A new campaign is targeting unsuspecting Google Ads users by phishing for their credentials through Google Ads itself. Individuals are tricked into entering credentials into what appears to be their Google Ads login page but is actually a site that mimics the login page and is pushed through Google Ads. This unique use of malvertising to harvest credentials fuels broader malvertising campaigns and cybercriminal operations.
What Happens?
Once an unsuspecting victim clicks on the fraudulent Google Ads page, they are prompted to enter their Google account information. In addition to account credentials, the phishing kit collects unique information, including cookies and cached browser credentials. Once this collection is complete, the threat actor attempts to log into the user’s Google Ads account and lock the account holder out. An email indicating a mysterious login attempt is the sole means of identifying this nefarious activity.
What happens next is where things get interesting. Once the threat actor has control of the account, they have two options:
- Repurpose the account to conduct malvertising campaigns leading to phishing kits, remote access trojans (RATs), information stealers, and other tools to perpetuate cybercriminal activity.
- Expand their reach within Google Ads by using the compromised account to collect additional Google Ads accounts with the same technique, building an ever-growing reserve of compromised accounts.
Analyst Comments
The ongoing campaign targeting Google Ads credentials reflects the continued increase in malvertising observed by Arete. It also highlights the need for end users to apply heightened scrutiny to communications as threat actor phishing tactics evolve and mature. Arete advises caution in day-to-day operations and encourages end users to be cognizant of the various methods threat actors use to gain initial access to victim environments.
Sources
The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads