Cybersecurity researchers have alerted to a brand new malvertising marketing campaign that is concentrating on people and companies promoting through Google Adverts by trying to phish for his or her credentials through fraudulent adverts on Google.
“The scheme consists of stealing as many advertiser accounts as attainable by impersonating Google Adverts and redirecting victims to faux login pages,” Jérôme Segura, senior director of menace intelligence at Malwarebytes, stated in a report shared with The Hacker Information.
It is suspected the top aim of the marketing campaign is to reuse the stolen credentials to additional perpetuate the campaigns, whereas additionally promoting them to different prison actors on underground boards. Primarily based on posts shared on Reddit, Bluesky, and Google’s personal help boards, the menace has been lively since at the very least mid-November 2024.
The exercise cluster is quite a bit just like campaigns that leverage stealer malware to steal information associated to Fb promoting and enterprise accounts in an effort to hijack them and use the accounts for push-out malvertising campaigns that additional propagate the malware.
The newly recognized marketing campaign particularly singles out customers who seek for Google Adverts on Google’s personal search engine to serve bogus adverts for Google Adverts that, when clicked, redirect customers to fraudulent websites hosted on Google Websites.
These websites then function touchdown pages to steer the guests to exterior phishing websites which can be designed to seize their credentials and two-factor authentication (2FA) codes through a WebSocket and exfiltrated to a distant server below the attacker’s management.
“The faux adverts for Google Adverts come from quite a lot of people and companies (together with a regional airport), in varied areas,” Segura stated. “A few of these accounts already had lots of of different official adverts operating.”
An ingenious side of the marketing campaign is that it takes benefit of the truth that Google Adverts doesn’t require the ultimate URL – the online web page that customers attain after they click on on the advert – to be the identical because the show URL, so long as the domains match.
This enables the menace actors to host their intermediate touchdown pages on websites.google[.]com whereas preserving the show URLs as adverts.google[.]com. What’s extra, the modus operandi entails the usage of strategies like fingerprinting, anti-bot site visitors detection, a CAPTCHA-inspired lure, cloaking, and obfuscation to hide the phishing infrastructure.
Malwarebytes stated the harvested credentials are subsequently abused to sign up to the sufferer’s Google Adverts account, add a brand new administrator, and make the most of their spending budgets for faux Google adverts.
In different phrases, the menace actors are taking on Google Adverts accounts to push their very own adverts in an effort to add new victims to a rising pool of hacked accounts which can be used to perpetuate the rip-off additional.
“There seems to be a number of people or teams behind these campaigns,” Segura stated. “Notably, nearly all of them are Portuguese audio system and sure working out of Brazil. The phishing infrastructure depends on middleman domains with the .pt top-level area (TLD), indicative of Portugal.”
“This malicious advert exercise doesn’t violate Google’s advert guidelines. Menace actors are allowed to point out fraudulent URLs of their adverts, making them indistinguishable from official websites. Google has but to point out that it takes definitive steps to freeze such accounts till their safety is restored.”
The disclosure comes as Pattern Micro revealed that attackers are utilizing platforms corresponding to YouTube and SoundCloud to distribute hyperlinks to faux installers for pirated variations of widespread software program that finally result in the deployment of varied malware households corresponding to Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer.
“Menace actors typically use respected file internet hosting companies like Mediafire and Mega.nz to hide the origin of their malware and make detection and elimination harder,” the corporate stated. “Many malicious downloads are password-protected and encoded, which complicates evaluation in safety environments corresponding to sandboxes and permits malware to evade early detection.”