Google Ads Under Attack: Cyber Criminals Exploit Accounts For Malvertising


In a recent cybercrime scheme, criminals have been targeting individuals and businesses that advertise via Google Ads. To phish for their credentials, the criminals use malvertising that impersonates Google Ads and redirects victims to fake login pages.

Once the criminals obtain the login credentials, their goal is twofold: resell the accounts on blackhat forums, and use some of the accounts themselves to perpetuate these malicious campaigns.

Key Points

  • Criminals are targeting Google Ads users by phishing for their credentials.
  • They impersonate Google Ads and redirect victims to fake login pages.
  • The stolen credentials are then resold on blackhat forums or used to launch further attacks.

According to Malwarebytes,

The fake ads for Google Ads come from a variety of individuals and businesses, in various locations. Some of those hacked accounts already had hundreds of other legitimate ads running, and one of them was for a popular Taiwanese electronics company.

The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.

Google Ads Report By Malwarebytes

Impact

This cybercrime scheme can have a devastating impact on businesses that rely on Google Ads for their marketing efforts. If a business’s Google Ads account is compromised, the criminals can use it to run fraudulent ads that could damage the business’s reputation and cost them money.

Additionally, if the criminals gain access to the business’s customer data, they could use it for identity theft or other malicious purposes.

Multiple fake Google AdWords accounts - Image by Malwarebytes

How to Protect Yourself?

There are a number of steps that businesses can take to protect themselves from this type of cybercrime:

  • Be wary of any unsolicited emails or phone calls from Google Ads. Google will never ask you for your login credentials in an email or phone call.
  • If you receive a suspicious email or phone call that appears to be from Google Ads, do not click on any links or attachments. Instead, contact Google Ads directly to verify the legitimacy of the communication.
  • Enable two-factor authentication on your Google Ads account. This will add an extra layer of security by requiring a second factor, such as a code from your phone, in addition to your password to log in.
  • Regularly review your Google Ads account for suspicious activity. If you see any unauthorized charges or activity, contact Google Ads immediately.

Here are some additional points to consider:

  • It is important to stay up-to-date on the latest cybercrime threats. New scams are emerging all the time, so it is important to be aware of the latest tactics that criminals are using.
  • Businesses should also consider investing in cybersecurity training for their employees. This training can help employees to identify phishing attempts and other cyber threats.

This is not the first time; I had reported it to the Google AdWords team in 2015.
