Cybersecurity researchers have alerted to a brand new malvertising marketing campaign that is focusing on people and companies promoting by way of Google Advertisements by making an attempt to phish for his or her credentials by way of fraudulent adverts on Google.
“The scheme consists of stealing as many advertiser accounts as potential by impersonating Google Advertisements and redirecting victims to pretend login pages,” Jérôme Segura, senior director of risk intelligence at Malwarebytes, mentioned in a report shared with The Hacker Information.
It is suspected the top aim of the marketing campaign is to reuse the stolen credentials to additional perpetuate the campaigns, whereas additionally promoting them to different prison actors on underground boards. Primarily based on posts shared on Reddit, Bluesky, and Google’s personal help boards, the risk has been lively since not less than mid-November 2024.
The exercise cluster is rather a lot much like campaigns that leverage stealer malware to steal information associated to Fb promoting and enterprise accounts as a way to hijack them and use the accounts for push-out malvertising campaigns that additional propagate the malware.
The newly recognized marketing campaign particularly singles out customers who seek for Google Advertisements on Google’s personal search engine to serve bogus adverts for Google Advertisements that, when clicked, redirect customers to fraudulent websites hosted on Google Websites.
These websites then function touchdown pages to guide the guests to exterior phishing websites which might be designed to seize their credentials and two-factor authentication (2FA) codes by way of a WebSocket and exfiltrated to a distant server underneath the attacker’s management.
“The pretend adverts for Google Advertisements come from quite a lot of people and companies (together with a regional airport), in varied places,” Segura mentioned. “A few of these accounts already had a whole bunch of different reputable adverts operating.”
An ingenious facet of the marketing campaign is that it takes benefit of the truth that Google Advertisements doesn’t require the ultimate URL – the net web page that customers attain once they click on on the advert – to be the identical because the show URL, so long as the domains match.
This permits the risk actors to host their intermediate touchdown pages on websites.google[.]com whereas retaining the show URLs as adverts.google[.]com. What’s extra, the modus operandi entails using methods like fingerprinting, anti-bot site visitors detection, a CAPTCHA-inspired lure, cloaking, and obfuscation to hide the phishing infrastructure.
Malwarebytes mentioned the harvested credentials are subsequently abused to check in to the sufferer’s Google Advertisements account, add a brand new administrator, and make the most of their spending budgets for pretend Google adverts.
In different phrases, the risk actors are taking on Google Advertisements accounts to push their very own adverts as a way to add new victims to a rising pool of hacked accounts which might be used to perpetuate the rip-off additional.
“There seems to be a number of people or teams behind these campaigns,” Segura mentioned. “Notably, nearly all of them are Portuguese audio system and sure working out of Brazil. The phishing infrastructure depends on middleman domains with the .pt top-level area (TLD), indicative of Portugal.”
“This malicious advert exercise doesn’t violate Google’s advert guidelines. Risk actors are allowed to indicate fraudulent URLs of their adverts, making them indistinguishable from reputable websites. Google has but to indicate that it takes definitive steps to freeze such accounts till their safety is restored.”
The disclosure comes as Development Micro revealed that attackers are utilizing platforms akin to YouTube and SoundCloud to distribute hyperlinks to pretend installers for pirated variations of well-liked software program that finally result in the deployment of varied malware households akin to Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer.
“Risk actors typically use respected file internet hosting providers like Mediafire and Mega.nz to hide the origin of their malware and make detection and removing tougher,” the corporate mentioned. “Many malicious downloads are password-protected and encoded, which complicates evaluation in safety environments akin to sandboxes and permits malware to evade early detection.”
