Threat Actors Are Using Google Ads to Launch Phishing Attacks

Year after year, phishing tops the list of the leading causes of data breaches. Afterall, a threat actor’s job is made much easier if they can get an authorized user to visit a malicious website on their own accord. Once a user has accessed a malicious site, they could potentially be exposed to a zero-day exploit that targets the browser, or perhaps a malicious site looks exactly like a legit website and harvests credentials. Or maybe the malicious site pretends to be the home of some well-known software and lets the user download an “update” all on their own (with a little malware added…).

Security professionals have been sounding the alarm about phishing for many, many years — and companies are starting to take notice. It is now commonplace for companies to provide cybersecurity training for their employees, and recognizing and avoiding phishing schemes is usually a primary topic. Many organizations even test their workers by sending them dummy phishing emails to see who falls for them. Once identified, these employees can then be given a refresher course or more training. However, even with rigorous training and the plethora of solutions that try to prevent phishing emails from even reaching a user’s inbox in the first place, attackers can still find success.

While software gets better at keeping phishing emails from reaching users’ inboxes, and employees get better educated to recognizing phishing, threat actors get better at making phishing emails look legitimate enough to fool both software and humans alike — perpetuating the cybersecurity cat-and-mouse game.

Recently, threat actors have stepped up their game by using Google Ads to trick users into visiting their malicious websites. Security professionals reiterate to users that they should not click links in emails or text messages, and instead advise them to type the full URL of the site referenced directly into their browser. However, that assumes users know what a full URL actually is. For many users, navigating the internet is strictly a matter of using Google and keywords to get where they are going. So instead of typing in “https://apple.com” or even just “apple.com” into their nav bar, they simply type “apple” and click on the first link provided by their preferred search engine (almost always Google).

Unfortunately, that first link (or the first few links) can be purchased using Google Ads and served up based on keywords users are searching. Though these were generally reliable in the past, more and more, these results are being hijacked by threat actors. Now, the first link you get when searching for “zoom” or “download zoom” may not be for a legitimate website, but rather a threat actor controlled website. They’re even able to enhance their techniques by detecting if the user reached their website through Google Ads or by another means, using this intelligence to determine whether a user should be redirected to a benign site or be allowed to continue to the real phishing site. This allows the threat actors to stay ahead of security researchers by serving up a benign site if someone browses directly to the ad’s URL, this included anyone from Google as well as their bots and crawlers.

Malvert diagram orig

A recently uncovered campaign shows that at least one threat actor has been using this technique heavily, currently targeting mostly end-users and their crypto wallets by buying ads for well-known software brands like Grammarly, Malwarebytes, Afterburner, Visual Studio, Zoom, Slack, and more.

Users looking to download or update their software and type its name directly into Google were served links to malicious sites that look just like the real ones. However, the versions of the software provided on these websites was infested with malware (and often hosted on legit websites like Google Drive, Dropbox, etc).

While this campaign is mostly focused on end users, it’s highly likely that business-focused campaigns are already active or will be active in the near future. In fact, We are already aware of this technique having been used before to target customers of a well-known credit union. Aside from updating employee and customer training (never click on a “sponsored” link in Google), what else can be done to thwart this attack vector?

The use of Protective DNS solutions, as recommended by CISA and the NSA, can thwart these phishing attacks. At HYAS, we are experts in understanding adversary infrastructure, and HYAS Protect utilizes that extensive knowledge to proactively block access to these malicious sites. From HYAS Protect’s point of view, it doesn’t matter whether a user gets to a malicious site by clicking a link in a phishing email, clicking a Google “Sponsored” link, or even directly typing the malicious URL itself. HYAS Protect will detect that the site is part of a threat actor infrastructure and will block access to it, keeping the user safe.

Back to Blog