- Researchers spotted hackers creating phishing pages on Google Sites
- The pages are then advertised on Google Ads
- Victims no longer have access to their accounts, which are either used or sold
Cybercriminals have found a way to abuse and impersonate Google, serving malicious ads on the search engine’s ad network and stealing the login credentials of people looking to promote their business.
The warning comes from cybersecurity researchers Malwarebytes, who have warned users to be careful even when clicking on ads originating from Google itself.
Bad actors start by creating a fake Google Ads homepage on Google Sites, the company’s website builder that also provides users with a Google URL (something like https://sites.google.com/view/sitename) – then, they create a false ad, communicating a promotion or a new offer, and place it on the Google Ads network.
Three threatening actors
“This is because you cannot display a URL in an ad unless your landing page (final URL) matches the same domain name. Although this is a rule intended to protect abuse and identity theft, it’s very easy to circumvent,” explained Jerome Segura, senior director of research at Malwarebytes.
“Looking at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since sites.google.com uses the same root domains as the ads.google.com ads. In other words, It is permitted to display this URL in the ad, making it indistinguishable from the same ad served by Google LLC.”
Victims who fall for the trick and click on the ad are redirected to a web page asking them to log in. Once they do, the phishing page collects their login credentials, unique IDs, and cookies, and relays the data to the attackers, who then log in from a separate Google account.
The final step is to block the victim’s access to their account and use it to fund additional campaigns, purchase other services, etc.
Malwarebytes estimates that at least three malicious actors are currently deploying this tactic: a Brazilian group, an attacker based in Asia, and a group from Eastern Europe.
Via BeepComputer
