{"id":25729,"date":"2025-01-30T08:10:08","date_gmt":"2025-01-30T16:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2025\/01\/30\/news-19452\/"},"modified":"2025-01-30T08:10:08","modified_gmt":"2025-01-30T16:10:08","slug":"news-19452","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2025\/01\/30\/news-19452\/","title":{"rendered":"Microsoft advertisers phished via malicious Google ads"},"content":{"rendered":"\n

Just days after we uncovered a campaign<\/a> targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft advertisers. These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft’s advertising platform.<\/p>\n

Microsoft does purchase ad space on its rival’s dominant search engine; however, we found Google sponsored results for “Microsoft Ads” (formerly known as Bing Ads) that contained malicious links created by impostors.<\/p>\n

Through shared artifacts, we were able to identify additional phishing infrastructure targeting Microsoft accounts going back to a couple of years at least. We have reported these incidents to Google.<\/p>\n

Fake Microsoft Ads caught on Google Search<\/h2>\n

Microsoft made an estimated $12.2 billion<\/a> in search and news advertising revenues (including Bing) in 2023, which pales in comparison to its rival, Google, holding a much larger share of the search engine market.<\/p>\n

Since the advertising ecosystem allows for an open competition between brands, Microsoft is trying to get traffic and earn clicks from Google searches. During our investigation, we saw sponsored results for Microsoft Ads and Bing Ads that managed to slip through Google’s security checks:<\/p>\n

\"Figure<\/a>
Figure 1: A Google search for ‘microsoft ads’<\/figcaption><\/figure>\n

Redirection, cloaking and Cloudflare<\/h2>\n

The threat actors are using different techniques to evade detection and drop traffic from bots, security scanners and crawlers. Unwanted IP addresses (e.g.<\/em> VPNs) are immediately redirected to a bogus marketing website (Figure 2<\/em>). This is also known as a “white page”, meaning it looks innocent and hides its maliciousness.<\/p>\n

\"Figure<\/a>
Figure 2: Cloaking page<\/figcaption><\/figure>\n

Users that appear to be genuine are presented with a Cloudflare challenge to verify they are human. This is a legitimate instance of Cloudflare, unlike the “ClickFix” type-of-attacks<\/a> that have become very common place and trick people into pasting and executing malicious code.<\/p>\n

\"Figure<\/a>
Figure 3: Cloudflare verification<\/figcaption><\/figure>\n

Rickroll for the cheaters<\/h2>\n

After a successful Cloudflare check, users are redirected to the final phishing page via a special URL, that acts as some sort of entry point for the malicious domain ads[.]mcrosoftt[.]com<\/em>. You can see the network requests related to this redirection chain in Figure 4<\/em> below.<\/p>\n

\"Figure<\/a>
Figure 4: Network traffic for full redirection<\/figcaption><\/figure>\n

If you were to visit that domain directly instead of going through the proper ad click you’d be greeted with a rickroll<\/a>, an internet meme designed to make fun of someone. The sandbox for the web urlscan.io<\/a> has several exa<\/a>mples<\/a> of crawl requests for URLs on that server (37.120.222[.]165<\/em>) that all went to the rickroll.<\/p>\n

\"Figure<\/a>
Figure 5: Rickroll redirect<\/figcaption><\/figure>\n

Phishing page<\/h2>\n

After much subversion, real victims finally see the phishing page for the Microsoft Advertising platform. The full URL in the address bar is meant to imitate the legitimate one (ads.microsoft.com<\/em>).<\/p>\n

\"Figure<\/a>
Figure 6: Microsoft Advertising phishing page<\/figcaption><\/figure>\n

The phishing page gives user a fake error message enticing them to reset their password and seemingly tries to get past 2-Step verification as well. Handling 2FA has become a standard feature in most phishing kits, due to the rise in user adoption of this additional security layer.<\/p>\n

\"Figure<\/a>
Figure 7: Phishing steps<\/figcaption><\/figure>\n

Larger campaign<\/h2>\n

Going back to urlscanio<\/em>, we fed it the special entry URL and it was able to navigate to the phishing page<\/a>. From there, we can look at the various web requests and find something to pivot on in order to identify additional infrastructure.<\/p>\n

The favicon.ico<\/em> file is one starting point and we can query<\/a> for any scans that match its hash, excluding the official Microsoft domain. The results show that in the past week, there were several other domains that appear to be related to the theft of Microsoft Ads accounts.<\/p>\n

But this campaign appears to go back further at least a couple of years and maybe more, although it becomes somewhat tricky to know if the malicious infrastructure is tied to the same threat actors. It’s worth noting that several of the domains are either hosted in Brazil or have the ‘.com.br<\/em>‘ Brazilian top-level domain.<\/p>\n

What we discovered may only be the tip of the iceberg; by starting to investigate compromised advertiser accounts we may very well have opened Pandora’s box. This isn’t only Google or Microsoft ad accounts we are talking about, but potentially for Facebook, and many others. Of course, our scope so far has been Google Search, but we know that other platforms are rife with such phishing attacks.<\/p>\n

These recent malvertising campaigns highlight the ongoing threat of phishing through online advertising. While tech companies like Google work to combat these issues, users must remain vigilant. Here are some key steps you can take to protect yourself:<\/p>\n