New Phishing Campaign Targeting Google Ads Users: Brazilian-Linked Malvertising Uncovered

The Cyber Defense Insight team has uncovered a malvertising campaign aimed at Google Ads users. Sponsored results on Google Search lead, through an intermediate lure page, to a fake Google sign-in form that harvests credentials. The tactics continue those seen in earlier campaigns against Microsoft and Google platforms.

The Discovery: How the Campaign Operates

The campaign starts with paid ads in Google Search results that masquerade as official Google Ads links. The ad is served through a Google Ads campaign and points to the attacker-controlled domain a[.]accountsg[.]online. Once clicked, the ad redirects the user to a page hosted on sites[.]google[.]com that mimics the Google Ads login interface, borrowing the trust of a legitimate Google host.

Image 1.0 Fake Google Ads page

The lure page includes a Sign In button that sends victims to accounts[.]parasgold[.]in, a fake Google login page that captures whatever is typed into it. After submission the victim is redirected to the legitimate Google Ads site, so the login appears to have succeeded and the theft goes unnoticed.

Image 1.1 Fake Google login page

However, Cyber Defense Insight found that requesting accounts[.]parasgold[.]in directly, without passing through the ad and the lure page, returns only a static screenshot of the Google Ads page with no form to submit. This gating is almost certainly meant to keep automated URL scanners and researchers, who typically fetch the bare URL, from ever seeing the credential form.

The phishing page also runs anti-right-click scripts that suppress the browser context menu. This is a nuisance rather than a real obstacle: it does not affect the keyboard shortcuts for developer tools, the view-source: scheme, or fetching the page with curl, and it has no effect on network-level capture in a proxy. It does, however, add friction for casual inspection.

Brazilian Connections: A Link to Previous Campaigns

During the investigation, the team found that several backend commands and response strings in the phishing infrastructure were written in Brazilian Portuguese, pointing to a possible link with a previously identified campaign that targeted Microsoft users. That earlier campaign, also hosted on domains with Brazilian connections, used the same pattern of look-alike phishing domains to collect credentials.

Image 1.3 Brazilian Portuguese strings used by the phishing backend

By February 5, 2025, the campaign was observed fronting its infrastructure with Cloudflare, which hides the origin server's IP address and makes the hosting provider harder to identify. Analysis of the backend responses nonetheless surfaced clues consistent with the tactics of threat actors operating from Brazil. Language alone is weak attribution evidence, so the Brazilian link should be read as an indicator rather than a confirmation.

Technical Analysis: Tactics to Avoid Detection

  1. Conditional Content Delivery: The page served depends on how the visitor arrived. Only a visitor who follows the full flow (the ad, then the sites[.]google[.]com lure) receives the working credential form; everyone else gets the static decoy. This write-up does not identify the exact gate (Referer header, a token in the redirect URL, or a cookie set by the lure), so any sandbox or scanner used against this kit should replay the complete flow rather than fetch the final URL on its own.
  2. Anti-Investigator Measures: The pages block the right-click context menu to discourage element inspection. This is easily bypassed with keyboard shortcuts or by fetching the page outside a browser, and it does nothing to hide traffic from a proxy.
  3. Cloudflare Fronting: The campaign sits behind Cloudflare, so the origin server's IP address is not exposed in DNS, which slows down hosting identification and takedown. Abuse reports to Cloudflare and to the domain registrars remain effective takedown routes.
  4. Brazilian Portuguese Strings: Commands in the backend use Brazilian Portuguese, consistent with prior malvertising campaigns attributed to Brazilian actors.
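The conditional delivery in point 1 and the decoy behaviour described earlier can be checked without trusting a single fetch. The script below is an added example, not tooling from the Cyber Defense Insight team: it requests a suspected phishing URL twice, once bare and once as if arriving from the sites.google.com lure, and classifies each response as a static decoy or a credential form. The two HTML bodies are constructed stand-ins for the decoy and the live kit, and `fetch_page` replaces a real HTTP client so the script runs offline; the Referer header is assumed to be the gate, which the write-up does not confirm.

```python
"""Added example (not from the original write-up): detect referer-gated
cloaking by comparing a bare fetch with a fetch that mimics the lure flow.
The HTML below is constructed; fetch_page() is an offline stand-in."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

LURE_HOST = "sites.google.com"

# Constructed responses: what the decoy and the live kit are assumed to look like.
DECOY_HTML = """<html><body>
<img src="/static/ads-screenshot.png" alt="Google Ads">
</body></html>"""

PHISH_HTML = """<html><body>
<script>document.addEventListener('contextmenu', e => e.preventDefault());</script>
<form action="/signin" method="post">
  <input type="email" name="identifier">
  <input type="password" name="password">
  <button type="submit">Next</button>
</form>
</body></html>"""


class PageScanner(HTMLParser):
    """Extracts the few features that separate a decoy from a credential form."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.input_types = []
        self.image_count = 0
        self.blocks_context_menu = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())
        elif tag == "img":
            self.image_count += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # A contextmenu handler inside <script> is the anti-right-click trick.
        if self._in_script and "contextmenu" in data:
            self.blocks_context_menu = True


def classify(html, page_url):
    """Label a response as static_decoy, credential_form or other."""
    scanner = PageScanner()
    scanner.feed(html)
    if "password" in scanner.input_types:
        # Resolve each form action so we know which host receives the credentials.
        sinks = sorted({urlparse(urljoin(page_url, act)).hostname
                        for act in scanner.form_actions})
        return {"kind": "credential_form", "posts_to": sinks,
                "anti_rightclick": scanner.blocks_context_menu}
    if scanner.image_count and not scanner.form_actions:
        return {"kind": "static_decoy", "posts_to": [],
                "anti_rightclick": scanner.blocks_context_menu}
    return {"kind": "other", "posts_to": [],
            "anti_rightclick": scanner.blocks_context_menu}


def fetch_page(url, referer=None):
    """Offline stand-in for an HTTP GET that models the reported behaviour:
    the credential form is served only to visitors who appear to come from
    the lure; everyone else gets the screenshot.  For live use replace with
    something like requests.get(url, headers={"Referer": referer}).text."""
    if referer and urlparse(referer).hostname == LURE_HOST:
        return PHISH_HTML
    return DECOY_HTML


def probe_cloaking(url, lure_referer):
    """Fetch twice and report whether the kit changes its answer."""
    direct = classify(fetch_page(url), url)
    via_lure = classify(fetch_page(url, referer=lure_referer), url)
    return {"direct": direct, "via_lure": via_lure,
            "cloaked": direct["kind"] != via_lure["kind"]}


if __name__ == "__main__":
    print(probe_cloaking("https://accounts.parasgold.in/",
                         "https://sites.google.com/view/ads-signin"))
```

When the two classifications differ, the kit is gating on the visitor's path, which also explains why a URL scanner that submits only the final address will report it as a harmless image. If the Referer alone does not unlock the form on a live kit, replay the whole chain in a browser with a proxy attached, since the gate may be a URL token or a cookie set by the lure page instead.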

How the Phishing Flow Works

Image 1.4 Flow of the Google Ads phishing attack

  1. The user searches Google for terms such as "Google Ads".
  2. Sponsored results impersonating Google Ads appear at the top of the results page and send the user to a[.]accountsg[.]online.
  3. That domain redirects to a Google Ads-themed page on sites[.]google[.]com that asks the user to sign in.
  4. The Sign In button leads to accounts[.]parasgold[.]in, a fake login page impersonating Google.
  5. After credentials are entered, the user is redirected to the real Google Ads website to maintain the illusion of a legitimate login.
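Because every stage of this flow leaves a distinct host in web-proxy logs, the chain can be reconstructed after the fact. The script below is an added example, not from the original write-up: it parses proxy log lines, walks each client's requests through the five stages, and flags a POST to the fake login host as a probable credential compromise. The log lines are constructed, the field layout (timestamp, client, method, URL, referer) is an assumption to adapt to your proxy's format, and ads.google.com is assumed to be the legitimate landing host. Since the Referer is often stripped between stages, a stage also counts when it follows the previous one within a short time window.

```python
"""Added example (not from the original write-up): reconstruct the Google Ads
phishing chain from proxy logs.  Log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Ordered stages keyed by host.  sites.google.com is a legitimate host, so it
# only counts as a stage when it follows the ad redirector.
STAGES = [
    ("a.accountsg.online", "ad_redirector"),
    ("sites.google.com", "lure_page"),
    ("accounts.parasgold.in", "fake_login"),
    ("ads.google.com", "legit_landing"),   # assumption: real Google Ads landing host
]
IOC_HOSTS = {"a.accountsg.online", "accounts.parasgold.in"}
WINDOW_SECONDS = 60   # fallback when the Referer was stripped between stages

# Constructed sample: "<timestamp> <client> <method> <url> <referer|->"
SAMPLE_LOG = """\
2025-02-05T10:01:02Z 10.0.0.7 GET https://www.google.com/search?q=google+ads -
2025-02-05T10:01:05Z 10.0.0.7 GET https://a.accountsg.online/ https://www.google.com/
2025-02-05T10:01:06Z 10.0.0.7 GET https://sites.google.com/view/ads-signin https://a.accountsg.online/
2025-02-05T10:01:20Z 10.0.0.7 GET https://accounts.parasgold.in/ https://sites.google.com/view/ads-signin
2025-02-05T10:01:21Z 10.0.0.7 POST https://accounts.parasgold.in/ https://sites.google.com/view/ads-signin
2025-02-05T10:01:23Z 10.0.0.7 GET https://ads.google.com/ https://accounts.parasgold.in/
2025-02-05T10:02:00Z 10.0.0.9 GET https://sites.google.com/view/team-wiki https://mail.google.com/
2025-02-05T10:03:00Z 10.0.0.12 GET https://ads.google.com/ https://www.google.com/
2025-02-05T10:05:00Z 10.0.0.21 GET https://a.accountsg.online/ https://www.google.com/
2025-02-05T10:05:03Z 10.0.0.21 GET https://sites.google.com/view/ads-signin -
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse(log_text):
    """Turn raw lines into events with the hosts already extracted."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting triage
        ts, client, method, url, referer = m.groups()
        ref_host = "" if referer == "-" else (urlparse(referer).hostname or "")
        events.append({"ts": ts, "client": client, "method": method,
                       "host": urlparse(url).hostname or "", "ref_host": ref_host})
    return events


def analyze(log_text):
    """Per-client verdict: stages reached, whether credentials were POSTed,
    and a triage label."""
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in sorted(by_client.items()):
        evs.sort(key=lambda e: e["ts"])
        stage, last_ts, posted = 0, None, False
        for ev in evs:
            if stage < len(STAGES) and ev["host"] == STAGES[stage][0]:
                ok_ref = stage == 0 or ev["ref_host"] == STAGES[stage - 1][0]
                ok_time = last_ts is not None and \
                    (_ts(ev["ts"]) - _ts(last_ts)).total_seconds() <= WINDOW_SECONDS
                if ok_ref or ok_time:
                    stage, last_ts = stage + 1, ev["ts"]
            if ev["host"] == "accounts.parasgold.in" and ev["method"] == "POST":
                posted = True   # a form submission to the fake login = credentials sent
        reached = [label for _, label in STAGES[:stage]]
        if posted:
            verdict = "credentials_likely_compromised"
        elif "fake_login" in reached:
            verdict = "landed_on_fake_login"
        elif any(ev["host"] in IOC_HOSTS for ev in evs):
            verdict = "ioc_contact"
        else:
            verdict = "clean"
        findings[client] = {"stages": reached, "credentials_posted": posted,
                            "verdict": verdict}
    return findings


if __name__ == "__main__":
    for client, f in analyze(SAMPLE_LOG).items():
        print(client, f["verdict"], f["stages"])
```

A client with the verdict credentials_likely_compromised needs a password reset and revocation of active sessions and OAuth grants on the Google account; ioc_contact clients are worth a conversation but not an emergency. Note that the client visiting an unrelated sites.google.com page is not flagged, which is the point of anchoring the chain on the attacker-owned redirector rather than on the legitimate lure host.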

Potential Long-Term Implications

The continuous evolution of these phishing tactics indicates a well-organized operation that adapts to avoid detection. With previous campaigns targeting Microsoft and now Google Ads, it is evident that threat actors are focusing on high-value platforms. Historically, similar campaigns have been traced back to Brazilian cybercriminal groups known for using malvertising and phishing-as-a-service (PhaaS) models.

Recommendations for Protection

Organizations and users should adopt the following security measures to defend against this ongoing threat:

  • Enhanced Ad Monitoring: Google and other advertising platforms should tighten review of ad campaigns whose display text impersonates the platform itself.
  • User Awareness: Teach users to check the address bar before entering credentials. A genuine Google sign-in form lives on accounts.google.com; a sign-in form on any other host, including a page on sites[.]google[.]com, should be treated as phishing.
  • Multi-Factor Authentication: Enforce MFA on Google Ads accounts. Note that SMS and app-generated one-time codes can still be relayed in real time by a phishing kit; phishing-resistant methods such as security keys or passkeys are bound to the real origin and defeat this class of attack outright.
  • Domain Blocking: Block a[.]accountsg[.]online and accounts[.]parasgold[.]in in DNS filtering, web proxies and email gateways. sites[.]google[.]com cannot be blocked wholesale, so block the specific lure path once confirmed, review proxy logs for any client that contacted the two attacker domains, and treat a POST to accounts[.]parasgold[.]in as a credential compromise that warrants a password reset and session revocation.

As phishing tactics continue to evolve, proactive defense mechanisms and collaboration between security teams and platform providers are essential to stay ahead of threat actors. The discovery by the Cyber Defense Insight team underscores the need for continuous vigilance in identifying and taking down malicious campaigns.

Indicators of Compromise (IOCs)

Domains Involved:

  • a[.]accountsg[.]online
  • accounts[.]parasgold[.]in
  • sites[.]google[.]com (specific path hosting fake Google Ads login page may need further verification)
