Scammers are hijacking Google Ads accounts from advertisers

Criminal groups worldwide are conducting phishing attacks targeting advertisers.

Phishing attacks are a type of fraud where attackers attempt to steal users' personal data: logins, passwords, bank card numbers, and other sensitive information. They create fake websites, emails, or messages disguised as official sources—banks, popular services, or colleagues. Scammers demand urgent data entry, threatening account suspension or promising important information. When a user falls for the trick, their data ends up in the hands of the attackers.

The scheme is simple: fraudsters place fake ads in Google search results targeting advertisers searching for the Google Ads login page. After gaining access to accounts, criminals use victims' advertising budgets to place new phishing ads, thus monetizing the stolen funds.

In December, three major operators of Google Search and Merchant Center accounts (two agencies and one consultant) independently reported breaches in their systems to AdExchanger.

Senior Director of Research at Malwarebytes, Jérôme Segura, published a detailed report on these fraudulent schemes. He estimates that thousands of Google Ads account owners have been victimized.

Trojan Portal

Main takeaways from the Malwarebytes report:

  • The article describes a large-scale phishing campaign targeting Google Ads users.
  • Criminals create fake ads that redirect victims to fraudulent login pages.
  • These pages mimic the Google Ads interface and steal victims' credentials.
  • Stolen accounts are sold on black markets or used for new fraudulent operations.
  • The main groups of perpetrators operate from Brazil, China, and Eastern Europe.
  • The campaign affects both companies and individual advertisers worldwide.
  • Compromised accounts are used to spread malware and run fraudulent ad campaigns.
  • Despite numerous complaints, Google has not taken sufficient measures to address the problem.

How does it work?

The hacking scheme is surprisingly simple: scammers create fake ads targeting search queries related to Google Ads login or setup.

Many users, instead of navigating directly to the site, type queries like “Facebook,” “ESPN fantasy,” or “Google Ads” into the browser and click the top search result.

This method of accessing accounts via search results carries significant risks.

The fraud mechanism works as follows: when an ad agency employee searches for the Google Ads login page via Google Search, they see an ad displaying the correct link, ads.google.com. However, the ad redirects to a fake login page where the user enters their credentials.
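The mismatch described above, between the address an ad displays and the page the click lands on, can be checked mechanically. The following is an added example, not code from AdExchanger or the Malwarebytes report: it compares the host at the end of a redirect chain against an exact allowlist. The allowlist contents, the function names and the sample chains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts where this team expects to enter Google credentials.
TRUSTED_LOGIN_HOSTS = {"ads.google.com", "accounts.google.com"}


def landing_host(url):
    """Return the host the browser would really connect to, or None if not HTTPS."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return None
    host = parts.hostname  # drops any "user@" prefix and ":port" suffix, lowercases
    return host.rstrip(".") if host else None


def check_ad_click(display_url, redirect_chain):
    """Compare the URL an ad displays with the last URL of its redirect chain."""
    if "://" not in display_url:
        display_url = "https://" + display_url
    shown = landing_host(display_url)
    final = landing_host(redirect_chain[-1]) if redirect_chain else None
    if final is None:
        return "block: no https landing page"
    if final in TRUSTED_LOGIN_HOSTS:
        return "allow"
    if shown in TRUSTED_LOGIN_HOSTS:
        return "block: ad shows %s but lands on %s" % (shown, final)
    return "block: untrusted host %s" % final


# Constructed redirect chains; every .example host is a placeholder.
SAMPLES = {
    "lookalike suffix": ["https://click.example/aclk?id=1",
                         "https://ads.google.com.login.example/signin"],
    "userinfo trick": ["https://ads.google.com@login.example/"],
    "genuine": ["https://accounts.google.com/signin"],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        print(name, "->", check_ad_click("ads.google.com", chain))
```

The comparison is an exact match on the parsed hostname, so a trusted name that merely appears somewhere inside the URL string does not pass.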

Even two-factor authentication doesn’t always protect users. One victimized advertiser told AdExchanger that they received a routine authentication request. The only unusual signal was a login attempt from Brazil, whereas the system usually identifies the location accurately. The advertiser assumed it was a Wi-Fi or corporate VPN glitch.

Ultimately, they approved the login, unaware of the danger.

Once the account was compromised, the attackers acted swiftly: they appointed themselves as administrators and launched new ad campaigns that “skillfully mimicked our own.”
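The sequence the advertiser describes (an approved login from an unexpected country, followed quickly by new administrators and new campaigns) is the kind of pattern an agency's own monitoring can look for. This is an added example, not part of the original reporting; the event tuples, field order, action names and the one-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumption: how long after an unusual login to watch
SENSITIVE = {"admin_granted", "campaign_created"}

# Constructed account-activity events: (timestamp, action, actor, country).
EVENTS = [
    ("2024-12-10T09:00:00", "login", "alice@agency.example", "US"),
    ("2024-12-10T09:05:00", "campaign_created", "alice@agency.example", "US"),
    ("2024-12-11T03:12:00", "login", "alice@agency.example", "BR"),
    ("2024-12-11T03:14:00", "admin_granted", "alice@agency.example", "BR"),
    ("2024-12-11T03:20:00", "campaign_created", "new-admin@mail.example", "BR"),
]


def find_takeover_signals(events, usual_countries, window=WINDOW):
    """Flag unusual-country logins and sensitive changes that follow them."""
    alerts = []
    suspect_until = None  # account stays suspect until this time
    for ts, action, actor, country in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "login" and country not in usual_countries:
            suspect_until = when + window
            alerts.append((ts, "login from unusual country " + country, actor))
        elif action in SENSITIVE and suspect_until and when <= suspect_until:
            # Any actor counts: the new administrator may be the intruder.
            alerts.append((ts, action + " after unusual login", actor))
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_signals(EVENTS, {"US"}):
        print(alert)
```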

Dark Market in the Darknet

There are “black markets” for data on the internet: illegal online platforms where stolen information such as logins, passwords, credit card numbers, and personal and medical data is sold. These platforms operate in the darknet and use Tor to conceal their activities.

Using stolen budgets, scammers placed Google ads that distributed malware. According to one source, funds were also spent on pay-per-click ads, likely on websites controlled by the scammers. The exact details are impossible to determine, as the attackers erased all records of the campaigns conducted.

Sources noted the attackers’ high proficiency in using Google Ads.

“Everything happened very quickly,” said one source who observed the campaign setups after the hack. “But the actions clearly demonstrated human intelligence, not an automated program.”

All three sources interviewed by AdExchanger fell victim to hackers, presumably operating out of Brazil. According to Malwarebytes’ Segura, two additional groups are active: one likely based in Asia (China or Hong Kong), and the other presumably from Eastern Europe.

Brazilian hackers have frequently made headlines for large-scale ad fraud. Read the article: “HUMAN discovered a pirate network with 2.5 billion daily ad requests”.

How to stop it?

According to two AdExchanger sources, malicious ads continue to spread through Google Search’s sponsored links this week.

“We strictly prohibit ads that aim to deceive people into stealing their information or committing fraud,” Google stated. “Our teams are actively investigating this issue and working quickly to resolve it.”

However, the word “prohibit” seems misplaced — this prohibited activity continues unchecked. Scammers manage to collect dozens of complaints about their phishing campaigns before their accounts are blocked.

Segura reports that his team identified more than 50 cases of fraud involving the same ad account over several days in December. Addressing the situation felt like a never-ending game of “whack-a-mole.”

A game of whack-a-mole

“We quickly realized that no matter how many complaints were filed and processed, the attackers still managed to keep at least one malicious ad active around the clock,” he writes.

According to AdExchanger sources, the breaches were detected by their own monitoring systems, not Google Ads’ security measures. Moreover, they had to file repeated complaints about the same compromised accounts and fraudulent campaigns.

What about the money?

When scammers hack advertising agencies’ accounts or drain their budgets, a natural question arises: who will compensate for the stolen funds?

This issue becomes the subject of complex negotiations between Google, the agency, and the advertiser.

On one hand, the victims made a human error. On the other, the scammers demonstrated expert knowledge of Google Ads and masterfully exploited the search engine for their schemes.

The advertising dragon and treasures

According to three AdExchanger sources, their companies immediately offered to reimburse clients’ expenses. They are in talks with Google, and the company is willing to cover costs — provided that evidence of the hack is supplied and a commitment to adhere to specific security standards in the future is made.

The situation is complicated by the fact that fighting fraud in Google Ads seems nearly impossible.

Scammers are not just stealing money from ad accounts. Their main goal is to use the stolen budgets to distribute malware through fraudulent links in Google Search. Once installed on a victim’s device, such programs can be used to create a botnet — a network of infected computers.

According to Segura, selling Google Ads account credentials is a lucrative business on the black market. “We believe their goal is to resell these accounts on hacker forums, leaving some for ongoing fraudulent campaigns.”

The best prevention for advertisers is to stop using Google Search as the entry point to the portal.

Specialists who fell victim to this ploy and shared their stories with AdExchanger admitted that they regularly used sponsored links on Google’s search page.

Why?

“Because I don’t like Google. Every time, I made Google pay a little bit for me logging into Google Ads,” they said.

Fools’ legacy