
Hackers Target Google Ad Accounts—With Google Ad Phishing Scams

Cybercriminals are trying to steal accounts by tricking victims into entering their login credentials.

Kate Irwin, Reporter


More fraudulent Google ads are popping up online—this time targeting Google advertisers.

The thieves are placing malicious Google ads that take users to a phishing site disguised as a Google Ads login page, which could trick ad account managers into entering their username and password. Those phished ad account credentials are then likely being sold on hacker sites, according to a report from antivirus firm Malwarebytes.

Attacks like this—where cybercriminals leverage Google Ads' high placement in search results to spread scams and malware—are also called "malvertising" attacks.

"This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide," Malwarebytes Security Researcher Jérôme Segura explains, adding: "We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication."

At least five individuals have already shared their experiences stumbling upon such phishing links when searching for "Google Ads" on Google. If a victim falls for the phishing scam, the swiped credentials are sent to the attacker, who can then add themselves as an administrator and steal the account. Some of the compromised accounts already had authentic ads running.

The malicious ads have used the "sites.google.com" URL to deploy their fake login pages. They've been deployed to target users in the US, Germany, Spain, Portugal, Greece, France, Italy, Romania, and other countries. Many of the suspicious account logins that occur after victims' accounts are compromised happen from Brazil, so the attackers might be located there.
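Because the fake login pages sit on "sites.google.com", a check that only asks whether a URL ends in "google.com" will pass them. The following is an added example, not code from PCMag or Malwarebytes, showing an exact-host allowlist for triaging landing URLs; the set of trusted sign-in hosts and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only hosts where Google Ads credentials
# should ever be typed.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "ads.google.com"}
# Hosts under google.com that serve pages written by arbitrary users.
# The article names sites.google.com as the host of the fake login pages.
USER_CONTENT_HOSTS = {"sites.google.com"}


def classify_login_url(url: str) -> str:
    """Return 'trusted', 'user-content' or 'untrusted' for a landing URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "untrusted"  # malformed URL, e.g. broken IPv6 brackets
    # .hostname drops any "user@" prefix and port, and lower-cases the host,
    # so "accounts.google.com@sites.google.com" resolves to sites.google.com.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "untrusted"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    if host in USER_CONTENT_HOSTS:
        return "user-content"
    # Everything else, including hosts that merely contain "google.com"
    # as a prefix or label, is not a place to sign in.
    return "untrusted"


def flag_landing_pages(urls):
    """Return (url, verdict) pairs for every URL that is not a trusted login host."""
    verdicts = ((u, classify_login_url(u)) for u in urls)
    return [(u, v) for u, v in verdicts if v != "trusted"]


# Constructed sample landing URLs, not taken from the report.
SAMPLE_URLS = [
    "https://ads.google.com/home/",
    "https://sites.google.com/view/constructed-example/",
    "https://accounts.google.com@sites.google.com/view/constructed-example/",
    "https://ads.google.com.example.net/login",
]

if __name__ == "__main__":
    for url, verdict in flag_landing_pages(SAMPLE_URLS):
        print(f"{verdict:13} {url}")
```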

"This is the ultimate full circle social engineering scam," cybersecurity expert Roger Grimes—a "data-driven defense evangelist" at security firm KnowBe4—tells PCMag via email, adding: "Everyone, regardless of role, can be a potential social engineering scam target. Until Google gets this one figured out technically, advertisers need to be educated on how to recognize these ad-based phishing attacks and how to appropriately mitigate and report them."

Reached for comment, a Google spokesman confirmed to PCMag that misleading ads are not allowed and that it was investigating the issue. Roughly four hours after that, the rep said: "We have addressed this issue and are now working with impacted advertisers to regain access to their accounts. Our teams continue to implement protections to keep these bad actors off our platform."

Google tries to remove malicious ads and suspends the associated advertiser accounts when it finds them. It also advises users to report malicious ads when they see them. Google removed over 3.4 billion ads and 5.6 million advertiser accounts in 2023.

Unfortunately, scammers have been abusing Google Ads for years. Last year, hackers reportedly put up ads for fake authenticators that delivered malware if downloaded, and impersonated the Bitwarden password manager. And in 2022, the FBI advised internet users to install ad blockers to eliminate those pesky Google Ads from search entirely, for safety reasons.

Editor's Note: This story has been updated to include comment from Google.
