Google Ads hijacked to push spam, adult websites

Phishing
(Image credit: Vektor Illustration/Shutterstock)
Audio player loading…

Hackers have been detected abusing a Google Ads feature to deliver adult websites and infostealing (opens in new tab) websites to unsuspecting victims.

Google Ads, the search engine giant’s advertising platform, has a feature allowing users to invite other people to the account administration interface. 

The invitations get sent via email, from Google’s official email address - ads-account-noreply@google.com. As these emails are technically sent by Google, email security services see them as legitimate and let them pass, so most of them end up in the victims’ inboxes, rather than the spam folder, or similar. 

TechRadar Pro needs you! (opens in new tab) We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey (opens in new tab) and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Collecting personal data

The URLs being shared with these emails redirect the recipients to “dodgy websites” that host adult content. Some websites “appear to be designed to collect personal information from visitors”. More details were not shared.

In any case, people have taken to Reddit and other forums to share their stories and their frustration with Google, the publication further states. “It would be nice if Google would get a handle on their products so their users aren't having to constantly guard against phishing scams,” one user was cited saying.

Google, on the other hand, seems to be aware of the creative way its tools are being abused and is doing something about it. How long before we see the results of that work, remains to be seen:

"Our security teams are aware of this spam content and are working hard, as always, to stay ahead and keep our users safe," a Google spokesperson said in a statement to BleepingComputer

"We have strict Google Ads policies against misrepresentation and have taken appropriate action. We encourage users to report messages when they receive emails containing spam links to help us take appropriate action on accounts involved in the spam."

Via: BleepingComputer (opens in new tab)

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.