Hackers use Google Search ads to steal Google Ads accounts
Ironically, cybercriminals now use Google search advertisements to promote phishing sites that steal advertisers' credentials for the Google Ads platform.
The attackers run ads on Google Search that impersonate Google Ads. The ads appear as sponsored results and redirect potential victims to fake login pages hosted on Google Sites that look like the official Google Ads homepage, where victims are asked to log into their accounts.
Google Sites is used to host the phishing pages because it lets attackers camouflage their fake ads: the landing URL (sites.google.com) shares Google Ads' root domain, which makes the impersonation complete.
"Indeed, you cannot show a URL in an ad unless your landing page (final URL) matches the same domain name. While that is a rule meant to protect abuse and impersonation, it is one that is very easy to get around," said Jérôme Segura, Senior Director of Research at Malwarebytes.
"Looking back at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since sites.google.com uses the same root domains ads ads.google.com. In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC."
According to people who either fell victim to these attacks or saw them in action, the attacks include multiple stages:
- The victim enters their Google account information into the phishing page.
- The phishing kit collects unique identifiers, cookies, and credentials.
- The victim may receive an email indicating a login from an unusual location (Brazil).
- If the victim fails to stop this attempt, a new administrator is added to the Google Ads account via a different Gmail address.
- The threat actor goes on a spending spree and locks out the victims if they can.
At least three cybercrime groups are behind these attacks: Portuguese speakers most likely operating out of Brazil, Asia-based threat actors using advertiser accounts from Hong Kong (or from China), and a third gang likely made up of Eastern Europeans.
Malwarebytes Labs, which spotted this ongoing campaign, believes that the criminals' end goal is to sell the stolen accounts on hacking forums and use some of them to run future attacks using the same phishing techniques.
"This is the most egregious malvertising operation we have ever tracked, getting to the core of Google's business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication," Segura added.
"Ironically, it's quite possible that individuals and businesses that run ad campaigns are not using an ad-blocker (to see their ads and those from their competitors), making them even more susceptible to fall for these phishing schemes."
Stolen Google Ads accounts are highly sought after by cybercriminals, who regularly use them as fuel in other attacks that also abuse Google search ads to push malware and various scams.
"We expressly prohibit ads that aim to deceive people in order to steal their information or scam them. Our teams are actively investigating this issue and working quickly to address it," Google told BleepingComputer when asked to provide more details on the attacks.
Throughout 2023, Google also blocked or removed 206.5 million advertisements for violating its Misrepresentation Policy. It also removed over 3.4 billion ads, restricted over 5.7 billion, and suspended over 5.6 million advertiser accounts.
source: BleepingComputer