Malvertising Scam Targets Google Ads Users.
Posted by Okachinepa on 01/16/2025 @


[Image: Courtesy of SynEvol. Credit: Malwarebytes]
Cybersecurity researchers have warned of a new malvertising campaign that uses fake Google Ads to phish for the credentials of individuals and businesses that advertise through Google Ads.
Jérôme Segura, senior director of threat intelligence at Malwarebytes, told The Hacker News that the plan is to "steal as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages."
The campaign's ultimate objective is believed to be selling the stolen credentials to other criminal actors on underground forums, and reusing them to keep the operation going. Posts on Google's support forums, Bluesky, and Reddit indicate that the threat has been active since at least mid-November 2024.
The activity cluster closely resembles operations that use stealer malware to harvest Facebook business and advertising accounts, then use those accounts to push out malvertising campaigns that spread more of the malware.
The newly discovered campaign specifically targets people who search for Google Ads on Google's own search engine, serving them fake Google Ads advertisements that, when clicked, send visitors to fraudulent pages hosted on Google Sites.
These pages act as landing pages that forward users to external phishing sites built to capture their login credentials and two-factor authentication (2FA) codes over a WebSocket and exfiltrate them to a remote server controlled by the attacker.
"The fake ads for Google Ads come from a variety of individuals and businesses (including a regional airport), in various locations," Segura stated. "Some of those accounts already had hundreds of other legitimate ads running."

[Image: Courtesy of SynEvol. Credit: Malwarebytes]
One clever feature of the campaign is that it exploits the fact that Google Ads does not require the final URL (the page users land on after clicking the ad) to match the display URL, as long as the two share the same domain.
This lets the threat actors keep the display URL as ads.google[.]com while hosting their intermediate landing pages on sites.google[.]com, both under google[.]com. The phishing infrastructure is further hidden through cloaking, obfuscation, fingerprinting, anti-bot traffic detection, and a CAPTCHA-style lure.
According to Malwarebytes, the stolen credentials are then abused to log in to the victim's Google Ads account, add a new administrator, and spend the account's budget on fraudulent Google ads.
In other words, the threat actors run their own ads from hijacked Google Ads accounts to reach more victims, feeding a growing pool of compromised accounts that is used to spread the scam further.
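The display-URL rule above, and the hand-off from the Google Sites landing page to an external phishing host described earlier, are easy to model. The following is an added example written for this page, not Malwarebytes or Google code: it reproduces the one policy rule the article describes (display URL and final URL must share a domain), then follows a redirect chain as a crawler or proxy would record it and flags the first hop that leaves the advertised domain. All URLs and chains are constructed; sites.google.com is the only hosted-content host the article names, and the suffix list, the hosted-content host list and the scoring logic are assumptions of this example.

```python
"""Ad triage for the display-URL / final-URL gap described above.

Added example, not Malwarebytes or Google code.  Models the policy rule
(display and final URL must share a domain), then follows a recorded
redirect chain to find where the visitor actually ends up.
"""
from urllib.parse import urlparse

# Minimal public-suffix handling, enough for the hosts used here (assumption).
# A real tool should use the full Public Suffix List (e.g. the tldextract package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.pt", "com.au"}

# Hosts that serve arbitrary user-created pages under a trusted domain.
# sites.google.com comes from the campaign above; the list is otherwise an assumption.
USER_CONTENT_HOSTS = {"sites.google.com"}


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased; empty string if unparsable."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: sites.google.com -> google.com, a.b.co.uk -> b.co.uk."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def passes_display_url_check(display_url: str, final_url: str) -> bool:
    """The policy rule as the article describes it: same registrable domain is enough."""
    return registrable_domain(host_of(display_url)) == registrable_domain(host_of(final_url))


def triage_ad(display_url: str, final_url: str, redirect_chain: list[str]) -> dict:
    """Score one ad plus the hops observed after clicking it.

    Returns the policy verdict, human-readable findings, and the index of the
    first hop outside the advertised domain (None if the chain never leaves it).
    """
    findings = []
    advertised = registrable_domain(host_of(display_url))
    landing = host_of(final_url)

    policy_ok = passes_display_url_check(display_url, final_url)
    if not policy_ok:
        findings.append("display and final URL domains differ (policy would reject)")
        return {"policy_ok": False, "findings": findings, "first_external_hop": None}

    # Same domain, but the landing page sits on a hosted-content subdomain that
    # anyone can publish to: ads.google.com on the ad, sites.google.com on the page.
    if landing in USER_CONTENT_HOSTS and landing != host_of(display_url):
        findings.append(f"landing page on hosted-content host {landing} "
                        f"behind display host {host_of(display_url)}")

    # Follow the chain: the first hop outside the advertised domain is what the
    # display URL hides from the user (and from the policy check).
    first_external = None
    for idx, hop in enumerate(redirect_chain):
        if registrable_domain(host_of(hop)) != advertised:
            first_external = idx
            findings.append(f"hop {idx} leaves {advertised}: {host_of(hop)}")
            break

    return {"policy_ok": policy_ok, "findings": findings, "first_external_hop": first_external}


# Constructed sample records (not real campaign infrastructure).
MALICIOUS_AD = dict(
    display_url="https://ads.google.com",
    final_url="https://sites.google.com/view/constructed-landing",
    redirect_chain=[
        "https://sites.google.com/view/constructed-landing",
        "https://verify-ads.example",               # intermediary hop (stands in for the .pt domains)
        "https://accounts-login.example/signin",    # credential and 2FA phishing page
    ],
)

BENIGN_AD = dict(
    display_url="https://example.com",
    final_url="https://www.example.com/landing",
    redirect_chain=["https://www.example.com/landing"],
)

if __name__ == "__main__":
    for name, ad in (("malicious", MALICIOUS_AD), ("benign", BENIGN_AD)):
        print(name, triage_ad(**ad))
```

The point the output makes is that the malicious record passes `passes_display_url_check` exactly as the article says it does; only following the chain past the Google Sites page reveals the external host. In a proxy or crawler pipeline the chain would come from recorded 3xx responses and script-driven navigations rather than a hard-coded list.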
"There appear to be several individuals or groups behind these campaigns," Segura said. Interestingly, most of them speak Portuguese and are probably based in Brazil. The intermediary domains used by the phishing infrastructure are under the Portuguese top-level domain (TLD), .pt.
"This malicious ad activity does not break Google's ad guidelines. Threat actors are permitted to display phony URLs in their advertisements that are identical to authentic ones. Google has not yet demonstrated that it takes decisive action to freeze such accounts until their security is restored."
"We specifically forbid advertisements that seek to deceive people in order to steal their information or scam them," a Google representative told The Hacker News in a statement. "Our teams are working swiftly to resolve this issue and are currently looking into it."
Google also acknowledged the existence of these malicious ad campaigns and stated that it is constantly monitoring its ad network for misuse and taking enforcement action against advertisers who use their ads to deceive users by hiding or misrepresenting information about their company, goods, or services.
It also reported that in 2023 it suspended more than 5.6 million advertiser accounts, restricted more than 5.7 billion ads, and removed more than 3.4 billion ads. Its Misrepresentation Policy accounted for 206.5 million of the blocked ads.
The disclosure follows Trend Micro's finding that attackers are using platforms such as SoundCloud and YouTube to spread links to fake installers for pirated versions of well-known software, which ultimately deliver several malware families, including Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer.
"Threat actors often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware and make detection and removal more difficult," the company said. "Many malicious downloads are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection."