Ptechhub

Malvertising Scam Uses Fake Google Ads to Hijack Microsoft Advertising Accounts

The Hacker News by The Hacker News
February 1, 2025


Feb 01, 2025Ravie LakshmananMalvertising / Mobile Security

Cybersecurity researchers have discovered a malvertising campaign that targets Microsoft advertisers with bogus Google ads that lead to phishing pages built to harvest their credentials.

“These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft’s advertising platform,” Jérôme Segura, senior director of research at Malwarebytes, said in a Thursday report.

The findings came a few weeks after the cybersecurity company exposed a similar campaign that leveraged sponsored Google Ads to target individuals and businesses advertising via the search giant’s advertising platform.

The latest set of attacks targets users who search for terms like “Microsoft Ads” on Google Search, hoping to trick them into clicking on malicious links served in the form of sponsored ads in the search results pages.

At the same time, the threat actors behind the campaign employ several techniques to evade detection by security tools. This includes redirecting traffic originating from VPNs to a phony marketing website. Site visitors are also served Cloudflare challenges in an attempt to filter out bots.

Last but not least, users who attempt to visit the final landing page (“ads.mcrosoftt[.]com”) directly are rickrolled: they are redirected to a YouTube video of the famous internet meme.

The phishing page is a lookalike version of its legitimate counterpart (“ads.microsoft[.]com”) that’s designed to capture the victim’s login credentials and two-factor authentication (2FA) codes, granting the attackers the ability to hijack their accounts.
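A defender can catch this kind of lookalike hostname in proxy or DNS logs by comparing each label against protected brand names with an edit-distance threshold. The following is an added example, not code from Malwarebytes or the article; the `PROTECTED` allow-list, the threshold and every sample hostname other than the two quoted above are assumptions made for illustration.

```python
# Added example: flag hostnames whose labels are near-misses of a protected brand.
# PROTECTED, MAX_DISTANCE and the constructed sample hosts are assumptions.

PROTECTED = {"microsoft": {"microsoft.com"}}  # brand label -> legitimate domains
MAX_DISTANCE = 2  # edits tolerated before a label stops counting as a lookalike


def refang(host: str) -> str:
    """Undo the [.] defanging used in reports and normalise case."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def classify(host: str) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated' for one hostname."""
    host = refang(host)
    # Hosts under a legitimate domain are never flagged.
    if any(host == d or host.endswith("." + d)
           for domains in PROTECTED.values() for d in domains):
        return "legitimate"
    for brand in PROTECTED:
        # Distance 0 (exact brand label on a foreign domain) is suspicious too.
        if any(osa_distance(label, brand) <= MAX_DISTANCE for label in host.split(".")):
            return f"lookalike:{brand}"
    return "unrelated"


SAMPLE_HOSTS = [  # first two are quoted in the article; the rest are constructed
    "ads.microsoft[.]com", "ads.mcrosoftt[.]com",
    "microsoft.example.com.br", "ads.example.org",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:30} {classify(h)}")
```

The threshold trades recall for noise: short brand labels need a lower `MAX_DISTANCE` to avoid matching unrelated words.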

Malwarebytes said it identified additional phishing infrastructure targeting Microsoft accounts going back a couple of years, suggesting that the campaign has been ongoing for some time and that it may have also targeted other advertising platforms like Meta.

Another notable aspect is that a majority of the phishing domains are either hosted in Brazil or have the “.com.br” Brazilian top-level domain, drawing parallels to the campaign aimed at Google Ads users, which was predominantly hosted on the “.pt” TLD.

The Hacker News has reached out to Google for comment, but the company previously told The Hacker News that it takes steps to prohibit ads that seek to dupe users with the goal of stealing their information, and that it has been actively working to enforce countermeasures against such efforts.

Smishing Attacks Impersonate USPS

The disclosure follows the emergence of an SMS phishing campaign that employs failed package delivery lures to exclusively target mobile device users by impersonating the United States Postal Service (USPS).

“This campaign employs sophisticated social engineering tactics and a never-before-seen means of obfuscation to deliver malicious PDF files designed to steal credentials and compromise sensitive data,” Zimperium zLabs researcher Fernando Ortega said in a report published this week.

The messages urge recipients to open an accompanying PDF file to update their address to complete the delivery. Present within the PDF document is a “Click Update” button that directs the victim to a USPS phishing web page, where they are asked to enter their mailing address, email address, and phone number.

The phishing page is also equipped to capture their payment card details under the guise of a service charge for redelivery. The entered data is then encrypted and transmitted to a remote server under the attacker’s control. As many as 20 malicious PDFs and 630 phishing pages have been detected as part of the campaign, indicating a large-scale operation.

“The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, making it more challenging to extract URLs during analysis,” Ortega noted. “This method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions.”

The activity is a sign that cybercriminals are exploiting security gaps in mobile devices to pull off social engineering attacks that capitalize on users’ trust in popular brands and official-looking communications.

Similar USPS-themed smishing attacks have also utilized Apple’s iMessage to deliver the phishing pages, a technique known to be adopted by a Chinese-speaking threat actor, Smishing Triad.

Such messages also cleverly attempt to bypass a safety measure in iMessage that prevents links from being clickable unless the message is from a known sender or from an account to which a user replies. This is accomplished by including a “Please reply to Y” or “Please reply to 1” message in a bid to turn off iMessage’s built-in phishing protection.

It’s worth noting that this approach has been previously associated with a phishing-as-a-service (PhaaS) toolkit named Darcula, which has been used to extensively target postal services like USPS and other established organizations in more than 100 countries.

“The scammers have constructed this attack relatively well, which is probably why it’s being seen so often in the wild,” Huntress researcher Truman Kain said. “The simple truth is it’s working.”
