Cybersecurity researchers have uncovered a sophisticated malvertising campaign designed to hijack Microsoft advertising accounts through deceptive Google Ads. These fraudulent ads redirect victims to phishing pages that harvest login credentials and two-factor authentication (2FA) codes.
According to Jérôme Segura, senior director of research at Malwarebytes, "These malicious ads, appearing on Google Search, aim to steal login credentials from users attempting to access Microsoft's advertising platform."
How the Scam Works
This attack follows a pattern similar to previous campaigns that leveraged sponsored Google Ads to target advertisers on the platform.
Targeted Keywords: Threat actors specifically target users searching on Google for terms like "Microsoft Ads". These users are tricked into clicking malicious links disguised as sponsored advertisements.
Evasion Techniques: The scammers employ advanced techniques to evade detection, including:
Redirecting VPN-originating traffic to a fake marketing website.
Using Cloudflare challenges to filter out bots and security crawlers.
Phishing Site: The attackers replicate the legitimate Microsoft Ads website (ads.microsoft[.]com) with a deceptive clone (ads.mcrosoftt[.]com) to steal login credentials and 2FA codes.
Rickrolling Distraction: If users attempt to visit the phishing site directly, they are redirected to a YouTube rickroll video, likely as a diversionary tactic.
Long-Running Phishing Operation
Researchers at Malwarebytes have identified additional phishing infrastructure linked to this campaign dating back several years. The investigation suggests that other advertising platforms, including Meta (Facebook Ads), may have also been targeted.
A key observation is that most phishing domains are hosted in Brazil or use the .com.br top-level domain (TLD). This mirrors a previous malvertising campaign that targeted Google Ads users, which was primarily hosted under the .pt TLD (Portugal).
Google’s Response
Google has been informed about this issue. In past instances, the company has emphasized its proactive stance against malicious ads and has implemented measures to detect and remove fraudulent advertising campaigns. However, the persistence of these scams highlights the ongoing challenges in securing online advertising platforms.
Smishing Attacks Exploit USPS Delivery Scams
In a related cybersecurity development, researchers have uncovered a widespread SMS phishing (smishing) campaign impersonating the United States Postal Service (USPS) to steal users' credentials and financial information.
Deceptive SMS Messages
The attack lures victims with fake delivery failure notifications, urging them to update their shipping address via a malicious PDF attachment.
The PDF contains a “Click Update” button that redirects users to a USPS phishing page.
Victims are asked to enter sensitive details such as mailing address, email, phone number, and payment card information.
Stolen data is encrypted and transmitted to a remote attacker-controlled server.
Advanced Evasion Tactics
Researchers at Zimperium zLabs discovered that this campaign employs sophisticated obfuscation methods:
Bypassing Security Filters: The PDFs embed malicious links without using the standard /URI tag, making detection difficult.
Exploiting Mobile Security Gaps: Cybercriminals leverage Apple iMessage vulnerabilities to bypass safety features that prevent users from clicking on phishing links from unknown senders.
Phishing-as-a-Service (PhaaS) Involvement: The campaign appears to be linked to Darcula, a notorious PhaaS toolkit used in over 100 countries to target postal services and major brands.
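The /URI observation above points to a simple triage check a defender can run on inbound PDF attachments. The script below is an added example written for this article, not code from Zimperium or any other vendor: it extracts URL-like strings from a PDF's raw bytes and from its inflated FlateDecode streams, then flags any URL that no /URI entry declares. The sample document, the usps-update.invalid host and the usps.com link inside it are constructed for the example.

```python
import re
import zlib

# Constructed sample: a tiny PDF-like document built for this example, not a
# file from the campaign. Object 4 declares its link the standard way (/URI);
# the compressed page content stream carries a second URL that no /URI declares.
URL_OUTSIDE = b"https://usps-update.invalid/track"
STREAM_DATA = b"BT /F1 12 Tf 72 700 Td (Click Update: " + URL_OUTSIDE + b") Tj ET"
COMPRESSED = zlib.compress(STREAM_DATA)

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710]\n"
    b"   /A << /S /URI /URI (https://www.usps.com/) >> >> endobj\n"
    b"5 0 obj << /Length " + str(len(COMPRESSED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + COMPRESSED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

URL_RE = re.compile(rb"https?://[^\s<>()\"']+")          # any URL-looking string
URI_ENTRY_RE = re.compile(rb"/URI\s*\((https?://[^)]*)\)")  # URLs declared via /URI
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Return the body of every stream, decompressed when it is deflated."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            bodies.append(m.group(1))  # not FlateDecode: keep the raw bytes
    return bodies


def find_urls(pdf: bytes) -> dict[str, str]:
    """Map each URL in the file to 'declared' (appears in a /URI entry) or
    'undeclared' (found only in raw bytes or inside a decompressed stream)."""
    declared = {u.decode("latin-1") for u in URI_ENTRY_RE.findall(pdf)}
    seen = set(URL_RE.findall(pdf))
    for body in inflate_streams(pdf):
        seen.update(URL_RE.findall(body))
    result = {}
    for raw in seen:
        url = raw.decode("latin-1").rstrip(".,;")
        result[url] = "declared" if url in declared else "undeclared"
    return result


def undeclared_urls(pdf: bytes) -> list[str]:
    """URLs worth a closer look: present in the file but not declared via /URI."""
    return sorted(u for u, kind in find_urls(pdf).items() if kind == "undeclared")


if __name__ == "__main__":
    for url, kind in sorted(find_urls(SAMPLE_PDF).items()):
        print(f"{kind:10s} {url}")
```

This is a byte-level heuristic for triage, not a parser: real attachments may use other filters, object streams or encryption that hide strings from a regex, so a hit list from this script should feed a proper PDF parser and URL reputation check rather than stand on its own.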
The Growing Threat of Mobile-Based Social Engineering
The success of these campaigns underscores the evolving tactics of cybercriminals, who are increasingly targeting mobile users with well-crafted phishing schemes.
According to Truman Kain, a security researcher at Huntress, "This attack is well-constructed, which explains why it's being seen so frequently in the wild. The simple truth is—it's working."
Protect Yourself from Malvertising and Smishing Scams
How to Avoid Malvertising Attacks:
Avoid clicking on sponsored ads for critical services like Microsoft Ads; instead, navigate directly to the official site.
Enable multi-factor authentication (MFA) to add an extra layer of security to your accounts.
Use a reputable ad blocker to reduce exposure to potentially harmful advertisements.
Verify URLs carefully before entering login credentials.
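"Verify URLs carefully" is easier to act on when a tool does the comparison for you. The script below is an added example written for this article (not code from Malwarebytes or any vendor) that classifies a login URL's host against an allowlist of expected sign-in hosts: exact or subdomain matches are "known", hosts that sit within two edits of a known registrable domain after folding common confusables (as ads.mcrosoftt[.]com does against ads.microsoft.com), or that reuse the brand name as a label of an unrelated domain, are "lookalike". The allowlist, the two-label suffix set standing in for the Public Suffix List, and the confusable map are assumptions for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumptions for this example: the sign-in hosts a user intends to reach, and
# a tiny stand-in for the Public Suffix List covering multi-label suffixes such
# as the .com.br the article mentions. Neither list comes from the article.
KNOWN_HOSTS = {"ads.microsoft.com", "login.microsoftonline.com", "www.usps.com"}
TWO_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}

# Character sequences commonly swapped for look-alikes. Applied only when
# comparing against known domains, never when deciding a host IS a known one.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0441": "c", "\u0440": "p",  # Cyrillic
}


def normalize(host: str) -> str:
    """Fold case, Unicode compatibility forms and the confusables above."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels, or three under a known two-label suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the host in url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    known_regs = {registrable(h) for h in KNOWN_HOSTS}
    if host in KNOWN_HOSTS or registrable(host) in known_regs:
        return "known"  # exact allowlisted host, or a subdomain of one
    norm_host = normalize(host)
    norm_reg = registrable(norm_host)
    for kr in known_regs:
        brand = kr.split(".")[0]
        if levenshtein(norm_reg, kr) <= 2:
            return "lookalike"  # e.g. mcrosoftt.com is two edits from microsoft.com
        if brand in norm_host.split("."):
            return "lookalike"  # brand name used as a label of an unrelated domain
    return "unknown"


if __name__ == "__main__":
    for u in ("https://ads.microsoft.com/", "https://ads.mcrosoftt.com/",
              "https://ads.rnicrosoft.com/", "https://usps.com.br.example/",
              "https://example.org/"):
        print(f"{classify(u):10s} {u}")
```

Two caveats for real use: an edit-distance threshold of 2 is too loose for short brand names (legitimate domains can sit that close to each other), so tune it per entry, and the two-label suffix set should be replaced by the full Public Suffix List so that .com.br-style registrations are split correctly.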
How to Stay Safe from Smishing Attacks:
Do not click on links in SMS messages from unknown numbers claiming to be from USPS or other organizations.
Verify the legitimacy of package delivery notices by manually visiting the official USPS website.
Report phishing messages to your mobile carrier or directly to USPS.
Enable security features on your phone, such as SMS filtering and two-factor authentication for financial accounts.
As cybercriminals refine their tactics, staying vigilant and informed is the best defense against these increasingly sophisticated threats.