Fake Google Ads Are Used to Hijack Microsoft Advertising Accounts In Malvertising Scam

Feb 01, 2025 | Ravie Lakshmanan | Malvertising / Mobile Security

Cybersecurity researchers have discovered a malvertising campaign that targets Microsoft advertisers with bogus Google ads that lead them to phishing pages capable of harvesting their credentials.

"These malicious ads, appearing on Google Search, are designed to steal the login details of users trying to access Microsoft's advertising platform," Jérôme Segura, senior director of research at Malwarebytes, said in a Thursday statement.

The findings come a few weeks after the security firm revealed a similar campaign that used sponsored Google Ads to target individuals and businesses advertising through the search giant's own platform.

The latest wave of attacks targets users who search on Google for phrases like "Microsoft Ads," attempting to deceive them into clicking on malicious links that appear as sponsored ads on the search results page.

The threat actors behind the campaign also use a number of methods to evade detection by security tools. This includes redirecting traffic coming from VPNs to a fake marketing site. Additionally, site visitors are presented with Cloudflare challenges in an effort to screen out bots.

Users who attempt to visit the final landing page ("ads.mcrosoftt[.]") directly are rickrolled instead, via a redirect to a YouTube video featuring a well-known internet meme.

The phishing site sports a lookalike design of "ads.microsoft[.]com" that is built to capture the victim's login credentials and two-factor authentication (2FA) codes, granting the attackers the ability to hijack their accounts.

Malwarebytes said it found additional phishing infrastructure targeting Microsoft accounts dating back a few years, suggesting the campaign has been running for some time and may have also targeted other advertising platforms such as Meta.

Another notable aspect is that most of the phishing domains are either hosted in Brazil or use the ".com.br" Brazilian top-level domain, drawing parallels to the campaign aimed at Google Ads users, which was mostly hosted on the ".pt" TLD.

The Hacker News has reached out to Google for comment. The company has previously told The Hacker News that it is constantly working to enforce countermeasures against such efforts and that it takes steps to stop ads that aim to trick users into handing over their information.

Smishing Attacks Impersonate USPS

The disclosure comes as a new SMS phishing campaign has been found impersonating the United States Postal Service (USPS) to exclusively target mobile device users.

"This campaign uses complex social engineering tactics and a never-before-seen means of obfuscation to deliver harmful PDF files intended to steal credentials and compromise sensitive data," Zimperium zLabs researcher Fernando Ortega said in a report published this week.

Recipients are urged to open a PDF file that supposedly contains an updated address needed to complete the delivery. Provided within the PDF file is a "Click Update" button that directs the victim to a USPS phishing web page, where they are asked to enter their personal details, including their email address and phone number.

The phishing page is also equipped to harvest their credit card information under the guise of a service fee for redelivery. The data is then encrypted and transmitted to a remote server under the attacker's control. As many as have been detected as part of the campaign, indicating a large-scale operation.

Ortega noted that the PDFs used in this campaign embed clickable links without using the standard /URI tag, making it more challenging to extract URLs during analysis. This technique allowed the malicious URLs in the PDF files to evade detection by several endpoint security solutions.
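As a defender-side illustration of the detection gap Ortega describes, the following is an added Python script (not from Zimperium or this article) that enumerates /Link annotations in a constructed PDF fragment and flags those whose action is anything other than /URI. The /JavaScript action is an assumed example of a non-/URI clickable link, not the exact construction observed in the campaign.

```python
import re

# Constructed sample: a minimal PDF fragment with two /Link annotations.
# Object 5 uses the standard /URI action; object 6 reaches a URL through a
# /JavaScript action instead (an assumed non-/URI variant, not the exact
# construction Zimperium observed).
SAMPLE_PDF = b"""%PDF-1.4
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.com/legit) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /JavaScript /JS (app.launchURL\\("https://example.invalid/update", true\\);) >> >>
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)   # top-level objects
ACTION_RE = re.compile(rb"/A\s*<<(.*?)>>", re.S)             # /A action dictionary
URL_RE = re.compile(rb"https?://[^\s()\"']+")                # URLs inside the action


def audit_link_annotations(pdf_bytes):
    """Return one finding per /Link annotation: object number, action type,
    URLs found in the action, and whether it avoids the standard /URI tag."""
    findings = []
    for num, body in OBJ_RE.findall(pdf_bytes):
        if b"/Subtype" not in body or b"/Link" not in body:
            continue
        m = ACTION_RE.search(body)
        action = m.group(1) if m else b""
        s = re.search(rb"/S\s*/(\w+)", action)
        action_type = s.group(1).decode() if s else "none"
        findings.append({
            "obj": int(num),
            "action": action_type,
            "urls": [u.decode() for u in URL_RE.findall(action)],
            "non_uri_link": action_type != "URI",
        })
    return findings


def suspicious_urls(pdf_bytes):
    """URLs reachable only through non-/URI link actions, i.e. exactly the
    ones a /URI-only extractor would miss."""
    return [u for f in audit_link_annotations(pdf_bytes)
            if f["non_uri_link"] for u in f["urls"]]


if __name__ == "__main__":
    for finding in audit_link_annotations(SAMPLE_PDF):
        print(finding)
    print("non-/URI URLs:", suspicious_urls(SAMPLE_PDF))
```

A real triage tool would additionally decompress object streams and resolve indirect references before running the same check, since link dictionaries are often not stored in plain text.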

The activity shows that cybercriminals are launching social engineering attacks that capitalize on users' trust in well-known brands and official-looking communications, while exploiting security gaps in mobile devices.

Similar USPS-themed smishing attacks have also used Apple's iMessage to deliver the phishing pages, a technique known to be adopted by a Chinese-speaking threat actor.

Such messages also cleverly attempt to bypass a safety feature in iMessage that prevents links from being clickable unless they come from a known sender or the user replies to the message. This is accomplished by including a "Please reply with Y" or "Please reply with 1" prompt in a bid to switch off iMessage's built-in phishing protection.

It's worth noting that this tactic has previously been linked to a phishing-as-a-service (PhaaS) toolkit that has been widely used to target postal services such as USPS and other well-established organizations in more than 100 countries.

Huntress researcher Truman Kain said, "The scammers have constructed this attack relatively well, which is probably why it's being seen so frequently in the wild. The simple truth is it's working."
