*Scroll to the bottom for a recent update - March 1, 2023
Countless enterprises use Google Ads to promote their products and services, reaching potential customers worldwide through search results and partner sites.
According to Statista's most recent report, the search advertising market is expected to grow from US$296.70 billion in 2023 to an estimated US$435.20 billion by 2027, making it one of the fastest-growing segments of the digital economy. That reach has also attracted cybercriminals, who have discovered that buying ads themselves is an effective way to put malicious pages at the top of search results.
Attacks on Google Ads
Researchers tracked a threat actor, DEV-0569 (Microsoft's designation), that used Google Ads to distribute malware. The ads lead to lookalike download sites; the trojanized installer steals victims' credentials such as saved passwords, and the resulting access is used to breach the account or network and deploy ransomware. Security researchers Germán Fernández, MalwareHunterTeam, and Will Dormann documented how far this had gone, with Google search results for popular software crowded with malicious ads. According to their reports, the ads impersonated the download pages of AnyDesk, Rufus, TradingView, LightShot, FileZilla, VLC, 7-Zip, WinRAR, LibreOffice, and Awesome Miner.
When a victim clicks one of these ads, it leads to a lookalike site that imitates the real download portal or vendor website. Clicking the download button there fetches an MSI installer that, depending on the campaign, downloads and installs further malware. RedLine Stealer, Vidar, Gozi/Ursnif, and Cobalt Strike are the payloads most often seen in these malicious advertising campaigns.
According to security researchers, DEV-0569 operates as an initial access broker: it runs the malware distribution that breaches corporate systems through Google Ads, then either uses that access in its own attacks or sells the stolen credentials and access to other malicious actors, including the Royal ransomware gang.
Attackers using Google Ads for phishing attacks
Researchers have also found Google Ads being used for credential phishing campaigns.
On February 7, Bitwarden users saw a Google Ad titled 'Bitward - Password Manager' in the Google search results for "bitwarden password manager." Clicking it led to a page at 'bitwardenlogin.com', a complete replica of the legitimate Bitwarden Web Vault login page. Once the user's credentials were entered and submitted, the page redirected the user to the legitimate Bitwarden login page, leaving the victim with nothing more suspicious than a login that seemed not to take. A Reddit thread about the phishing page showed how similar the fake and legitimate login pages looked.
Cybersecurity researcher MalwareHunterTeam has also found ads of this kind targeting 1Password credentials. The attackers increase their success rate with adversary-in-the-middle (AiTM) phishing: instead of a static copy of the login form, toolkits such as Modlishka, Evilginx2, and Muraena proxy the real login page to the victim, relay the credentials and one-time codes the victim types to the legitimate service, and capture the resulting session cookie, which lets the attacker sign in without repeating MFA.
Google Ads are increasingly being used as a platform for these campaigns. Google needs to take firmer steps to remove them, including a more stringent ad review process and penalties for advertisers who abuse the platform. Users, for their part, should be cautious about clicking ads and should download software only from official websites or app stores.
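One way to catch a visit like the 'bitwardenlogin.com' one in the SOC, as an added example that is not code from the original post or from the researchers it names: a scan over constructed proxy log lines that flags hosts carrying a protected brand name outside the brand's own registrable domain, or close to the brand by string similarity. The brand list, allowlist, similarity threshold, log format and log lines are assumptions for illustration.

```python
"""
Lookalike-domain detection over constructed proxy log lines.
Added example for this post; not code from the original article or from
any vendor. Brand list, allowlist, threshold and log lines are assumed.
"""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Brands to protect, mapped to the registrable domains they really use
# (assumed allowlist; load this from configuration in practice).
PROTECTED = {
    "bitwarden": {"bitwarden.com"},
    "1password": {"1password.com"},
    "anydesk": {"anydesk.com"},
}
TYPOSQUAT_THRESHOLD = 0.85  # assumed; tune against your own traffic

# Constructed sample lines in a "client_ip url" layout.
SAMPLE_LOG = """\
10.0.0.12 https://vault.bitwarden.com/#/login
10.0.0.12 https://bitwardenlogin.com/login
10.0.0.15 https://bitwarden.com.auth-portal.net/vault
10.0.0.20 https://my.1password.com/signin
10.0.0.20 https://1passw0rd.com/signin
10.0.0.31 https://anydesk.com/en/downloads
10.0.0.31 https://anydeesk.com/download
"""


def registrable_domain(host):
    """Last two labels of the host.

    Simplification: production code should consult the Public Suffix
    List so that names such as example.co.uk are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return (brand, reason) if host looks like an impersonation, else None."""
    host = host.lower()
    reg = registrable_domain(host)
    if any(reg in allowed for allowed in PROTECTED.values()):
        return None  # the real service, whatever subdomain it uses
    second_level = reg.split(".")[0]
    for brand in PROTECTED:
        # 'bitwardenlogin.com' and 'bitwarden.com.evil.net' both carry the
        # brand string somewhere outside the brand's own registrable domain.
        if brand in host:
            return brand, "brand name embedded in unrelated domain"
        # '1passw0rd.com', 'anydeesk.com': close to the brand but not equal.
        ratio = SequenceMatcher(None, second_level, brand).ratio()
        if ratio >= TYPOSQUAT_THRESHOLD:
            return brand, f"typosquat (similarity {ratio:.2f})"
    return None


def scan_log(text):
    """Return (client_ip, host, brand, reason) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client_ip, url = line.split(maxsplit=1)
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict:
            hits.append((client_ip, host) + verdict)
    return hits


if __name__ == "__main__":
    for client_ip, host, brand, reason in scan_log(SAMPLE_LOG):
        print(f"{client_ip} -> {host}: impersonates {brand}; {reason}")
```

The allowlist check comes first so that any subdomain of the genuine service (vault.bitwarden.com, my.1password.com) is never flagged; everything else is judged against the brand list. The substring rule catches the "brand plus a word" registrations and the "brand as a subdomain of something else" trick, and the similarity rule catches single-character typosquats; both produce false positives on unrelated sites that legitimately mention a brand, so in practice the output feeds triage rather than blocking.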
Preventive measures against Google Ads based attacks
Here are a few precautions you can take against malicious Google Ads:
Check that the site you are downloading from is the vendor's real domain, reading the address bar rather than the text displayed in the ad. A valid TLS certificate is not evidence of legitimacy: phishing and lookalike download sites routinely have valid certificates, so an expired or invalid certificate is a red flag, but a valid one proves only that the connection is encrypted. Where the vendor publishes a checksum or signs its installer, verify it before running the download.
Use multi-factor authentication (MFA) on all of your accounts. The options, roughly from strongest to weakest: hardware security keys using FIDO2/WebAuthn (the only option here that is phishing-resistant), an authenticator app (easy to use and suitable for most accounts), magic links (convenient, but a proxied page can relay them), and SMS verification (prone to SIM-swapping attacks).
Keep in mind that anything the user can read and retype, including authenticator-app and SMS codes, can be relayed by an adversary-in-the-middle (AiTM) proxy. FIDO2/WebAuthn credentials resist this because the signed assertion is bound to the origin the browser is actually on, so a phishing domain cannot produce an assertion the real service will accept. For enterprise applications, add risk-based or conditional-access authentication (device, location and sign-in behavior) so that stolen credentials alone are not enough.
Turn on Safe Browsing with Enhanced protection so the browser warns you about known malicious sites and suspicious downloads.
Patch your browsers regularly.
Give out as little credential information as possible. Never enter credentials on a page you reached through an ad; open the service from a bookmark or a typed URL instead. A password manager helps here: it autofills only on the domain the credential was saved for, so if it declines to fill a page such as 'bitwardenlogin.com', treat that as a warning rather than a glitch.
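To make the MFA distinction in the list above concrete, here is an added example (not code from the original post, nor from Evilginx2, Modlishka or Muraena) that simulates both flows in one process: an RFC 6238 TOTP code typed into a proxied page is accepted by the real server, while a WebAuthn-style assertion carries the origin the browser is actually on and is rejected. The origins, the HMAC used as a stand-in for the authenticator's ECDSA signature, and the in-process browser, proxy and relying party are assumptions for illustration; the origin-binding checks are the ones the WebAuthn specification requires of a relying party.

```python
"""
TOTP relays through an AiTM proxy; a WebAuthn assertion does not.
Added example for this post, not code from the original article or from
Evilginx2/Modlishka/Muraena. Stand-ins, stated plainly: the browser,
proxy and relying party (RP) are simulated in-process, and the
authenticator 'signature' is an HMAC over exactly the bytes a real
authenticator signs (a real one uses ECDSA or EdDSA). The origin-binding
logic is unchanged by that swap.
"""
import base64
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlsplit

REAL_ORIGIN = "https://vault.bitwarden.com"  # origin the RP expects (assumed)
RP_ID = "bitwarden.com"                       # credential scope (assumed)
PHISH_ORIGIN = "https://bitwardenlogin.com"   # lookalike named in the post


# ---------- TOTP, RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) ----------
def totp(secret, unix_time, step=30, digits=6):
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rp_accepts_totp(secret, code, unix_time):
    # One step of clock skew either way, as most servers allow. Nothing in
    # the code says which site the user typed it into, so a relay works.
    return any(hmac.compare_digest(totp(secret, unix_time + d), code)
               for d in (-30, 0, 30))


def aitm_relay_totp(secret, unix_time):
    code_typed_on_phish_page = totp(secret, unix_time)  # from the victim's app
    return rp_accepts_totp(secret, code_typed_on_phish_page, unix_time)


# ---------- WebAuthn-style assertion ----------
def b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def browser_get_assertion(cred_key, page_origin, challenge, enforce_scope=True):
    """What navigator.credentials.get() does. The browser, not the page,
    writes the origin string and decides whether RP_ID may be used here."""
    host = urlsplit(page_origin).hostname
    if enforce_scope and not (host == RP_ID or host.endswith("." + RP_ID)):
        return None  # SecurityError: credential is not scoped to this site
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(cred_key, assertion, expected_challenge):
    """RP-side checks in the order the WebAuthn spec lists them; (ok, reason)."""
    if assertion is None:
        return False, "browser refused: rpId does not match page origin"
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_from(page_origin, cred_key, challenge=None):
    """Run the ceremony from the page the victim is really on. The proxy
    only forwards the resulting bytes to the RP unchanged."""
    challenge = challenge or os.urandom(32)
    assertion = browser_get_assertion(cred_key, page_origin, challenge)
    return rp_verify_assertion(cred_key, assertion, challenge)


if __name__ == "__main__":
    totp_secret, cred_key = os.urandom(20), os.urandom(32)
    print("TOTP relayed by proxy accepted:", aitm_relay_totp(totp_secret, 1_700_000_000))
    print("WebAuthn from real site:", login_from(REAL_ORIGIN, cred_key))
    print("WebAuthn via phishing site:", login_from(PHISH_ORIGIN, cred_key))
    forged = browser_get_assertion(cred_key, PHISH_ORIGIN, os.urandom(32), enforce_scope=False)
    print("Even with browser scoping bypassed:", rp_verify_assertion(cred_key, forged, os.urandom(32)))
```

Two layers stop the relay. First, the browser refuses to use a credential scoped to bitwarden.com from a page on bitwardenlogin.com, so the victim cannot complete the ceremony at all. Second, even if that check were bypassed (the `enforce_scope=False` path), the origin string inside the signed clientDataJSON is set by the browser from the real page URL, and the relying party compares it against the origin it expects before it looks at the signature. The TOTP code, by contrast, is just six digits that are valid wherever they are typed.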
Google Ads have become a popular platform for attackers. The malware and phishing campaigns described above are only the ones that have been documented so far, which makes it important for users to recognize these attacks and take the precautions listed here. It is also necessary for Google to strengthen its ad review process and take stern action against the advertisers behind them.
Update from March 1, 2023, from Google
On March 1st, Google sent out an email to advertisers with the following update:
In May 2023, the Google Ads Malicious or unwanted software policy will be split into three separate policies: Malicious software, Compromised sites, and Unwanted software. We will begin enforcing these policies on May 9, 2023, with full enforcement ramping up over approximately 4 weeks. Until these policy changes are brought into effect, Google will continue to enforce its current malware policy.
What is changing
Malicious software: The scope of the Malicious software policy is narrowed to prohibit the intentional distribution of malicious software or “malware” that may harm or gain unauthorized access to a computer, device, or network. This prohibition applies to your ads and any software that your site or app either hosts or links to, regardless of whether the software is promoted through the Google advertising network. A violation of the Malicious software policy will now be considered an egregious violation.
Compromised sites: A compromised site refers to a site or destination whose code has been manipulated to act in ways that benefit a third party without the knowledge of the site or destination’s owner or operator, and often in a way that harms the site’s users. Your ads are not allowed to use destinations which are compromised or hacked. Violations of this policy will not lead to immediate account suspension without prior warning. A warning will be issued, at least 7 days, prior to any suspension of your account.
Unwanted software: Ads and destinations that violate Google’s Unwanted software policy are not allowed. Violations of this policy will not lead to immediate account suspension without prior warning. A warning will be issued, at least 7 days, prior to any suspension of your account.