Severity
High
Analysis Summary
Cybersecurity researchers have identified a sophisticated malvertising campaign targeting individuals and businesses through Google Ads. This campaign exploits fraudulent ads impersonating Google Ads to lure victims into phishing traps.

According to the researchers, when users search for Google Ads, they are redirected to fake login pages hosted on Google Sites, where their credentials and two-factor authentication (2FA) codes are captured via WebSockets and exfiltrated to remote servers controlled by the attackers. The stolen credentials are then used to access Google Ads accounts, where attackers add new administrators and exploit the accounts' budgets for fake ad campaigns. The end goal is twofold: to perpetuate the campaign by compromising more accounts, and to sell stolen credentials on underground forums.
A notable aspect of this campaign is its abuse of Google Ads' lenient policies, which allow display URLs to differ slightly from final URLs as long as the domains match. This loophole enables threat actors to host phishing pages on trusted platforms like Google Sites while showing legitimate-looking URLs in the ads. To enhance their attack's effectiveness, the adversaries employ advanced techniques such as fingerprinting, anti-bot traffic detection, CAPTCHA-inspired lures, cloaking, and obfuscation. These methods ensure the phishing infrastructure remains concealed from automated detection and cybersecurity measures.
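The display-URL/final-URL check described above can be expressed as a small policy evaluator. The block below is an added example, not code from the advisory or from Google; it compares the registrable domain of an ad's display URL with that of its final URL (the lenient rule the text describes), optionally enforces the exact host match the Remediation section calls for, and flags final URLs that land on user-content hosting such as Google Sites. The `USER_CONTENT_HOSTS` set, the `registrable_domain` heuristic (last two labels instead of the Public Suffix List) and the sample ads are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for the example: hosting services where arbitrary users can publish
# pages under a trusted parent domain. The advisory names Google Sites.
USER_CONTENT_HOSTS = {"sites.google.com"}


def _as_url(value):
    """Display URLs in ads are often bare hostnames; give them a scheme so urlsplit works."""
    return value if "://" in value else "https://" + value


def registrable_domain(host):
    """Simplified registrable-domain extraction (last two labels).
    A production check should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_ad(display_url, final_url, exact_match=False):
    """Return a list of policy findings for one ad.

    - "domain_mismatch": display and final URL are on different registrable domains
      (rejected even under the lenient policy the advisory describes).
    - "host_mismatch": same registrable domain but different hosts; only reported
      when exact_match=True, i.e. the stricter policy the remediation recommends.
    - "user_content_host": the final URL is on a user-content host, so a
      legitimate-looking parent domain does not vouch for the page content.
    """
    shown = urlsplit(_as_url(display_url))
    final = urlsplit(_as_url(final_url))
    shown_host = (shown.hostname or "").lower()
    final_host = (final.hostname or "").lower()

    findings = []
    if registrable_domain(shown_host) != registrable_domain(final_host):
        findings.append("domain_mismatch")
    elif exact_match and shown_host != final_host:
        findings.append("host_mismatch")
    if final_host in USER_CONTENT_HOSTS:
        findings.append("user_content_host")
    return findings


if __name__ == "__main__":
    # Constructed sample ads (not real campaign URLs).
    samples = [
        ("ads.google.com", "https://ads.google.com/intl/en/home/"),
        ("ads.google.com", "https://sites.google.com/view/constructed-lure"),
        ("ads.google.com", "https://ads-google.example/login"),
    ]
    for display, final in samples:
        print(display, "->", final)
        print("  lenient:", check_ad(display, final) or "ok")
        print("  exact:  ", check_ad(display, final, exact_match=True) or "ok")
```

Under the lenient rule the Google Sites lure passes the domain comparison and is only caught by the user-content-host check; under the exact-match rule it is additionally rejected for the host mismatch, which is the point the Remediation section makes.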
The attackers, suspected to be Portuguese-speaking individuals likely based in Brazil, use intermediary domains with the ".pt" top-level domain, indicative of their regional base of operations. The malicious activity has been active since at least mid-November 2024 and is reminiscent of other campaigns that hijack social media advertising accounts for malvertising purposes. Google has acknowledged the issue and stated its commitment to combating such threats. However, researchers highlight that Google’s ad policies inadvertently allow such campaigns to thrive, as fraudulent URLs can still appear legitimate.
This campaign highlights broader cybersecurity concerns including the use of reputable platforms like YouTube and SoundCloud to distribute malware via links to fake software installers. Attackers rely on trusted file hosting services like Mediafire and Mega.nz to evade detection. The malware payloads, such as Amadey, Lumma Stealer, Mars Stealer, and others, are often password-protected and encoded, making them harder to analyze. These developments emphasize the need for stricter enforcement of ad and platform policies to protect users and businesses from evolving threats.
Impact
- Credential Theft
- Gain Access
Remediation
- Google should mandate stricter checks for URL authenticity in advertisements by requiring the final URL and display URL to match exactly.
- Implement enhanced manual and automated reviews for ads originating from regions or accounts flagged for suspicious activities.
- Introduce real-time monitoring to detect and block malicious campaigns using techniques like cloaking, obfuscation, or domain impersonation.
- Advertisers should enable advanced security measures such as multi-factor authentication (MFA) and hardware-based security keys for their accounts.
- Regularly review account activity logs for unauthorized changes or administrator additions.
- Implement IP whitelisting to restrict account access to specific trusted networks.
- Distribute warnings about the ongoing threat to advertisers via Google’s platform, support forums, and other communication channels.
- Encourage users to bookmark official login pages to prevent accidental clicks on fraudulent ads.
- Integrate AI-based tools to identify patterns of malicious behavior, such as rapid account takeovers or unusual spending activities.
- Flag and investigate accounts showing signs of compromise, such as multiple administrator additions in short periods.
- Increase collaboration with external cybersecurity firms to share intelligence on new attack tactics and tools.
- Allow advertisers to set spending limits or alert thresholds for unusual ad spending activity.
- Enable a feature for instant account locking or administrator removal in case of suspected compromise.
- Provide immediate notifications for any account changes, including login attempts from unrecognized devices or locations.
- Ensure hosting services like Google Sites adopt additional verification measures for pages created to prevent phishing and malicious use.
- Regularly audit and purge domains or pages hosting fraudulent content.
- Collaborate with domain registrars and regional authorities to blacklist or suspend malicious domains used in phishing campaigns.
- Immediately reset credentials and enable MFA for compromised accounts.
- Review and revoke suspicious administrator access.
- Report fraudulent ads and phishing pages to Google’s support team for swift action.
- Utilize endpoint security tools to detect and remove malware if credentials were stolen on infected devices.
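Two of the recommendations above, reviewing activity logs for administrator additions and restricting access to trusted source IPs, can be turned into simple detection logic. The following is an added example, not code from the advisory or from Google Ads; the JSON-lines audit format, the field names, the event names and the log entries themselves are constructed for illustration (RFC 5737 addresses and `.test` domains). It raises an alert when an account gains two or more administrators within an hour and lists accounts accessed from addresses outside an allowlist.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: one benign administrator addition by the owner, then a burst
# of three additions on a second account from an address outside the allowlist.
SAMPLE_LOG = """
{"ts": "2025-01-10T09:00:00Z", "account": "123-456", "event": "LOGIN", "actor": "owner@example.test", "ip": "203.0.113.5"}
{"ts": "2025-01-10T09:02:00Z", "account": "123-456", "event": "ADMIN_ADDED", "actor": "owner@example.test", "target": "colleague@example.test", "ip": "203.0.113.5"}
{"ts": "2025-01-10T14:00:00Z", "account": "789-012", "event": "LOGIN", "actor": "victim@example.test", "ip": "198.51.100.77"}
{"ts": "2025-01-10T14:01:00Z", "account": "789-012", "event": "ADMIN_ADDED", "actor": "victim@example.test", "target": "mule1@attacker.test", "ip": "198.51.100.77"}
{"ts": "2025-01-10T14:03:00Z", "account": "789-012", "event": "ADMIN_ADDED", "actor": "victim@example.test", "target": "mule2@attacker.test", "ip": "198.51.100.77"}
{"ts": "2025-01-10T14:06:00Z", "account": "789-012", "event": "ADMIN_ADDED", "actor": "victim@example.test", "target": "mule3@attacker.test", "ip": "198.51.100.77"}
"""

# Assumption: the organisation's trusted egress addresses (constructed value).
TRUSTED_IPS = {"203.0.113.5"}


def parse_log(text):
    """Parse JSON-lines audit records and convert timestamps to datetime objects."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return events


def find_admin_bursts(events, window=timedelta(hours=1), threshold=2):
    """Return (account, [new admins]) for accounts that gain `threshold` or more
    administrators within `window`. A sliding window over the sorted additions is
    used; one alert per account is enough for triage."""
    additions = defaultdict(list)
    for event in events:
        if event["event"] == "ADMIN_ADDED":
            additions[event["account"]].append(event)

    alerts = []
    for account, adds in additions.items():
        adds.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(adds)):
            while adds[end]["ts"] - adds[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((account, [a["target"] for a in adds[start:end + 1]]))
                break
    return alerts


def find_untrusted_sources(events, trusted_ips):
    """Return sorted unique (account, ip) pairs for activity from outside the allowlist."""
    pairs = {(e["account"], e["ip"]) for e in events if e.get("ip") and e["ip"] not in trusted_ips}
    return sorted(pairs)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for account, admins in find_admin_bursts(log):
        print(f"ALERT admin burst on {account}: {', '.join(admins)}")
    for account, ip in find_untrusted_sources(log, TRUSTED_IPS):
        print(f"ALERT activity on {account} from untrusted address {ip}")
```

The burst detector fires as soon as the second addition lands inside the window, so a compromised account is flagged before the attacker has finished staging additional administrators; the allowlist check turns the "IP whitelisting" recommendation into an alert rather than a hard block, which is the safer first step while the trusted address set is still being established.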