Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A New Malvertising Scam Targets Google Ads Users Stealing Credentials and 2FA Codes


Malvertising, a type of online attack that utilizes malicious advertisements to spread malware and steal sensitive information, has taken on a new form in recent weeks. A new malvertising campaign has been identified that specifically targets individuals and businesses advertising via Google Ads, with the goal of stealing their credentials.

  • Malvertising campaigns have been identified that target individuals and businesses advertising via Google Ads.
  • The schemes involve impersonating Google Ads and redirecting victims to fake login pages to steal credentials.
  • The attacks use various techniques such as fingerprinting, anti-bot traffic detection, CAPTCHA-inspired lures, cloaking, and obfuscation to conceal phishing infrastructure.
  • Google Ads users are advised to exercise caution when searching for their platform on Google's search engine and be wary of suspicious ads that redirect them to unfamiliar websites.
  • The discovery highlights the importance of robust cybersecurity measures and staying informed about emerging threats.



    According to cybersecurity researchers at Malwarebytes, the newly identified malvertising campaign specifically targets individuals and businesses advertising via Google Ads.

    The scheme behind this malvertising campaign involves impersonating Google Ads and redirecting victims to fake login pages, with the ultimate goal of stealing their credentials. The threat actors believe that by gaining access to these accounts, they can reuse the stolen credentials to further perpetuate their campaigns, while also selling them to other criminal actors on underground forums.

    The activity cluster associated with this campaign is strikingly similar to previous malvertising campaigns that leveraged stealer malware to steal data related to Facebook advertising and business accounts. However, this newly identified campaign takes a unique approach by targeting users who search for Google Ads on Google's own search engine, serving bogus ads for Google Ads that redirect users to fraudulent sites hosted on Google Sites.

    These sites then serve as landing pages that lead visitors to external phishing sites designed to capture their credentials and two-factor authentication (2FA) codes, which are sent over a WebSocket and exfiltrated to a remote server under the attacker's control. The fake ads for Google Ads come from a variety of individuals and businesses in various locations, including a regional airport.

    One ingenious aspect of this campaign is its ability to take advantage of the fact that Google Ads does not require the final URL – the web page that users reach when they click on the ad – to be the same as the display URL, as long as the domains match. This allows the threat actors to host their intermediate landing pages on sites.google[.]com while keeping the display URLs as ads.google[.]com.
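The display-URL rule above means a domain-match check alone will not catch this pattern: ads.google.com and sites.google.com share the registrable domain google.com. The following is an added example, written for this page and not code from the article or from Malwarebytes, of a defender-side triage check that flags ads whose final URL lands on a host where anyone can publish content, or whose redirect chain passes through an off-domain intermediary. It assumes you already have ad records (display URL, final URL, observed redirect hops) from an ad-transparency capture or a sandboxed click; the sample records and the hostnames in them are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts where anyone can publish pages. A registrable-domain match against such a
# host proves nothing about who controls the landing page. (Illustrative list.)
USER_CONTENT_HOSTS = {"sites.google.com"}


def host_of(url: str) -> str:
    """Return the lower-cased hostname; display URLs often lack a scheme."""
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname
    return (host or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Enough for this example; production code
    should consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class AdRecord:
    display_url: str                                          # what the ad shows
    final_url: str                                            # where the click lands
    redirect_chain: list[str] = field(default_factory=list)   # hops observed on the way


def assess_ad(ad: AdRecord) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    display_host = host_of(ad.display_url)
    final_host = host_of(ad.final_url)
    findings: list[str] = []

    # Google's rule only requires the *domains* to match, so this check alone rarely fires.
    if registrable_domain(display_host) != registrable_domain(final_host):
        findings.append(f"display domain {display_host} != final domain {final_host}")

    # The gap the article describes: same domain, but the final host is one where
    # arbitrary users can publish content.
    if final_host in USER_CONTENT_HOSTS and final_host != display_host:
        findings.append(
            f"final URL on user-content host {final_host} while ad displays {display_host}"
        )

    # Intermediary hops off the displayed domain (the article notes .pt intermediaries).
    for hop in ad.redirect_chain:
        hop_host = host_of(hop)
        if registrable_domain(hop_host) != registrable_domain(display_host):
            findings.append(f"redirect via off-domain host {hop_host}")
    return findings


# Constructed sample records (placeholders, not real ads from the campaign).
LEGITIMATE_AD = AdRecord(
    display_url="ads.google.com",
    final_url="https://ads.google.com/intl/en/home/",
)
SUSPECT_AD = AdRecord(
    display_url="ads.google.com",
    final_url="https://sites.google.com/view/PLACEHOLDER-page",
    redirect_chain=["https://intermediary-placeholder.pt/go"],
)


def triage(ads: list[AdRecord]) -> dict[str, list[str]]:
    """Map each ad's final URL to its findings, for review or alerting."""
    return {ad.final_url: assess_ad(ad) for ad in ads}


if __name__ == "__main__":
    for url, findings in triage([LEGITIMATE_AD, SUSPECT_AD]).items():
        print(url, "->", findings or "clean")
```

The user-content host list and the naive eTLD+1 logic are the two places to harden before relying on this: add every hosting surface your organisation treats as untrusted, and swap in a Public Suffix List lookup so multi-label suffixes such as co.uk are handled correctly.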

    The modus operandi of this campaign involves using techniques such as fingerprinting, anti-bot traffic detection, a CAPTCHA-inspired lure, cloaking, and obfuscation to conceal the phishing infrastructure. This makes it challenging for users to detect these malicious ads.

    Once the threat actors have harvested the credentials, they are subsequently abused to sign in to the victim's Google Ads account, add a new administrator, and utilize their spending budgets for fake Google ads. In other words, the threat actors are taking over Google Ads accounts to push their own ads in order to add new victims to a growing pool of hacked accounts that are used to perpetuate the scam further.

    There appear to be several individuals or groups behind these campaigns, the majority being Portuguese speakers and likely operating out of Brazil. The phishing infrastructure relies on intermediary domains under the .pt top-level domain (TLD), which is Portugal's.

    It's worth noting that Google has yet to take definitive steps to freeze such accounts until their security is restored. This lack of action may be due in part to the fact that the malicious ad activity does not violate Google's ad rules, as threat actors are allowed to show fraudulent URLs in their ads, making them indistinguishable from legitimate sites.

    The discovery of this new malvertising campaign serves as a reminder of the ever-evolving nature of cyber threats. As cybersecurity professionals and individuals continue to navigate the complex landscape of online advertising, it is essential to stay vigilant and take proactive measures to protect ourselves against such attacks.

    In light of this threat, it's crucial for Google Ads users to exercise caution when searching for their advertising platform on Google's search engine. Users should also be wary of ads that redirect them to unfamiliar or suspicious websites, as these may be attempts by the threat actors to phish for their credentials.

    Ultimately, this malvertising scam highlights the importance of robust cybersecurity measures and a commitment to staying informed about emerging threats. By working together, we can create a safer online environment for all users.



    Related Information:

  • https://thehackernews.com/2025/01/google-ads-users-targeted-in.html

  • https://healsecurity.com/google-ads-users-targeted-in-malvertising-scam-stealing-credentials-and-2fa-codes/


  • Published: Wed Jan 15 11:41:21 2025 by llama3.2 3B Q4_K_M