads used the URL “sites.google.com” to host their fake login pages. They are set to target users in the US, Germany, Spain, Portugal, Greece, France, Italy, Romania and other countries. Many of the suspicious logins that follow an account compromise come from Brazil, so the attackers may be located there.
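Because the fake login pages sit on a genuine Google host, a check for "google.com" in the address is not enough; the exact hostname has to match the sign-in service. The following is an added example, not code from PCMag or Malwarebytes, that classifies a landing URL on that basis. The sign-in host allowlist, the function names and the sample URLs are assumptions made for illustration; only sites.google.com comes from the article.

```javascript
// Added example. Host lists are assumptions, except sites.google.com, which
// is the host the article reports being used for the fake login pages.
const SIGN_IN_HOSTS = new Set(["accounts.google.com"]);
const USER_CONTENT_HOSTS = new Set(["sites.google.com"]);

// Classify where a clicked ad or reported link actually lands.
function classifyLandingUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return "invalid";
  }
  // The parser lowercases the host and splits off userinfo, so
  // "https://accounts.google.com@example.net/" has hostname "example.net".
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol !== "https:" || url.username || url.password) {
    return "suspicious";
  }
  if (SIGN_IN_HOSTS.has(host)) return "sign-in";
  if (USER_CONTENT_HOSTS.has(host)) return "user-content";
  if (host === "google.com" || host.endsWith(".google.com")) return "google-other";
  // Brand name in a host outside google.com, or a punycode (IDN) label.
  if (host.includes("google") || host.split(".").some((l) => l.startsWith("xn--"))) {
    return "lookalike";
  }
  return "other";
}

// Only the exact sign-in host is a place to type Google credentials.
function safeForGoogleCredentials(raw) {
  return classifyLandingUrl(raw) === "sign-in";
}

// Constructed sample URLs (not taken from the report).
const SAMPLES = [
  "https://accounts.google.com/signin",
  "https://sites.google.com/view/example-ads-login",
  "https://ads.google.com.example.net/login",
  "https://accounts.google.com@example.net/",
  "http://accounts.google.com/",
];

function triage(urls) {
  return urls.map((u) => [u, classifyLandingUrl(u)]);
}

console.log(triage(SAMPLES));
```

A page classified as "user-content" can be a legitimate Google Sites page; the point is that it is never where a Google password belongs.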

“This is the ultimate full-circle social engineering trick,” cybersecurity expert Roger Grimes, a “data-driven defense evangelist” at security firm KnowBe4, tells PCMag via email, adding: “Everyone, regardless of role, can be a potential target of fraud. Until Google technically understands this, advertisers need to be educated on how to recognize these ad-based phishing attacks and how to properly mitigate and report them.”

Unfortunately, fraudsters have been abusing Google Ads for years. Last year, hackers reportedly placed ads for fake authenticators that distributed malware if downloaded and mimicked the Bitwarden password manager. And in 2022, the FBI advised internet users to install ad blockers to eliminate those annoying Google search ads entirely for security reasons.

A Google representative previously told PCMag that the company doesn’t allow ads that are deceptive or distribute malware, and it removes malicious ads and suspends the accounts of associated advertisers when it finds them. It also advises users to report malicious ads when they see them. Google removed over 3.4 billion ads and 5.6 million advertiser accounts in 2023.

About Kate Irwin

I’m a reporter for PCMag covering early morning tech news. Before joining PCMag, I was a producer and reporter at Decrypt and started its gaming vertical, GG. I’ve previously written for Input, Game Rant, Dot Esports and elsewhere, covering a range of gaming, tech, crypto and entertainment news.
