Recent research by Malwarebytes Labs uncovered a sophisticated cybercriminal campaign in which attackers pay for sponsored Google ads, impersonate major brands, and direct users to fake websites designed to steal credentials and distribute malware.
How the Scam Works
Cybercriminals purchase Google ads using brand names as keywords, ensuring their fraudulent ads appear at the top of search results when users look for those brands. The ads closely mimic legitimate brand advertisements. When users click these ads, they are redirected to fake websites that are crafted to look identical to official brand pages, such as Google Ads or DeepSeek.
On these fraudulent sites, users are prompted to enter sensitive information, including usernames, passwords, and sometimes even two-factor authentication codes. The attackers collect this data and may use it to hijack accounts or sell the credentials on underground forums. Many phishing pages are hosted on Google Sites, allowing attackers to create URLs that closely resemble legitimate Google domains, making the scams harder for users and automated defenses to detect. To further evade detection, attackers may display harmless content to users who visit the phishing site directly, while showing the malicious content only when the visit originates from a Google ad click. This tactic helps them bypass Google’s ad review systems.
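Because the phishing pages sit on Google Sites, a landing-page check that trusts any host under google.com passes them. The following added example (not code from Malwarebytes or from this article) contrasts that suffix check with an exact-host allow-list; the allow-list entries, function names, and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: per-brand allow-list of exact official hosts (illustrative, not from the article).
OFFICIAL_HOSTS = {
    "google ads": {"ads.google.com", "accounts.google.com"},
    "deepseek": {"www.deepseek.com", "chat.deepseek.com"},
}
# Shared hosting where anyone can publish pages; the article names Google Sites.
USER_CONTENT_HOSTS = {"sites.google.com"}


def _host(url):
    """Return the lowercased host, ignoring userinfo, port and a trailing dot."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")


def naive_suffix_check(url):
    """The weak check: trusts anything under google.com, including Google Sites."""
    host = _host(url)
    return host is not None and (host == "google.com" or host.endswith(".google.com"))


def classify_landing(brand, url):
    """Classify an ad's landing URL against the brand's exact official hosts."""
    host = _host(url)
    if host is None:
        return "invalid"
    if host in USER_CONTENT_HOSTS:
        return "user-content-host"  # user-published page, never a brand sign-in page
    official = OFFICIAL_HOSTS[brand.lower()]
    if host in official:
        return "official"
    # Brand name embedded in a host that is not on the allow-list.
    tokens = {h.split(".")[-2] for h in official}
    if any(t in host for t in tokens):
        return "lookalike"
    return "unrelated"
```

The same classification can be applied to the final URL after following an ad's redirects, since the host the user ends up on is what matters.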
Scope and Impact
Malwarebytes described this as one of the most egregious malvertising campaigns they have tracked, with the potential to impact thousands of users globally. The campaigns have targeted users searching for a range of brands, including Google Ads, Microsoft Ads, DeepSeek, and Semrush, among others. The stolen accounts are valuable commodities on underground markets, and the attackers have been traced primarily to groups operating out of Brazil, Asia, and Eastern Europe.
Industry Response
Google has acknowledged the issue and claims to be actively working to enforce stricter ad policies and remove malicious ads, but researchers note that the scale and sophistication of these attacks are challenging Google’s defenses.