This article discusses a phishing scheme targeting Google Ads advertisers, where criminals impersonate Google Ads through fraudulent ads to steal account credentials. The stolen accounts are likely resold or used for further malicious activities. Affected: Google Ads
Keypoints :
- Online criminals are targeting Google Ads advertisers through phishing.
- Fraudulent Google ads redirect victims to fake login pages.
- Criminals aim to steal advertiser accounts and resell them on blackhat forums.
- The operation is extensive, affecting thousands of customers worldwide.
- Fake ads are hosted on Google Sites, making them appear legitimate.
- Phishing kits collect user credentials and other sensitive information.
- Two main groups of criminals identified: one based in Brazil and another in Asia.
- Stolen accounts are used for further scams and malware distribution.
MITRE Techniques :
- Phishing (T1566) – Criminals impersonate Google Ads and redirect victims to fake login pages hosted on Google Sites to steal credentials.
- Credential Dumping (T1003) – Phishing kits collect usernames, passwords, and other sensitive data from victims.
- Account Manipulation (T1078) – Once credentials are obtained, attackers gain access to the victims’ Google Ads accounts and may add new administrators.
Indicator of Compromise :
- [domain] sites[.]google[.]com/view/ads-goo-vgsgoldx
- [domain] ads-overview[.]com
- [domain] ads-goo[.]click
- [domain] account-costumers[.]site
- [domain] accounts[.]google[.]lt
- Check the article for all found IoCs.