Several criminal rings around the world are running targeted phishing scams against buyers of advertising media.
Specifically, the fraudsters go after ad buyers who sign in to Google Ads by way of a Google search. They serve these ad managers fraudulent sponsored search links, take over their accounts, and use their funds to run still more phishing ads and fraudulent click-based ad campaigns, diverting some of the money back to themselves.
Three major Google Search and Merchant Center account operators, two agency buyers and a consultant, separately told AdExchanger that their systems were infiltrated in December.
Jerome Segura, Senior Director of Research at Malwarebytes, published a report documenting the same fraudulent operations on Wednesday. It estimates that thousands of Google Ads account owners have been affected by the scam.
How it works
The method used to hack Google Ads accounts is bold: the scammers place their own search ads on queries related to setting up or signing in to Google Ads.
Sometimes people type things like “Facebook”, “ESPN fantasy” or “Google Ads” into their browser’s address bar instead of going directly to a specific website or login page. They then click on the search result at the top of the page.
When you take this approach and query “Google Ads” to log into your account, a quick click on the top result can turn out to be a big mistake, as many ad buying managers have recently discovered to their dismay.
In short, someone at an agency or ad buying company uses Google search results as the way to sign in to Google Ads. Except they click on a sponsored link that looks identical to a typical Google Ads promoted link in search results, with a display URL that still reads ads.google.com. The link redirects to a phishing page that imitates the Google Ads login page, and the person enters their email and password.
A potential tripwire is two-factor authentication. One advertiser who personally fell for this phishing scam told AdExchanger that he received a familiar login verification request, but that the request said the login originated from Brazil, whereas it usually pins exactly where it should be. The person said they may have put it down to something odd with the WiFi they were using or the company’s VPN.
Regardless, they approved the login request, believing it was their own login.
After taking over the account, the criminals immediately added themselves as an admin and started creating new campaigns that were “effectively disguised as our own campaigns,” they said.
These new campaigns paid for more Google Search ads that spread the malware. One source said the budgets were also spent on other click-based ads, possibly on a site run by the fraudsters, as a way to make money for the operation. It’s hard to tell, he said, because the fraudsters wiped the data on those campaigns.
The hackers were also very experienced with the Google Ads system, the sources said. After gaining administrative access to one agency’s Search and Merchant Center account, which it runs for many brand accounts, the hackers targeted the accounts with the biggest available budgets and where their campaigns could be best disguised.
“It was very fast,” said one of the sources, who followed the campaign setup after the account was taken over, “but it also showed human consideration, not just software.” (Here, “programmatic” means fully automated, with no person in control.)
All three sources AdExchanger spoke to were targeted by hackers who appeared to be operating out of Brazil. Segura of Malwarebytes documents another ring likely in Asia (China or Hong Kong) and a third he estimates is based in Eastern Europe, though that is less certain.
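As an added example (not from the article or from any of AdExchanger's sources), here is a small Python check over a constructed Google Ads change-history feed that flags the sequence described above: a login approved from an unexpected country, followed within minutes by a new admin user and new campaigns created under the same login. The event format, field names and sample values are all assumptions; a real feed would be exported from the account's change history.

```python
from datetime import datetime, timedelta

# Constructed sample change history (not taken from the article): a normal login,
# then a login approved from an unexpected country that is followed within minutes
# by a new admin user and new campaigns, the pattern the sources describe.
EVENTS = [
    {"ts": "2024-12-10T09:00:00", "type": "login", "user": "buyer@agency.example", "country": "US"},
    {"ts": "2024-12-10T14:02:00", "type": "login", "user": "buyer@agency.example", "country": "BR"},
    {"ts": "2024-12-10T14:05:00", "type": "user_added", "user": "buyer@agency.example",
     "detail": "new-admin@example.net", "role": "admin"},
    {"ts": "2024-12-10T14:07:00", "type": "campaign_created", "user": "buyer@agency.example",
     "detail": "Brand Search Q4"},
    {"ts": "2024-12-10T14:09:00", "type": "campaign_created", "user": "buyer@agency.example",
     "detail": "Brand Search Q4 (copy)"},
]


def find_takeover_indicators(events, expected_countries, window=timedelta(minutes=30)):
    """Return one alert per login from outside expected_countries that is followed,
    within `window`, by privileged changes (admin added, campaign created) made by
    the same user. A geo mismatch with no follow-on changes does not alert on its
    own, and changes outside the window are ignored."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "login" or ev["country"] in expected_countries:
            continue
        start = datetime.fromisoformat(ev["ts"])
        admins, campaigns = [], []
        for follow in ordered[i + 1:]:
            if follow["user"] != ev["user"]:
                continue
            if datetime.fromisoformat(follow["ts"]) - start > window:
                break  # events are time-ordered, so nothing later can be in the window
            if follow["type"] == "user_added" and follow.get("role") == "admin":
                admins.append(follow["detail"])
            elif follow["type"] == "campaign_created":
                campaigns.append(follow["detail"])
        if admins or campaigns:
            alerts.append({"login_ts": ev["ts"], "user": ev["user"], "country": ev["country"],
                           "admins_added": admins, "campaigns": campaigns})
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_indicators(EVENTS, expected_countries={"US"}):
        print(alert)
```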
Has it stopped?
Even this week, there were new reports of the same ads with the same malicious code spreading through sponsored links on Google Search, two sources told AdExchanger.
Google issued only this statement on the matter: “We expressly prohibit ads that are designed to deceive people in order to steal their information or defraud them. Our teams are actively investigating this issue and working quickly to resolve it.”
However, “prohibit” is a loose term. Things that are prohibited happen all the time. Some of the advertiser accounts running these campaigns were reported as phishing scams dozens of times before being suspended.
Segura writes that his team reported more than 50 incidents involving the same ad account running the scam over a few days in December, but was unable to win the whack-a-mole game. “We quickly realized that regardless of the number of reported incidents and takedowns, threat actors managed to maintain at least one malicious ad 24/7,” he writes.
AdExchanger’s sources also said that it was their own systems that identified the account hacks, not Google Ads, and that they sometimes had to repeatedly report the same account or malicious ad campaign.
What about money?
Whenever ad buying agencies and consultants have their accounts hacked or their budgets emptied by fraudsters, uncomfortable questions arise: Who is on the hook for the lost money?
And this is a particularly unpleasant discussion between Google, the agency and the advertiser.
After all, it was largely human error on the part of the agencies, consultants and direct advertisers targeted by this scam. But the fraudsters happened to be fluent in Google Ads, judging by their keen familiarity with the system, and used Google Search itself as the fraud tool.
The three sources who spoke to AdExchanger said their businesses immediately offered refunds to clients. They also took the matter to Google. Each affected party said Google is offering compensation once the company submits documentation of the hack and commits to certain account security standards.
Another troubling aspect of this hack is that Google Ads may not be its end goal.
After all, the fraudsters do not empty account wallets into their own pockets. The hacks seem to serve mainly to spread the malware further by paying for more fraudulent links on Google Search. The phishing pages prompt victims to download the malware to their devices, so there is concern that affected devices could be enlisted for other purposes as part of a malware network.
Selling Google Ads account credentials is also a lucrative business on the black market, according to Segura. “We believe their goal is to sell these accounts on black hat forums while keeping some for themselves to sustain these campaigns.”
The best prevention advertisers can take is simple: stop using Google Search as the entry point to the login portal.
The executive who told AdExchanger that they fell for the trick said they always clicked on the sponsored link at the top of the Google Search page.
Why?
“Every time I took out a little frustration on Google,” they said. “By paying a little bit for each login.”