Friday, January 17, 2025

People Managing Google Ad Campaigns Are Getting Their Accounts Seized By Scammers | AdExchanger


Multiple criminal rings around the world are orchestrating surgical phishing scams that target ad industry media buyers.

Specifically, the fraudsters target ad buyers who reach the Google Ads login by running a Google search for it. They buy sponsored search results for those queries that lead to phishing pages, take over the accounts whose credentials they capture, and then spend the victims' budgets on still more phishing ads and on fraudulent click-based campaigns that funnel some of the money back to themselves.

Three operators of large Google Ads and Merchant Center accounts – two agency buyers and a consultant – separately told AdExchanger that their accounts had been compromised in December.

Jerome Segura, senior director of research at Malwarebytes, published a report on Wednesday documenting the same scam operations. He estimates that thousands of Google Ads account owners have been hit by the scam.

How it works

The Google Ads accounts are being hacked in an audacious way: the scammers place their own search ads against queries related to setting up or logging into Google Ads.

Sometimes, rather than going directly to a particular website or login page, people type a name such as “Facebook,” “ESPN fantasy,” or “Google Ads” into the browser's address bar, let it run a search, and click the result at the top of the page.

When the query is “Google Ads” and the goal is to log in, that quick click on the top result can be a huge mistake, as many ad-buying executives have recently discovered to their dismay.

In short, someone at an agency or ad-buying firm uses Google Search results as the on-ramp to their Google Ads login, and clicks a sponsored result that looks identical to Google's own promoted link for Google Ads, down to a displayed URL that reads ads.google.com. The click, however, redirects to a phishing page posing as the Google Ads login. The person enters their email and password.

The potential tripwire is two-factor authentication. One advertiser who fell for the scam told AdExchanger that they received the familiar sign-in approval prompt after entering their details, but that the prompt said the login was coming from Brazil, whereas it usually pins their own location exactly. The person said they put it down to something odd with the Wi-Fi they were using or the company's VPN.

Regardless, they approved the sign-in request, believing they were the one signing in. The prompt itself was genuine: it was triggered by the scammers logging in with the password they had just captured, and the approval let them through.
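The address bar, not the ad's displayed URL, is what tells you where you actually are. The following Python check, added here as an example and not part of the AdExchanger report, compares an ad's display URL with the page a click finally lands on, using the host names in the redirect chain. It assumes ads.google.com and accounts.google.com are the only legitimate hosts for the Google Ads sign-in (the second is Google's general sign-in host, which the article does not mention), and the sample clicks and example domains are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption for this example: these are the only hosts at which a Google Ads
# sign-in form should legitimately appear. Anything else is not a page you
# should type a Google password into.
EXPECTED_LOGIN_HOSTS = {"ads.google.com", "accounts.google.com"}


def landing_origin(url: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, hostname) for a URL, or None if it has no hostname.

    urlsplit().hostname is already lower-cased and has any user:pass@ and
    :port stripped, which defeats the 'ads.google.com@evil' trick; a trailing
    dot (the fully qualified form of the same host) is normalised away.
    """
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return parts.scheme.lower(), parts.hostname.rstrip(".")


def is_trusted_login_page(url: str) -> bool:
    """True only for an exact expected host over https."""
    origin = landing_origin(url)
    if origin is None:
        return False
    scheme, host = origin
    return scheme == "https" and host in EXPECTED_LOGIN_HOSTS


def classify_click(display_url: str, redirect_chain: List[str]) -> Dict[str, object]:
    """Compare what an ad shows with where the click ends up.

    redirect_chain is the sequence of URLs the browser visits after the click,
    in order; the last one is the page that presents the login form. An empty
    chain means the click went straight to the display URL.
    """
    final_url = redirect_chain[-1] if redirect_chain else display_url
    shown = landing_origin(display_url)
    landed = landing_origin(final_url)
    return {
        "shown_host": shown[1] if shown else None,
        "landed_host": landed[1] if landed else None,
        "hops": len(redirect_chain),
        "display_matches_landing": bool(shown and landed and shown[1] == landed[1]),
        "safe_to_sign_in": is_trusted_login_page(final_url),
    }


# Constructed sample clicks (made-up hosts, not real ad data). Every ad shows
# ads.google.com, as the phishing ads did; only the first lands there over https.
SAMPLE_CLICKS: Dict[str, Tuple[str, List[str]]] = {
    "genuine": ("https://ads.google.com", ["https://ads.google.com/home/"]),
    "subdomain_suffix": (
        "https://ads.google.com",
        ["https://click.tracker.example/r?id=1", "https://ads.google.com.login-portal.example/"],
    ),
    "host_in_path": ("https://ads.google.com", ["https://pages.example/ads.google.com/signin"]),
    "userinfo_trick": ("https://ads.google.com", ["https://ads.google.com@login-portal.example/"]),
    "plain_http": ("https://ads.google.com", ["http://ads.google.com/"]),
}


if __name__ == "__main__":
    for name, (display_url, chain) in SAMPLE_CLICKS.items():
        verdict = classify_click(display_url, chain)
        print(f"{name:17} shown={verdict['shown_host']} landed={verdict['landed_host']} "
              f"safe={verdict['safe_to_sign_in']}")
```

Run it and the genuine click is the only one reporting safe=True; the plain-http case matches on host name but still fails, because a password should only ever travel over TLS. In a browser the equivalent check is simply reading the host name in the address bar after the redirects have finished, before typing anything.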



After the account takeover, the criminals immediately added themselves as an admin and began creating new campaigns that were “effectively camouflaged as our own campaigns,” one source said.

Those new campaigns paid for more of the malicious Google Search ads that seeded the operation in the first place. One source said budgets were also spent on other click-based ads, likely on a site the scammers operate, as a way to monetize the operation; it is hard to say for certain, he said, because the scammers wiped the data on those campaigns.

The hackers were also highly experienced with the Google Ads system, sources said. After gaining admin access to one agency's Google Ads and Merchant Center accounts, which it operates on behalf of many brands, they targeted the accounts with the largest available budgets and where their campaigns would be best disguised.

“It was very quick,” said one source who observed the setup of campaigns after the account takeover, “but also showed human thoughtfulness, not just programmatic software.” (“Programmatic” in the sense of being fully automated, not with a person in control.)
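The sources said their own monitoring, not Google, caught the takeovers. Below is an added example, not code from AdExchanger or any of its sources, of the correlation that would catch the sequence described above: a sign-in from a country the user never works from, followed within a short window by an admin being added and new campaigns created under names that mimic existing ones, including actions taken by the newly added admin. The event records and field names are constructed for the example and are not the Google Ads change-history format; the 30-minute window and 0.8 similarity threshold are arbitrary starting points.

```python
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed activity records (an example format, not Google's change history):
# (timestamp, actor, sign-in country, action, detail). A normal day for one
# buyer, then a sign-in from a country they never use, followed by the sequence
# the article describes: an outside admin is added and a new campaign appears
# under a name that mimics an existing one.
Event = Tuple[str, str, str, str, str]

SAMPLE_EVENTS: List[Event] = [
    ("2024-12-09T08:02:10", "buyer@agency.example", "US", "SIGN_IN", "2fa_approved"),
    ("2024-12-09T08:30:44", "buyer@agency.example", "US", "CAMPAIGN_EDIT", "Brand - Q4 Search"),
    ("2024-12-09T14:11:03", "buyer@agency.example", "BR", "SIGN_IN", "2fa_approved"),
    ("2024-12-09T14:13:27", "buyer@agency.example", "BR", "ADMIN_ADD", "ops.manager@mailbox.example"),
    ("2024-12-09T14:19:55", "ops.manager@mailbox.example", "BR", "CAMPAIGN_CREATE", "Brand - Q4 Search 2"),
    ("2024-12-09T14:21:08", "ops.manager@mailbox.example", "BR", "BUDGET_CHANGE", "Brand - Q4 Search 2: 500 -> 9000"),
]

USUAL_COUNTRIES: Dict[str, Set[str]] = {"buyer@agency.example": {"US"}}
KNOWN_CAMPAIGNS: Set[str] = {"Brand - Q4 Search", "Brand - Shopping"}
PRIVILEGED = {"ADMIN_ADD", "CAMPAIGN_CREATE", "BUDGET_CHANGE"}
WINDOW = timedelta(minutes=30)  # arbitrary: how long after the sign-in we correlate


def lookalike_of(name: str, known: Iterable[str], threshold: float = 0.8) -> Optional[str]:
    """Existing campaign name this one most resembles (without being identical), if any."""
    best, score = None, 0.0
    for candidate in known:
        ratio = SequenceMatcher(None, name.lower(), candidate.lower()).ratio()
        if ratio > score:
            best, score = candidate, ratio
    return best if best is not None and best != name and score >= threshold else None


def find_takeover_sequences(events: Iterable[Event], usual_countries: Dict[str, Set[str]],
                            known_campaigns: Set[str], window: timedelta = WINDOW) -> List[dict]:
    """Correlate unusual-country sign-ins with privileged actions that follow them."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), actor, country, action, detail)
         for ts, actor, country, action, detail in events),
        key=lambda e: e[0],
    )
    alerts = []
    for i, (t0, user, country, action, _) in enumerate(parsed):
        # Trigger: a sign-in from somewhere this user does not normally work from.
        if action != "SIGN_IN" or country in usual_countries.get(user, set()):
            continue
        suspects = {user}  # identities acting under the suspect session
        followups = []
        for t1, actor, _, act, detail in parsed[i + 1:]:
            if t1 - t0 > window:
                break
            if actor not in suspects or act not in PRIVILEGED:
                continue
            if act == "ADMIN_ADD":
                suspects.add(detail)  # the newly added admin inherits the suspicion
            mimics = lookalike_of(detail, known_campaigns) if act == "CAMPAIGN_CREATE" else None
            followups.append({"action": act, "actor": actor, "detail": detail, "mimics": mimics})
        if followups:
            alerts.append({"user": user, "country": country,
                           "signin_at": t0.isoformat(), "followups": followups})
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sequences(SAMPLE_EVENTS, USUAL_COUNTRIES, KNOWN_CAMPAIGNS):
        print(f"{alert['user']} signed in from {alert['country']} at {alert['signin_at']}:")
        for step in alert["followups"]:
            note = f" (mimics '{step['mimics']}')" if step["mimics"] else ""
            print(f"  {step['action']:15} by {step['actor']}: {step['detail']}{note}")
```

The morning sign-in from the buyer's usual country produces nothing; the afternoon one from Brazil produces a single alert listing the admin addition, the lookalike campaign created by that new admin, and the budget change. Passing suspicion on to the added admin matters because, as the sources described, the attackers' own identity did most of the work after the first few minutes.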

All three sources AdExchanger spoke to were targeted by hackers seemingly operating out of Brazil. Segura of Malwarebytes documents another ring likely in Asia – China or Hong Kong – and a third he guesses is based in Eastern Europe, though it’s unclear.

Has it stopped?

Even this week, there are new reports of the same ads, carrying the same malicious code, spreading via Google Search sponsored links, two sources told AdExchanger.

Google has released this statement on the matter: “We expressly prohibit ads that aim to deceive people in order to steal their information or scam them. Our teams are actively investigating this issue and working quickly to address it.”

However, “prohibit” is a loose term; prohibited things happen all the time. Some of the advertiser accounts running these campaigns weathered dozens of reports that they were phishing scams before they were suspended.

Segura writes that his team reported more than 50 incidents involving the same ad account conducting this fraud over the course of a few days in December, but were unable to win the game of Whac-A-Mole. “We quickly realized that no matter how many reported incidents and takedowns, the threat actors managed to keep at least one malicious ad 24/7,” he writes.

AdExchanger's sources also said it was their own monitoring that caught the account takeovers, not Google Ads flagging the problem, and that they sometimes had to report the same account or malicious campaign repeatedly.

What about the money?

Whenever agencies and ad-buying consultants have accounts hacked or budgets drained by fraudsters, awkward questions follow: who is on the hook for the lost money?

This is a particularly uncomfortable discussion among Google, the agency and the advertiser.

After all, it was human error on the part of the agencies, consultants and direct advertisers who fell for the scam. But the fraudsters were clearly Google Ads aficionados, judging by their expertise with the system, and they used Google Search itself as the vehicle for the fraud.

The three sources who spoke to AdExchanger said their businesses immediately offered reimbursements to clients. They are also following up with Google. Each affected party said Google is offering reimbursements once the company sends information documenting the hack and commits to certain account security standards moving forward.

Another awkward factor is that the Google Ads spending may not be the point.

The scammers, after all, don't empty account wallets directly into their own pockets. What the hacks seem to do primarily is spread the operation further by paying for more fraudulent Google Search links. The malware prompts a download to the device, so there is a concern that affected devices could be tapped again for other purposes as part of a malware network.

Selling Google Ads account credentials is also a lucrative black market dealing, according to Segura. “We believe their goal is to resell those accounts on black hat forums, while also keeping some to themselves to perpetuate these campaigns.”

The best prevention advertisers can take is to … stop using Google Search as an entry point to the login portal. Bookmark the login page or type ads.google.com into the address bar yourself, and read the address bar before entering a password: an ad's displayed URL is not where the click lands. Treat a sign-in approval prompt that shows a location you are not in as someone else logging in with your password, deny it, and change the password. A second factor bound to the real site's origin, such as a hardware security key or passkey, would not complete a login started from a phishing page at all.

The exec who told AdExchanger they had fallen for the trick said they’d always clicked the sponsored link atop the Google Search page.

Why?

“I vented a little frustration with Google each time,” they said. “By making them pay a bit for every time I logged on.”
