Your marketing stack is an attack surface – is security watching?

Picture this: an enterprise employee clicks on what appears to be a verified ad from a trusted brand on Google. But the ad is anything but verified – it’s convincingly spoofed and redirects to a scammer-controlled domain.

The real brand has no idea it’s being imitated, security has no record of the breach, and Google’s own reviewers never saw the malicious content. Still, the unaware employee enters the “trusted” environment and hands over their login or downloads compromised software, creating an exploitable leak of unknown origin.

A recently unearthed scam did just this for years by cloaking fake ads and tricking the internet’s biggest ad platform into serving them. It’s the latest in a growing trend of weaponized ad fraud at scale, a scam that not only drains marketing budgets but also threatens cybersecurity.

Increasingly, the enterprise ad stack is the attack surface and fighting back requires security and marketing teams to address it as one.

Ad fraud at scale is now a security problem

In February, researchers announced the discovery of 1Campaign, a fully managed criminal toolkit for malvertizing, phishing, and credential theft. The cloaking tool tricked Google into approving malicious ads by showing different content to different visitors.

The fraud-as-a-service platform profiled every visitor – based on factors like IP ranges, geographic locations, and behavioral patterns – to determine what they would see next.

Security researchers, ad platform reviewers, and automated scanners were instantly flagged and directed to a harmless white page.

General users, on the other hand, were funneled wherever the bad actor wanted, using ads convincingly dressed as trusted brands to earn clicks that lead to phishing pages, crypto drainers, and fake software downloads that deliver malware.

This scheme is part of a disturbing pattern. Buoyed by AI, ad fraudsters are technologically equipped to do more with less and attack at scale. This is something we saw last September with malware hiding behind legitimate apps on the Google Play Store and turning user devices into ghost click farms.

Bots are now engaging with ads like humans – pausing on content, simulating scrolling, mimicking viewing behavior – and making detection far more difficult. In turn, marketing is battling corrupted campaign data, inflated click metrics, and the loss of about one in five dollars to ad fraud.

Ad networks are fighting a losing battle

1Campaign is the latest in a line of attacks that sees fraudsters weaponizing ads, outpacing detection, and ultimately threatening security. This is a triple threat with serious consequences across the enterprise. A big reason the scam succeeds is that marketing and security don’t talk to each other.

Security isn’t watching the ad stack and marketing isn’t flagging unusual traffic as a security concern. Bad actors know the two are siloed and exploit the gap in between, silently co-opting trusted brands and opening backdoors that neither team is monitoring.

Worse still, even ad platforms are struggling to keep up. 1Campaign operated undetected for several years by successfully evading traditional detection methods and circumventing the ad review process. In some documented campaigns, the scheme’s success rate at blocking security scanners reached 99%.

Our research reinforces that ad platforms are fighting a losing battle: invalid click rates from independent sources are nearly 50% higher than Google’s reported figures, suggesting plenty of fake clicks still slip through the cracks.

This is the new normal in ad fraud and enterprises that rely solely on platform defenses and disparate departments are leaving both their ad spend and security posture exposed.

Marketing and security must come together

Both sides need to step up and stamp out this threat. For security, this can be achieved by treating unusual ad traffic as a potential threat indicator rather than just a marketing problem. Specifically, watch for signs of credential harvesting.

If employees click through to unexpected domains via ad platforms, this should trigger the same level of scrutiny as phishing emails. Likewise, start including ad infrastructure in endpoint monitoring and incident response protocols, and training employees on the dangers of malvertizing (even if an ad comes from Google).

For marketing, remember that there’s no single source of truth. Platform performance reports are a starting point that can and should be strengthened by behavioral analytics and fraud-scoring systems. Think more holistically and flag unusual traffic spikes, click patterns, and conversion anomalies as potential security events.

Layered, independent verification is the only reliable defense in this threat landscape and it pays dividends. For example, armed with better visibility into real versus fake engagement, marketing teams can more quickly identify invalid clicks and pursue platform refunds with confidence.

For both teams, you’re stronger when you tackle this together.

This kind of collaboration is easier than many realize – establish joint dashboards that correlate ad traffic with security threat indicators, build incident response protocols that include ad stack breaches, and train across departments so each team understands the other’s blind spots.

This is a threat that both teams and wider enterprises need to address. Agentic browsers and prompt injection are on the way, threatening to introduce even more autonomous and legitimate-looking clicks. The time for cross-functional marketing and security defenses is now.

We've featured the best encryption software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro