How scammers took over Google Ads with malvertising

by | Feb 3, 2023 | Business, Security, Web


The shiny new phishing tactic on the block is malvertising, or the efforts of threat actors to mimic a legitimate company’s website, landing pages, URL, and more. Google Ads has recently come under fire for its handling of final destination URLs, and for the relative ease with which hackers have mimicked legitimate websites and scored top ad positions.

Password managers like Bitwarden and 1Password have both reported being the targets of malvertisements. Users of both platforms report that searching for their password manager online returns official-looking but completely false Google advertisements.

Consumers are used to seeing companies in the top ad spots on Google. It is commonplace for a company to pay to advertise its own name, even if it would hold the top spot for that search regardless. Threat actors use this habitual presumption to gain an Internet user’s trust. There have also been reports of hackers being able to display a legitimate URL until the ad is clicked.

1Password and Bitwarden, two popular password managers, have both cited their concerns with this name-spoofing that can happen in the top spots of Google Ads. “” was the phony URL in this instance. From appearance alone, however, the threat actors were able to recreate Bitwarden’s website in a near copy. Creating a copy of the target’s website is a vital piece of t 

In this particular attack, the hackers’ aim was for a user to enter their login information on the spoofed website. In other cases, however, getting a user to unknowingly click a malicious link could be the hackers’ goal, with malicious software ready to deploy.

How can a threat actor mimic and claim legitimate domains in their Google Ads? Critics, advertisers, and companies alike are asking this. There are a few possibilities.  

At one point, Google allowed an advertiser to display a URL different from the final URL, the actual address of the link. However, this has been impossible for the past few years, with Google recently allowing only the link paths to be changed.

In an IDN Homograph Attack, a threat actor uses another character set to claim a domain that may appear identical to the real one. Google Ads would recognize this as a separate domain from that of the company being mimicked. IronGeek has a free tool that shows people just how easy it would be to create a homograph.
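A defender-side check for the homograph case described above, as an added example that is not from the original article. It converts a displayed domain to the Punycode form that DNS resolves, flags labels that mix scripts, and compares a de-confused "skeleton" against an allowlist; the trusted domains, sample inputs and the small lookalike table are constructed for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic-to-Latin lookalikes (assumption for this
# example). A production check would load the full Unicode confusables data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
})

# Constructed allowlist of domains the organisation really owns.
TRUSTED = {"example.com", "scope.example"}


def scripts(label):
    """Return the set of scripts used by the letters of one DNS label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def check_domain(domain, trusted=TRUSTED):
    """Classify a displayed domain against a set of trusted ASCII domains."""
    domain = domain.lower().rstrip(".")
    skeleton = domain.translate(CONFUSABLES)
    is_lookalike = skeleton in trusted and domain not in trusted
    return {
        # The form DNS actually resolves; xn-- labels reveal non-ASCII input.
        "punycode": domain.encode("idna").decode("ascii"),
        # Latin and Cyrillic letters inside one label is a strong signal.
        "mixed_script": any(len(scripts(l)) > 1 for l in domain.split(".")),
        # Renders like a trusted name but is not that name.
        "lookalike_of": skeleton if is_lookalike else None,
    }


if __name__ == "__main__":
    samples = [
        "example.com",                             # genuine
        "ex\u0430mple.com",                        # one Cyrillic letter
        "\u0455\u0441\u043e\u0440\u0435.example",  # label entirely Cyrillic
    ]
    for s in samples:
        print(ascii(s), check_domain(s))
```

The third sample shows why the mixed-script test alone is not enough: a label written entirely in Cyrillic passes it and is only caught by the skeleton comparison.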

An update Google sent to advertisers in January 2023 reveals its most recent efforts to lessen malicious campaigns:

[Image: Notice from Google to advertisers about a change in policy.]

In other words, they are clarifying their policies in order to more easily crack down on threat actors. If Google Ads is paying attention to the voiced security threats as well as the concerns of paying advertisers, then this will include those who spoof domain names for nefarious purposes.