Ad-ventures: Investigating the Misuse of Google Ads in Malvertising Campaigns


In the sprawling extent of the internet, Google Ads has become a beacon for businesses looking for a digital presence. Its ability to connect products and services with prospective customers is unrivaled. However, the exact mechanisms intended to foster commercial success have been hijacked by threat actors.

These attackers use Google Ads to conduct malvertising and phishing campaigns, skillfully concealing risks behind seemingly genuine ads. This hidden underworld of digital advertising endangers unknowing individuals while jeopardizing internet platforms’ integrity. As we work through the complexities of these deceptive activities, it’s critical to grasp the implications for both individual security and the larger internet ecosystem.

What is Malvertising?

Malvertising, an acronym for “malicious advertising,” is the practice of injecting malware into digital advertisements. Cybercriminals can disguise their malware as legitimate commercials using platforms such as Google Ads thanks to its broad reach and sophisticated targeting capabilities.

These advertisements appear on trustworthy websites without the site owner’s knowledge or that of the advertising network. When users click on these advertisements, they are unknowingly exposed to malware, which can result in data theft, ransomware, and other cyber risks.

Malvertising with Google Ads works by having a threat actor create an advertisement that appears benign on the surface. This advertisement, however, has malicious code or malicious laced files/pdf’s/APK’s. When accepted, the ad is displayed throughout Google’s extensive advertising network, including websites, videos, and apps that millions of people trust and use daily, thus leading to privacy invasion, potential identity theft, and the compromise of personal devices and personal identifiable information (PII).

Real-World Example

The researchers at Bolster found a pattern on the CheckPhish platform, where multiple brands were targeted by misusing Google Ads to make the user click on their website/link instead of the legitimate website.

How it Works

Cybercriminals are taking advantage of Google’s advertising network by purchasing advertisement spaces for frequently searched keywords and related misspellings. (It is common for consumers to run a search engine query and perform a quick search for a desired website without typing the full URL.) Users frequently click on the first link displayed in the search results, regardless of whether it is an advertisement or an organic ranking.

Keyword Hijacking: Advertisers buy advertising for popular keywords and common misspellings to target visitors looking for legitimate services or products.

Ad Content Mimicry: Malicious ads closely resemble genuine ads’ graphic and content styles, deceiving consumers into believing they are clicking on a trustworthy link.

Malicious Landing Pages: When users click on the ad, they are directed to landing pages that may include malware, collect personal information, or deceive them into fraudulent transactions.

Use of Redirects: To avoid detection, these campaigns frequently use several redirections, taking the user through several domains before arriving at the ultimate malicious website.

Exploiting Trust in Google’s Platform: By utilizing the credibility associated with Google Ads, attackers obtain a sense of legitimacy, increasing the effectiveness of their malvertising efforts.

An example of amazan[.]com is demonstrated below, which leads to downloading and installing a fastblock application having a serving IP of 178[.]128[.]246[.]195.

Amazan[.]com leading to download adblocker, which is malicious
Numerous brands, including but not limited to Amazon, Adidas, Notion, and Weebly, have been targeted in malvertising campaigns aimed to deceive unwary consumers. An example comparison of how Adidas has been impacted is shown below.

Side-by-side comparison of websites
Side-by-side comparison of websites


As noted here, “A growing body of evidence from industry, MITRE, and government experimentation confirms that collecting and filtering data based on knowledge of adversary tactics, techniques, and procedures (TTPs) is an effective method for detecting malicious activity”

Said differently, understanding the tactics and techniques is critical for creating strong security measures and preventing potential threats.

The Mitre TTP is given below:

ID Tactic Technique Procedure
T1583.008 Resource
Spoofed adverts might mislead users into clicking on them, which may subsequently redirect them to a malicious domain that is a clone of legitimate ones carrying trojanized versions of the advertised software.
T1189 Initial Access Drive-by
A legitimate website is infiltrated when adversaries add malicious code such as JavaScript, iFrames, or cross-site scripting. Malicious advertisements are paid for and served by genuine ad networks.
T1608.004 Resource
Drive-by Target
Adversaries may set up an operating environment to infect systems that visit a website during routine browsing. Endpoint systems may be hacked by surfing to adversary-controlled websites.



Impact & Mitigation

Impact Mitigation
Malvertising through Google Ads can increase the frequency of security breaches, exposing sensitive user and corporate data to unauthorized access. Report fake ads on the following websites:
Facebook: Support Page
Instagram: Support Page
Google: Support Page
Loss of trust and reputation, financial loss. Use ad-blocking software to keep fraudulent advertisements from being displayed.


Though advantageous, the swift shift to digital platforms presents numerous prospects for cybercriminals skilled in taking advantage of weaknesses for malicious advertising operations. These deceptive efforts provide an outlet for the stealthy collection of sensitive information, posing significant hazards to individuals and businesses. Malvertising is a more subtle threat, collecting and distributing personal and financial information without detection and frequently overcoming traditional security measures.

Proactive investigation and vigilant monitoring are critical for detecting and limiting the efforts of individuals behind malvertising campaigns, especially when new methods of attack arise. Our analysis emphasizes the significance of maintaining ongoing monitoring and developing forward-thinking measures to combat these dangers.

Bolster’s anti-phishing and domain monitoring technology protects your business from evolving phishing threats. With continuous scanning technology that quickly identifies threats and misuse of your branded assets, you can trust Bolster will protect your business.

See Bolster in action when you request a demo.



Advertisement on cybercrime forum on darkweb
Sample of dashboard indicating traffic and sales on ads shared by threat actor


Advertisement on cybercrime forum on darkweb