Google Search ads are being hacked to steal account info

Image Credit: Shutterstock (Image credit: wk1003mike / Shutterstock)

Researchers spotted hackers creating phishing pages on Google Sites
The pages are then advertised on Google Ads
Victims are locked out of their accounts, which are either used or sold

Cybercriminals have found a way to abuse and impersonate Google, run malicious ads on the search engine’s ad network, and steal login credentials from people looking to promote their businesses.

The warning comes from cybersecurity researchers at Malwarebytes, which warned users to be careful even when clicking on ads coming from the Google itself.

The threat actors start by creating a fake Google Ads homepage on Google Sites, the company’s website builder that also provides users with a Google URL (something like https://sites.google.com/view/sitename) - then, they create a fake ad, communicating a promotion or a new deal, and place it on the Google Ads network.

Three threat actors

"Indeed, you cannot show a URL in an ad unless your landing page (final URL) matches the same domain name. While that is a rule meant to protect abuse and impersonation, it is one that is very easy to get around," explained Jérôme Segura, Senior Director of Research at Malwarebytes.

"Looking back at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since sites.google.com uses the same root domains ads ads.google.com. In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC."

Victims who fall for the trick and click on the ad are redirected to a web page asking them to log in. Once they do, the phishing page collects their login credentials, unique identifiers, and cookies, and relays the data to the attackers, who then log in from a separate Google account.

The final step is to lock the victim out of their account and use it to fund additional campaigns, purchase other services, and more.

Malwarebytes believes at least three threat actors are currently deploying this tactic: a Brazilian group, an Asian-based attacker, and a group from somewhere in Eastern Europe.

Via BleepingComputer

Chinese hackers are switching to new malware for government attacks
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.