Cybersecurity researchers have alerted to a brand new malvertising marketing campaign that is concentrating on people and companies promoting through Google Adverts by trying to phish for his or her credentials through fraudulent adverts on Google.
“The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages,” Jérôme Segura, senior director of menace intelligence at Malwarebytes, stated in a report shared with The Hacker Information.
It is suspected the tip aim of the marketing campaign is to reuse the stolen credentials to additional perpetuate the campaigns, whereas additionally promoting them to different prison actors on underground boards. Based mostly on posts shared on Reddit, Bluesky, and Google’s personal assist boards, the menace has been energetic since not less than mid-November 2024.
The exercise cluster is lots much like campaigns that leverage stealer malware to steal information associated to Fb promoting and enterprise accounts to be able to hijack them and use the accounts for push-out malvertising campaigns that additional propagate the malware.
The newly recognized marketing campaign particularly singles out customers who seek for Google Adverts on Google’s personal search engine to serve bogus adverts for Google Adverts that, when clicked, redirect customers to fraudulent websites hosted on Google Websites.
These websites then function touchdown pages to guide the guests to exterior phishing websites which might be designed to seize their credentials and two-factor authentication (2FA) codes through a WebSocket and exfiltrated to a distant server underneath the attacker’s management.
“The fake ads for Google Ads come from a variety of individuals and businesses (including a regional airport), in various locations,” Segura stated. “Some of those accounts already had hundreds of other legitimate ads running.”
An ingenious facet of the marketing campaign is that it takes benefit of the truth that Google Adverts doesn’t require the ultimate URL – the online web page that customers attain once they click on on the advert – to be the identical because the show URL, so long as the domains match.
This enables the menace actors to host their intermediate touchdown pages on websites.google[.]com whereas holding the show URLs as adverts.google[.]com. What’s extra, the modus operandi entails the usage of methods like fingerprinting, anti-bot visitors detection, a CAPTCHA-inspired lure, cloaking, and obfuscation to hide the phishing infrastructure.
Malwarebytes stated the harvested credentials are subsequently abused to check in to the sufferer’s Google Adverts account, add a brand new administrator, and make the most of their spending budgets for faux Google adverts.
In different phrases, the menace actors are taking on Google Adverts accounts to push their very own adverts to be able to add new victims to a rising pool of hacked accounts which might be used to perpetuate the rip-off additional.
“There appears to be several individuals or groups behind these campaigns,” Segura stated. “Notably, the majority of them are Portuguese speakers and likely operating out of Brazil. The phishing infrastructure relies on intermediary domains with the .pt top-level domain (TLD), indicative of Portugal.”
“This malicious ad activity does not violate Google’s ad rules. Threat actors are allowed to show fraudulent URLs in their ads, making them indistinguishable from legitimate sites. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored.”
The disclosure comes as Development Micro revealed that attackers are utilizing platforms equivalent to YouTube and SoundCloud to distribute hyperlinks to faux installers for pirated variations of standard software program that in the end result in the deployment of varied malware households equivalent to Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer.
“Threat actors often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware and make detection and removal more difficult,” the corporate stated. “Many malicious downloads are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection.”
