PhishLabs By HelpSystems Identifies Phishing Campaigns That Are Abusing Google Ad Click Tracking Redirects

PhishLabs by HelpSystems has identified attackers leveraging a weakness in Google’s ad service to carry out phishing campaigns against U.S. and Canadian financial institutions. The attackers abuse the fact that the URL shown in a Google Ad is not the linked site but rather the final destination reached after any redirects. By using conditional redirects, they create ads that appear legitimate but redirect to hostile sites.

In these attacks, both the ad text and the link shown on hover falsely indicate that the user will be taken to the targeted organization’s legitimate site. When the user clicks on the ad, they are routed through multiple redirects before landing on a phishing page.

Malicious Google Ad 

Legitimate click tracking redirects begin at Google Ads and are routed through numerous click trackers before landing at their desired destination. Google Ads display the user’s final landing page due to client preference that the ad link not display the click tracker. In these attacks, threat actors create their own redirects, which they set up to lead to the legitimate site. 

When Google traces the redirects, it sees the appropriate site and has the ad display the legitimate URL. Threat actors then configure the redirect to use certain criteria, such as geolocation, to direct certain users to a phishing site. These campaigns are potentially utilizing other obfuscation techniques to evade detection by Google as well.

In the example below, attackers have incorporated a redirect that is not only malicious, but also contains logic that will hide its true destination. When Google attempts to determine where the user will land, they see a legitimate credit union site. As a result, they will only display the credit union URL. If the end user clicks on the ad, they will instead land on a different site that is malicious. In this case, the redirect would only display the phishing site if the user IP was based in Minnesota. 

Stacy Shelley, VP of marketing for email security and digital risk protection at PhishLabs by HelpSystems, says:

“It used to be the case that when you hover over a Google Ad, you would see a Google tracking link, and that made it very easy to abuse. So, Google started processing all the redirects until it gets to the final landing page. If the page is legit, the ad will be published with the final landing page as the hover link (no redirects displayed).

“What we’re seeing indicates there are weaknesses in that process that threat actors are exploiting. They use conditional geolocation logic to present the legitimate landing page when Google scans their ad. Google publishes the ad and displays the legit landing URL on hover. As a result, you get a more convincing ad experience (no odd URL) that still redirects targeted victims to a malicious site.”
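A defender-side check for the behavior described above, added here as an example and not PhishLabs' or Google's code: it takes the redirect chains recorded when the same ad is followed from several vantage points and flags the ad when the landing host differs from the displayed host for only some of them. The function names, vantage labels and `.example` hosts are assumptions, and the chains are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed redirect chains for one ad, recorded from three vantage points.
# Hosts use the reserved .example TLD; the vantage labels are assumptions.
SAMPLE = {
    "review-scanner": ["https://ads.example/click?id=1",
                       "https://tracker.example/r?c=42",
                       "https://www.creditunion.example/"],
    "CA-ON": ["https://ads.example/click?id=1",
              "https://tracker.example/r?c=42",
              "https://www.creditunion.example/"],
    "US-MN": ["https://ads.example/click?id=1",
              "https://tracker.example/r?c=42",
              "https://secure-login.example/creditunion/"],
}


def host(url):
    """Lower-cased hostname of a URL, without a leading 'www.'."""
    name = (urlsplit(url).hostname or "").lower()
    return name[4:] if name.startswith("www.") else name


def audit_ad(display_url, observations):
    """Compare each vantage point's landing host with the ad's display host."""
    expected = host(display_url)
    mismatches, observed = {}, 0
    for vantage, chain in observations.items():
        if not chain:            # failed fetch: nothing to compare
            continue
        observed += 1
        landing = host(chain[-1])
        # Exact host or a true subdomain of the displayed host is accepted.
        if landing != expected and not landing.endswith("." + expected):
            mismatches[vantage] = landing
    return {
        "display_host": expected,
        "mismatches": mismatches,
        # Some vantages land on the displayed site and some do not:
        # the signature of a conditional redirect.
        "conditional": 0 < len(mismatches) < observed,
        "suspicious": bool(mismatches),
    }


if __name__ == "__main__":
    print(audit_ad("https://www.creditunion.example/", SAMPLE))
```

A single vantage point cannot reveal this pattern, so the comparison is only meaningful when the chains come from locations that differ in the criteria the redirect might test.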

PhishLabs Actions 

PhishLabs has technology in place to monitor Google Ads for malicious content targeting its client base. With the recent change in behavior, the company is in the process of enhancing detection capabilities for these threats. 

PhishLabs is actively working with Google, providing information on the observed behavior to reduce the prevalence of these threats and sharing live threat examples as they are detected. Google is also working on implementing preventative measures.

Thanks to PhishLabs By HelpSystems for supplying me with all of this information so that I could present it to you.
