- Researchers detected hackers creating phishing pages on Google Sites
- The pages are then advertised in Google Ads.
- Victims cannot access their accounts, which are used or sold.
Cybercriminals have found a way to abuse and impersonate Google, serve malicious ads on the search engine’s ad network, and steal login credentials from people looking to promote their businesses.
The warning comes from cybersecurity researchers at Malwarebytes, who warned users to be careful even when clicking on ads coming from Google itself.
Threat actors start by creating a fake Google Ads landing page on Google Sites, the company’s website builder that also provides users with a Google URL (something like https://sites.google.com/view/sitename) – then they create a fake ad, communicate a promotion or a new offer, and place it on the Google Ads network.
Three threat actors
“In fact, a URL cannot be displayed in an ad unless its landing page (final URL) matches the same domain name. While that is a rule intended to protect against abuse and phishing, it is very easy to circumvent,” explained Jérôme Segura, senior director of research at Malwarebytes.
“Looking at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since sites.google.com uses the same root domain as ads.google.com. In other words, it is allowed to display this URL in the ad, so it cannot be distinguished from the same ad published by Google LLC.”
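To make the root-domain rule concrete, here is an added Python example (not from Malwarebytes or the article) that applies the rule as Segura describes it and contrasts it with a stricter review check that also flags landing hosts serving user-created content; the USER_CONTENT_HOSTS set and the function names are assumptions for this example.

```python
from urllib.parse import urlparse

# Hosts that serve user-created content under a trusted brand's root domain.
# Constructed allowlist for this example; sites.google.com is the host the article names.
USER_CONTENT_HOSTS = {"sites.google.com"}


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL (no scheme, port or path)."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def root_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.
    Adequate for google.com; a production check would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def root_domain_rule(display_url: str, final_url: str) -> bool:
    """The rule described in the article: the ad may show display_url
    if the final landing page shares its root domain."""
    return root_domain(host_of(display_url)) == root_domain(host_of(final_url))


def strict_rule(display_url: str, final_url: str) -> tuple[bool, str]:
    """Stricter check: same root domain AND the landing host is not a
    user-generated-content platform that the advertised brand does not control."""
    display_host, final_host = host_of(display_url), host_of(final_url)
    if root_domain(display_host) != root_domain(final_host):
        return False, "root domain mismatch"
    if final_host in USER_CONTENT_HOSTS:
        return False, f"final URL lands on user-generated-content host {final_host}"
    if display_host != final_host:
        return True, "root domain matches, host differs"
    return True, "exact host match"
```

Run against the article's pair (display `https://ads.google.com`, final `https://sites.google.com/view/sitename`), `root_domain_rule` passes the ad while `strict_rule` rejects it.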
Victims who fall into the trap and click on the ad are redirected to a web page that asks them to log in. Once they do so, the phishing page collects their login credentials, unique identifiers, and cookies, and transmits the data to the attackers, who then log in from a separate Google account.
The last step is to lock the victim out of their account and use it to fund additional campaigns, purchase other services, and more.
Malwarebytes believes that at least three threat actors are currently deploying this tactic: a Brazilian group, an attacker based in Asia, and a group from somewhere in Eastern Europe.
Via BleepingComputer