Cybercriminals keep innovating and devising new tactics to launch malicious phishing campaigns against unsuspecting users. They are now abusing Google Ads to send phishing emails. Read on to learn more about the campaign and how to protect yourself.
Threat actors are abusing the Google Ads platform to deliver emails promoting unsolicited and spam websites to users who do not necessarily use Google’s advertising platform at all.
The Google Ads platform enables advertisers to design advertising campaigns in Google search results and on publisher partners’ websites.
The platform, which publishes ads on websites across the Web, allows account admins to invite other Google users to manage their Google Ads accounts. Google sends these invitations by email from an official Google address: email@example.com. Recently, some malicious actors discovered that these emails pass Gmail’s spam filters because Google does not filter mail originating from its own domain.
The recent phishing campaign involves cybercriminals using the Google Ads admin interface to send bulk email invitations, easily bypassing recipient spam filters.
Think Twice Before Clicking on That Google Ads Invite!
Users around the globe recently reported receiving emails from legitimate Google Ads accounts that caught their attention. The bogus invite emails, sent from Google’s own servers, urge recipients to visit spam links embedded in the email.
According to Reddit user erohtar, “The email originates from the official Google address firstname.lastname@example.org.”
“A few weeks ago, my boss provided me access to our organization’s Google Ads account, so I’m familiar with the email. It’s legitimate, sent by Google, and will provide me access to the threat actor’s Google Ads account.”
Many other users also reported receiving identical messages, leaving them frustrated:
“I’ve been trashing the bogus invite emails, but it would be nice if Google got a handle on their products so that the users do not have to guard against such phishing scams constantly,” Brandon commented on a Google community forum thread.
Luring Users Through Websites Promoting Adult Content
Google Ads account administrators can use the “invitations” feature to add new users to the account admin interface through email invites. Each Google Ads invitation includes a link to the website connected to that account, prompting recipients to click through to it.
The website links in these spam invitations display obscene images and ask visitors to enter their information to see more. If a user enters their information on these pages, the attackers will most likely exploit it for nefarious purposes.
It might seem tempting to report such emails as spam, but that isn’t the solution: marking them as spam will also block legitimate emails from Google. To better understand the incident and the steps Google is taking, Bleeping Computer emailed Google.
A Google spokesperson replied, “Our security teams are aware of the issue and, as always, working hard to keep our users safe.”
“We have stringent Google Ads policies against misrepresentation and are taking appropriate action. We encourage our users to report emails containing spam links to help us take necessary action on accounts linked to spam.”
Users should remain vigilant and refrain from opening attachments or clicking links within emails, even if they appear to originate from authentic Google servers.
Another “Google Ads – Your account is suspended” Phishing Campaign
Another scam in the news recently is the “Google Ads – Your account is suspended” phishing campaign. Scammers are sending this email to many users hoping that some will take it seriously.
The primary purpose here is to trick people into entering their Google Ads account details (usernames and passwords). If you receive such an email, ignore it, along with any similar emails. The cybercriminals behind this scam design the emails to look like a communication from the Google Ads team. The “Google Ads – Your account is suspended” message claims that the user’s Google Ads account was suspended for circumventing systems.
To restore their accounts, recipients are told to log in by clicking on the embedded link. When they click on it, they are redirected to a fake login page, recognizable by inspecting the website link, which is misspelled as (accounts.vgeoogle.com). The website asks victims to log into their Google Ads accounts by entering their telephone numbers (or email addresses) and passwords.
As mentioned, cybercriminals are using this method to steal account details, which can cause a data leak, financial loss, and other problems.
Best Practices to Secure Your Google Ads Account Against Suspicious Emails Claiming to be from Google Ads
Google never sends unsolicited messages asking users to provide their passwords or other sensitive information through emails or links. If you receive an email requesting you to share sensitive information, it’s an attempt to steal your data, also called “phishing.” Sometimes businesses and threat actors pretend to be associated with Google to trick people into providing their sensitive information. Here are the best practices to follow to safeguard against the Google Ads phishing campaign:
- Check if it’s Google trying to reach you. Until you are sure, do not click on any email links or enter personal information.
- Check that the email’s “From” and “Return-Path” message headers contain “@google.com.” If contacted by a third party, ensure they are a Google Partner.
- Check where the email’s links are pointing; the link URLs must contain “google.com.” Before opening any link in the email, right-click on it and choose “Copy Link Location” or “Copy Link Address,” then paste the copied text into a text field or document to see what the URL actually says. If it points somewhere other than “google.com,” the link will take you to a non-Google webpage.
- Protect your account if you believe you shared your personal details with an untrustworthy source. Do not divulge your details if you think you were contacted by a threat actor asking for your credit card numbers, password, or other sensitive information. If you believe your account is compromised, use the steps below to protect it.
3. Use Google’s account security form to alert them as soon as possible.
Furthermore, follow Google’s security tips to secure your account. Report the suspicious call, email, or webpage so Google can investigate it. You can choose any of the following forms offered by Google:
- Report an email or call: You can use this form to connect to an Online Specialist.
- Report a webpage: You can use this form to report the URL of a suspicious website to Google. If you received the link through an email, do not click the link to visit the webpage. Instead, right-click on the link and select “Copy Link Location” or “Copy Link Address.” Then, paste the copied link into the form.
- Report a third party: You can use this form to inform Google about an issue with a partner selling Google Ads services.
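The header and link checks in the best-practices list above can be automated for a saved message. The following script is an added example, not code from the original article or from Google: it parses an .eml file, checks the domains in the “From” and “Return-Path” headers, extracts every link from the body, and flags any host that is not google.com or a subdomain of it. It matches on label boundaries rather than with a plain substring test, so a lookalike such as google.com.login-verify.example is flagged along with accounts.vgeoogle.com. The sample message, sender address, and links are all constructed for this example. Note that for the invitation campaign described earlier the header check legitimately passes, since Google really sends those emails; it is the link check that exposes the advertiser’s spam site.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "google.com"

# Constructed sample message modelled on the "account suspended" lure.
# The sender domain and the first two links are made-up examples.
SAMPLE_EML = """\
From: "Google Ads" <ads-support@notifications.example.net>
Return-Path: <bounce@notifications.example.net>
To: victim@example.org
Subject: Google Ads - Your account is suspended
Content-Type: text/html; charset="utf-8"

<p>Your account was suspended for circumventing systems.</p>
<p><a href="https://accounts.vgeoogle.com/signin?u=1">Restore access</a></p>
<p><a href="https://google.com.login-verify.example/ads">Help center</a></p>
<p><a href="https://ads.google.com/home/">Google Ads home</a></p>
"""


def host_is_trusted(host, trusted=TRUSTED_DOMAIN):
    """True only if host is the trusted domain or a subdomain of it.
    A substring test ("google.com" in host) would accept
    google.com.login-verify.example, so compare on label boundaries."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def address_domain(header_value):
    """Return the domain part of an RFC 5322 address header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def extract_links(msg):
    """Collect href targets and bare URLs from all text parts, deduplicated."""
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_content()
            links += re.findall(r"""href=["']([^"']+)["']""", body)
            links += re.findall(r"""https?://[^\s<>"']+""", body)
    return list(dict.fromkeys(links))


def analyze(raw_eml):
    """Return a list of human-readable findings; an empty list means
    every checked header and link stayed within google.com."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for hdr in ("From", "Return-Path"):
        dom = address_domain(msg.get(hdr))
        if not host_is_trusted(dom):
            findings.append(f"{hdr} domain {dom!r} is not {TRUSTED_DOMAIN}")
    for link in extract_links(msg):
        host = urlparse(link).hostname or ""
        if not host_is_trusted(host):
            findings.append(f"link host {host!r} is not {TRUSTED_DOMAIN}: {link}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG:", finding)
```

Run against the constructed sample, the script flags both sender headers and the two lookalike links while leaving the genuine ads.google.com link alone. To check a real message, save it from your mail client as an .eml file and pass its contents to analyze().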
Traditionally, threat actors sent spam and phishing emails from addresses crafted to look at least somewhat legitimate, to trick users into opening them and clicking on the linked websites.
However, they are no longer creating email addresses at newly registered domain names. Malicious actors are instead creating Google Ads accounts and linking them to their spam and phishing websites. Thus, as we saw above, they are now sending invitation emails from Google’s own official Google Ads address. Users must therefore remain vigilant and follow cybersecurity best practices in today’s evolving threat landscape.