Cybersecurity researchers have discovered a malvertising campaign that’s targeting Microsoft advertisers with bogus Google ads that aim to take them to phishing pages that are capable of harvesting their credentials.
“These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft’s advertising platform,” Jérôme Segura, senior director of research at Malwarebytes, said in a Thursday report.
The findings came a few weeks after the cybersecurity company exposed a similar campaign that leveraged sponsored Google Ads to target individuals and businesses advertising via the search giant’s advertising platform.
The latest set of attacks targets users who search for terms like “Microsoft Ads” on Google Search, hoping to trick them into clicking on malicious links served in the form of sponsored ads in the search results pages.
At the same time, the threat actors behind the campaign employ several techniques to evade detection by security tools. This includes redirecting traffic originating from VPNs to a phony marketing website. Site visitors are also served Cloudflare challenges in an attempt to filter out bots.
Last but not least, users who attempt to directly visit the final landing page (“ads.mcrosoftt[.]com”) are rickrolled by redirecting them to a YouTube video linked to the famous internet meme.
The phishing page is a lookalike version of its legitimate counterpart (“ads.microsoft[.]com”) that’s designed to capture the victim’s login credentials and two-factor authentication (2FA) codes, granting the attackers the ability to hijack their accounts.
Malwarebytes said it identified additional phishing infrastructure targeting Microsoft accounts going back to a couple of years, suggesting that the campaign has been ongoing for some time and that it may have also targeted other advertising platforms like Meta.
Another notable aspect is that a majority of the phishing domains are either hosted in Brazil or have the “.com.br” Brazilian top-level domain, drawing parallels to the campaign aimed at Google Ads users, which was predominantly hosted on the “.pt” TLD.
The Hacker News has reached out to Google for comment, but the company previously told The Hacker News that it takes steps to prohibit ads that seek to dupe users with the goal of stealing their information, and that it has been actively working to enforce countermeasures against such efforts.
Smishing Attacks Impersonate USPS
The disclosure follows the emergence of an SMS phishing campaign that employs failed package delivery lures to exclusively target mobile device users by impersonating the United States Postal Service (USPS).
“This campaign employs sophisticated social engineering tactics and a never-before-seen means of obfuscation to deliver malicious PDF files designed to steal credentials and compromise sensitive data,” Zimperium zLabs researcher Fernando Ortega said in a report published this week.
The messages urge recipients to open an accompanying PDF file to update their address to complete the delivery. Present within the PDF document is a “Click Update” button that directs the victim to a USPS phishing web page, where they are asked to enter their mailing address, email address, and phone number.
The phishing page is also equipped to capture their payment card details under the guise of a service charge for redelivery. The entered data is then encrypted and transmitted to a remote server under the attacker’s control. As many as 20 malicious PDFs and 630 phishing pages have been detected as part of the campaign, indicating a large-scale operation.
“The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, making it more challenging to extract URLs during analysis,” Ortega noted. “This method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions.”
The activity is a sign that cybercriminals are exploiting security gaps in mobile devices to pull off social engineering attacks that capitalize on users’ trust in popular brands and official-looking communications.
Similar USPS-themed smishing attacks have also utilized Apple’s iMessage to deliver the phishing pages, a technique known to be adopted by a Chinese-speaking threat actor, Smishing Triad.
Such messages also cleverly attempt to bypass a safety measure in iMessage that prevents links from being clickable unless the message is from a known sender or from an account to which a user replies. This is accomplished by including a “Please reply to Y” or “Please reply to 1” message in a bid to turn off iMessage’s built-in phishing protection.
It’s worth noting that this approach has been previously associated with a phishing-as-a-service (PhaaS) toolkit named Darcula, which has been used to extensively target postal services like USPS and other established organizations in more than 100 countries.
“The scammers have constructed this attack relatively well, which is probably why it’s being seen so often in the wild,” Huntress researcher Truman Kain said. “The simple truth is it’s working.”
