- \n
- Overview<\/a><\/li>\n
- Criminals impersonate Google Ads<\/a><\/li>\n
- Lures hosted on Google Sites<\/a><\/li>\n
- Phishing for Google account credentials<\/a><\/li>\n
- Victimology<\/a><\/li>\n
- Who is behind these campaigns?<\/a><\/li>\n
- Fuel for other malware and scam campaigns<\/a><\/li>\n
- Indicators of Compromise<\/a><\/li>\n<\/ul>\n
Overview<\/h2>\n
Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials \u2014 ironically \u2014 via fraudulent Google ads.<\/p>\n
The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.<\/p>\n
This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.<\/p>\n
The following diagram illustrates at a high level the mechanism by which advertisers are getting fleeced:<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_290a44.png\")
<\/a>Figure 1: Process flow for this Google Ads heist campaign<\/em><\/figcaption><\/figure>\n Back to top<\/a><\/em><\/p>\n
Criminals impersonate Google Ads<\/h2>\n
Advertisers are constantly trying to outbid each other to reach potential customers by buying ad space on the world’s number one search engine. This earned Google a whopping $175 billion in search-based ad revenues in 2023<\/a>. Suffice to say, the budgets spent in advertising can be considerable and of interest to crooks for a number of reasons.<\/p>\n
We first started noticing suspicious activity related to Google accounts somewhat accidentally, and after a deeper look we were able to trace it back to malicious ads for… Google Ads itself! Very quickly we were overwhelmed by the onslaught of fraudulent “Sponsored” results, specifically designed to impersonate Google Ads, as can be seen in Figure 2<\/em>:<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_b6573b.png\")
<\/a>Figure 2: A malicious ad masquerading as Google Ads<\/em><\/figcaption><\/figure>\n While it is hard to believe such a thing could actually happen, the proof is there when you click on the 3-dot menu that shows more information about the advertiser. We have partially masked the victim’s name, but clearly it is not Google; they are just one of the many accounts that have already been compromised and abused to trick more users:<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_faf82f.png?w=1024\")
<\/a>Figure 3: The advertiser behind this ad is not affiliated with Google at all<\/em><\/figcaption><\/figure>\n People who will see those ads are individuals or businesses that want to advertise on Google Search or already do. Indeed, we saw numerous ads specifically for each scenario, sign up or sign in, as seen in Figure 4<\/em>:<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_2e86de.png\")
<\/a>Figure 4: Two ads for signing up and sign in to Google Ads respectively<\/em><\/figcaption><\/figure>\n The fake ads for Google Ads come from a variety of individuals and businesses, in various locations. Some of those hacked accounts already had hundreds of other legitimate ads running, and one of them was for a popular Taiwanese electronics company.<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_6a5b44.png?w=1024\")
<\/a>Figure 5: Victim accounts spending their own budgets on fake Google Ads<\/em><\/figcaption><\/figure>\n To get an idea of the geographic scope of these campaigns, we performed the same Google search simultaneously from several different geolocations (using proxies). First, here’s the malicious ad from a U.S. IP address belonging to a business registered in Paraguay:<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_c9ada3.png\")
<\/a>Figure 6: U.S.-based search showing fake Google ad<\/em><\/figcaption><\/figure>\n Now, here’s that same ad that appears on Google Search in several other countries:<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_6bd40b.png\")
<\/a>Figure 7: The same ad found in different countries<\/em><\/figcaption><\/figure>\n Back to top<\/a><\/em><\/p>\n
Lures hosted on Google Sites<\/h2>\n
Once victims click on those fraudulent ads, they are redirected to a page that looks like Google Ads’ home page<\/a>, but oddly enough, it us hosted on Google Sites<\/a>. These pages act as a sort of gateway to external websites specifically designed to steal the usernames and passwords from the coveted advertisers’ Google accounts.<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_cb6099.png\")
<\/a>Figure 8: A malicious Google Sites page impersonating Google Ads<\/em><\/figcaption><\/figure>\n There’s a good reason to use Google Sites, not only because it’s a free and a disposable commodity but also because it allows for complete impersonation. Indeed, you cannot show a URL in an ad unless your landing page (final URL<\/a>) matches the same domain name. While that is a rule meant to protect abuse and impersonation, it is one that is very easy to get around.<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_a11de7.png\")
<\/a>Figure 9: The rule that stipulates display URLs and final URLs must have matching domains<\/em><\/figcaption><\/figure>\n Looking back at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since sites.google.com<\/strong><\/em> uses the same root domains ads ads.google.com<\/strong><\/em>. In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC..<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_aecc0e.png\")
<\/a>Figure 10: The malicious ad does not violate Google’s rule on the use of the display URL<\/em><\/figcaption><\/figure>\n Back to top<\/a><\/em><\/p>\n
Phishing for Google account credentials<\/h2>\n
After the victims click on the “Start now” button found on the Google Sites page, they are redirected to a different site which contains a phishing kit. JavaScript code fingerprints users while they go through each step to ensure all important data is being surreptitiously collected.<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_baa2d6.png\")
<\/a>Figure 12: The actual phishing page that follows<\/em><\/figcaption><\/figure>\n Finally, all the data is combined with the username and password and sent to the remote server via a POST request. We see that criminals even receive the victim’s geolocation, down to the city and internet service provider.<\/p>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_ea8b00.png?w=634\")
<\/a>Figure 12: POST web request with victim’s details<\/em><\/figcaption><\/figure>\n Back to top<\/a><\/em><\/p>\n
Victimology<\/h2>\n
There are multiple online reports of people who saw the fake Google Ads and shared their experiences:<\/p>\n
- \n
- Help with removing a dangerous scam in Google Ads<\/a> (Google Ads Help forum<\/em>)<\/li>\n
- Google Ads Phishing Scam <\/a>(Reddit<\/em>)<\/li>\n
- It’s just me or Google just sponsored a link to a phising site for Google ads?<\/a> (Reddit<\/em>)<\/li>\n
- Be aware of fake google page, clicked by accident<\/a> (Reddit<\/em>)<\/li>\n
- Warning! First sponsorized google answer for “Google ads” is a phishing attempt !<\/a> (BlueSky<\/em>)<\/li>\n<\/ul>\n
We were able to get in touch with a couple of victims who not only saw the ads but were actually scammed and lost money. Thanks to their testimony and our own research, we have a better idea of the criminals’ modus operandi:<\/p>\n
- \n
- Victim enters their Google account information into phishing page<\/li>\n
- Phishing kit collects unique identifier, cookies, credentials<\/li>\n
- Victim may receive an email indicating a login from an unusual location (Brazil)<\/li>\n
- If the victim fails to stop this attempt, a new administrator is added to the Google Ads account via a different Gmail address<\/li>\n
- Threat actor goes on a spending spree, locks out victim if they can<\/li>\n<\/ul>\n
Back to top<\/a><\/em><\/p>\n
Who is behind these campaigns?<\/h2>\n
We identified two main groups of criminals running this scheme but the more prolific by far is one made of Portuguese<\/a> speakers likely operating out of Brazil. Victims have also shared that they had received a notification from Google indicating suspicious logins from Brazil. Unfortunately, those notifications often came too late or where dismissed as legitimate, and the criminals already had time to do some damage.<\/p>\n
We should also note a third campaign that is very different from the other two, and where the threat actors’ main goal is to distribute malware. The Google Ads phishing scheme may have been a temporary run which was not their main focus.<\/p>\n
Brazilian team<\/h3>\n
In the span of a few days, we reported over 50 fraudulent ads to the Google Ad team all coming from this Brazilian group. We quickly realized that no matter how many reported incidents and takedowns, the threat actors managed to keep at least one malicious ad 24\/7.<\/p>\n
Figure 13<\/em> shows the network traffic resulting from a click on the ad. You will see multiple hops before finally arriving to the phishing portal. The second URL shows the crooks are using a paid service to detect fake traffic.<\/p>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_ddb2cc.png\")
<\/a>Figure 13: Network traffic from the ‘Brazilian campaign’<\/figcaption><\/figure>\n Within the JavaScript code part of the phishing kit, there are comments in Portuguese. Figure 14<\/em> shows a portion of the code that does browser fingerprinting, which is a way of identifying users. Browser language, system CPU, memory, screen-width, and time zone are some of the data points collected and then hashed.<\/p>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_a3017d.png\")
<\/a>Figure 14: Identifying users via various settings<\/figcaption><\/figure>\n Asian team<\/h3>\n
The second group is using advertiser accounts from Hong Kong and appears to be Asia-based, perhaps from China. Interestingly, they also use the same kind of delivery chain by leveraging Google sites. However, their phishing kit is entirely different from their Brazilian counterparts.<\/p>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_807f00.png\")
<\/a>Figure 15: Web traffic for the ‘Chinese campaign’<\/figcaption><\/figure>\n Figure 16<\/em> below shows a code extract with comments in Chinese, as well as a function called xianshi<\/em>, which could be in reference to a Chinese general<\/a> of the late Qing dynasty or even a superhero from more modern gaming and literature<\/a>.<\/p>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_87ee9b.png\")
<\/a>Figure 16: Code with comments in Chinese<\/figcaption><\/figure>\n Third campaign (possibly Eastern European)<\/h3>\n
We observed another campaign which has a very different modus operandi. Google Sites is not involved at all, and instead they rely on a fake CAPTCHA lure and heavy obfuscation of the phishing page.<\/p>\n
Interestingly, the malicious ad we found was for Google Authenticator, despite the obvious ads-goo[.]click domain name. However, for about day or so, the redirect from that domain lead directly to a phishing portal hosted at ads-overview[.]com<\/em>.<\/p>\n
The reason why we suggest the threat actors may be Eastern Europeans here is because of the type of redirects and obfuscation. There is also a distant feel of ‘software download via Google ads’ we have reported on previously (see Threat actor impersonates Google via fake ad for Authenticator<\/a><\/em>).<\/p>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_ebf79e.png\")
<\/a>Figure 17: A malicious ad for Google Authenticator and fake CAPTCHA<\/figcaption><\/figure>\n A PHP script (cloch.php<\/em>) then determines if the visitor is genuine or not (likely doing a server-side IP check). VPNs, bot and detection tools will get a “white” page showing some bogus instructions on how to run a Google Ads campaign. Victims are instead redirected to ads-overview[.]com<\/em> which is a phishing portal for Google accounts.<\/p>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_06fde4.png\")
<\/a>Figure 18: Cloaking in action with a ‘white’ page or the phishing page<\/figcaption><\/figure>\n When we checked back on this campaign a few days later, we saw that the ad URL now redirected to a fake Google Authenticator site, likely to download malware. The redirection mechanism is shown in Figure <\/em>20:<\/p>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_7d0edc.png\")
<\/a>Figure 19: Web traffic for fake Google Authenticator site<\/figcaption><\/figure>\n Back to top<\/a><\/em><\/p>\n
Fuel for other malware and scam campaigns<\/h2>\n
Stolen Google Ads accounts are a valuable commodity among thieves. As we have detailed it many times on this blog, there are constant malvertising campaigns leveraging compromised advertiser accounts to buy ads that push scams or deliver malware.<\/p>\n
- \n
- Printer problems? Beware the bogus help<\/a><\/li>\n
- Malicious ad distributes SocGholish malware to Kaiser Permanente employees<\/a><\/li>\n
- Hello again, FakeBat: popular loader returns after months-long hiatus<\/a><\/li>\n
- Large scale Google Ads campaign targets utility software<\/a><\/li>\n<\/ul>\n
If you think about it for a second, crooks are using someone else’s budget to further continue spreading malfeasance. Whether those dollars are spent towards legitimate ads or malicious ones, Google still earns revenues from those ad campaigns. The losers are the hacked advertisers and innocent victims that are getting phished.<\/p>\n
As result, taking action on compromised ad accounts plays a key part in driving down malvertising attacks. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored, despite their own policy<\/a> on the subject (Figure 20<\/em>). For example, we recently saw a case where the same advertiser that had already been reported 30 times<\/a>, was still active.<\/p>\n
![\"Figure](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_faae66.png\")
<\/a>Figure 20: Google’s policy regarding violations<\/em><\/figcaption><\/figure>\n As the scourge of fraudulent ads continues, we urge users to pay particular attention to sponsored results. Ironically, it’s quite possible that individuals and businesses that run ad campaigns are not using an ad-blocker (to see their ads and those from their competitors), making them even more susceptible to fall for these phishing schemes.<\/p>\n
We don\u2019t just report on threats\u2014we block them<\/strong><\/p>\n
Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today<\/a>.<\/em><\/p>\n
Back to top<\/a><\/em><\/p>\n
Indicators of Compromise<\/h2>\n
Fake Google Sites pages<\/p>\n
sites[.]google[.]com\/view\/ads-goo-vgsgoldx
sites[.]google[.]com\/view\/ads-word-cmdw
sites[.]google[.]com\/view\/ads-word-makt
sites[.]google[.]com\/view\/ads-word-whishw
sites[.]google[.]com\/view\/ads-word-wwesw
sites[.]google[.]com\/view\/ads-word-xvgt
sites[.]google[.]com\/view\/ads3dfod6hbadvhj678
sites[.]google[.]com\/view\/aluado01
sites[.]google[.]com\/view\/ap-rei-pandas
sites[.]google[.]com\/view\/appsd-adsd
sites[.]google[.]com\/view\/asd-app-goo
sites[.]google[.]com\/view\/connectsing\/addss
sites[.]google[.]com\/view\/connectsingyn\/ads
sites[.]google[.]com\/view\/entteraccess
sites[.]google[.]com\/view\/exercitododeusvivo
sites[.]google[.]com\/view\/fjads
sites[.]google[.]com\/view\/goitkm\/google-ads
sites[.]google[.]com\/view\/hdgstt
sites[.]google[.]com\/view\/helpp2k
sites[.]google[.]com\/view\/hereon\/1sku4yf
sites[.]google[.]com\/view\/hgvfvd
sites[.]google[.]com\/view\/joaope-defeijao
sites[.]google[.]com\/view\/jthsjd
sites[.]google[.]com\/view\/logincosturms\/ads
sites[.]google[.]com\/view\/logins-words-officails
sites[.]google[.]com\/view\/logins-words-officsdp
sites[.]google[.]com\/view\/marchatrasdemarcha
sites[.]google[.]com\/view\/newmanage\/page
sites[.]google[.]com\/view\/one-vegas
sites[.]google[.]com\/view\/one-vegasw
sites[.]google[.]com\/view\/onvg-ads-word
sites[.]google[.]com\/view\/oversmart\/new
sites[.]google[.]com\/view\/pandareidel
sites[.]google[.]com\/view\/polajdasod6hbad
sites[.]google[.]com\/view\/ppo-ads
sites[.]google[.]com\/view\/quadrilhadohomemtanacasakaraio
sites[.]google[.]com\/view\/ricobemnovinhos
sites[.]google[.]com\/view\/s-ad-offica
sites[.]google[.]com\/view\/s-wppa
sites[.]google[.]com\/view\/sdawjj
sites[.]google[.]com\/view\/semcao
sites[.]google[.]com\/view\/sites-gb
sites[.]google[.]com\/view\/so-ad-reisd
sites[.]google[.]com\/view\/spiupiupp-go
sites[.]google[.]com\/view\/start-smarts
sites[.]google[.]com\/view\/start-smarts\/homepage\/
sites[.]google[.]com\/view\/umcincosetequebratudo
sites[.]google[.]com\/view\/vewsconnect
sites[.]google[.]com\/view\/vinteequatroporquarenta
sites[.]google[.]com\/view\/xvs-wods-ace
sites[.]google[.]com\/view\/zeroumnaoezerodois
sites[.]google[.]com\/view\/zeroumonlinecomosmp<\/pre>\nPhishing domains<\/p>\n
account-costumers[.]site
account-worda-ads[.]benephica[.]com
account-worda-ads[.]cacaobliss[.]pt
account[.]universitas-studio[.]es
accounts-ads[.]site
accounts[.]google[.]lt1l[.]com
accounts[.]goosggles[.]com
accounts[.]lichseagame[.]com
accousnt-ads[.]tmcampos[.]pt
accousnt[.]benephica[.]pt
accousnt[.]hyluxcase[.]me
ads-goo[.]click
ads-goog[.]link
ads-google[.]io-es[.]com
ads-overview[.]com
ads1.google.lt1l.com
ads1[.]google[.]veef8f[.]com
adsettings[.]site
adsg00gle-v3[.]vercel[.]app
adsgsetups[.]shop
advertsing-acess[.]site
advertsing-v3[.]site
as[.]vn-login[.]shop
benephica[.]pt
cacaobliss[.]pt
colegiopergaminho[.]pt
docs-pr[.]top
tmcampos[.]pt
vietnamworks[.]vn-login[.]shop<\/pre>\n - Malicious ad distributes SocGholish malware to Kaiser Permanente employees<\/a><\/li>\n
- Printer problems? Beware the bogus help<\/a><\/li>\n
- Google Ads Phishing Scam <\/a>(Reddit<\/em>)<\/li>\n
- Criminals impersonate Google Ads<\/a><\/li>\n