Cybercriminals have launched a phishing campaign against Google Ads users by impersonating the very platform they are abusing. Using fraudulent advertisements placed on Google itself, the attackers trick advertisers into handing over their account credentials, leading to widespread account compromise and financial losses.
The operation targets individuals and businesses that advertise on Google Ads. Fraudulent ads, ironically for Google Ads itself, redirect victims to fake login pages designed to harvest credentials. The stolen accounts are either resold on black-hat forums or retained for further exploitation.
The attack’s scale is staggering. Thousands of accounts globally are likely affected, with new incidents surfacing even as others are reported and mitigated. A detailed analysis reveals the mechanics of the scheme:

- Fake ads for Google Ads: Cybercriminals launch deceptive ‘Sponsored’ results impersonating Google Ads. Victims are led to believe these are legitimate links to sign in or sign up for Google Ads services.
- Compromised advertiser accounts: These fraudulent ads often originate from hacked accounts of legitimate advertisers, some of whom had hundreds of active campaigns, amplifying the reach of malicious operations.
- Global reach: Simultaneous searches from different geolocations revealed identical fraudulent ads appearing across multiple countries, emphasising the campaign’s international scope.
Once victims click on these ads, they are redirected to pages hosted on Google Sites that mimic the Google Ads homepage. This choice of host sidesteps Google's domain-matching rule, which requires an ad's display URL and final URL to share the same root domain: a landing page on sites.google.com shares the google.com root with the google.com display URL the ad shows, so the check passes even though the content is attacker-controlled.
Hosting on Google Sites therefore does double duty for the attackers: it satisfies the platform's own URL check, and the google.com address lends the phishing page an appearance of legitimacy that makes it harder for victims and automated filters to spot.
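The gap described above can be made concrete with a small URL check. The code below is an added example and is not code from the original article or from the researchers; it models the root-domain comparison the text attributes to Google's policy as a naive check, and then shows a stricter check that additionally flags final URLs on shared-hosting subdomains such as sites.google.com. The suffix list and the shared-hosting list are deliberately small constructed stand-ins (a real deployment would use the Public Suffix List and its own inventory), and the sample ads are constructed, not captured from the campaign.

```python
"""Compare an ad's display URL with its final (landing) URL.

naive_domain_match() models a root-domain-only comparison, which a page on
sites.google.com passes when advertised as ads.google.com.
strict_domain_match() adds a rule for hosts on which arbitrary users can
publish content under a trusted brand's domain.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes that need one
# extra label to form a registrable domain (example.co.uk, not co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au"}

# Hosts where any account holder can publish pages under the parent domain.
# Constructed list for this example; extend it for your own environment.
SHARED_HOSTING = {
    "sites.google.com",
    "docs.google.com",
    "drive.google.com",
    "storage.googleapis.com",
}


def hostname(url: str) -> str:
    """Return the lower-cased host of a URL; bare hosts are accepted too."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def root_domain(host: str) -> str:
    """Registrable domain (eTLD+1) using the small suffix table above."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def naive_domain_match(display_url: str, final_url: str) -> bool:
    """Root-domain-only comparison: the check the phishing pages slip past."""
    return root_domain(hostname(display_url)) == root_domain(hostname(final_url))


def strict_domain_match(display_url: str, final_url: str) -> tuple[bool, str]:
    """Root-domain comparison plus a rule for user-publishable hosts.

    If the final URL sits on a shared-hosting host, the display URL must show
    that same host so the viewer sees where they are really being sent.
    """
    disp, fin = hostname(display_url), hostname(final_url)
    if root_domain(disp) != root_domain(fin):
        return False, "root domain mismatch"
    for shared in sorted(SHARED_HOSTING):
        if fin == shared or fin.endswith("." + shared):
            if disp != fin and not disp.endswith("." + shared):
                return False, f"final URL is user-hosted content on {shared}"
    return True, "ok"


# Constructed sample ads: one legitimate, one Google Sites phish, one lookalike.
SAMPLE_ADS = [
    {"display": "ads.google.com", "final": "https://ads.google.com/home/"},
    {"display": "ads.google.com", "final": "https://sites.google.com/view/signin-ads"},
    {"display": "ads.google.com", "final": "https://google-ads-login.example.com/"},
]


def triage(ads: list[dict]) -> list[dict]:
    """Annotate each ad with the naive and strict verdicts for comparison."""
    out = []
    for ad in ads:
        ok, reason = strict_domain_match(ad["display"], ad["final"])
        out.append({**ad,
                    "naive_pass": naive_domain_match(ad["display"], ad["final"]),
                    "strict_pass": ok, "reason": reason})
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_ADS):
        print(f"{row['final']:<50} naive={row['naive_pass']!s:<5} "
              f"strict={row['strict_pass']!s:<5} {row['reason']}")
```

The second sample ad is the shape the article describes: the naive check accepts it because both sides resolve to google.com, while the strict check rejects it because the landing page is user-published content that the display URL does not disclose. The third sample is the ordinary lookalike-domain case, which even the naive check catches.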
After landing on the counterfeit site, victims are lured into entering their credentials. Before the phishing kit transmits the credentials to the attackers' servers, it also collects identifying data about the victim, including unique identifiers, cookies, and geolocation details, which helps the attackers reuse the session and profile the account.
The compromised accounts are then taken over, often by adding new administrator users and locking out the original owners.
Researchers identified three distinct groups that are orchestrating these campaigns:

- Brazilian Team: The most prolific group, operating primarily from Brazil, uses Portuguese-language comments in their phishing kits. Despite continuous takedowns, this group maintains an unrelenting presence.
- Asian Team: Likely based in China, this group employs a similar approach but uses different phishing kits and methods.
- Eastern European campaign: This group diverges by targeting victims with fake CAPTCHA lures and heavily obfuscated phishing pages. They also appear to distribute malware alongside phishing attempts.
Compromised accounts are a goldmine for cybercriminals. These accounts fund additional scams and malvertising campaigns — all while generating revenue for Google through ad spending. Victims bear the financial and reputational brunt, while Google’s response remains inadequate, as many compromised accounts continue operating despite repeated reports.
Researchers have urged advertisers to scrutinise URLs in sponsored results and enable two-factor authentication for their accounts. For Google, researchers urged it to enhance its detection and response systems to suspend compromised accounts and improve ad vetting processes.
“As the scourge of fraudulent ads continues, we urge users to pay particular attention to sponsored results. Ironically, it’s quite possible that individuals and businesses that run ad campaigns are not using an ad-blocker (to see their ads and those from their competitors), making them even more susceptible to falling for these phishing schemes,” researchers concluded.