Google ads lead to major malvertising campaign

Fraudsters abused Google’s ad network to redirect users who searched for popular brands to a network of tech-support scam pages. The operation used cloaking, multi-stage redirects, and iframe-based browser lockers hosted on cloud platforms to deliver the scam, while the pages a reviewer or scanner saw looked like legitimate brand sites with legitimate-looking URLs.
#GoogleAds #Cloaking #Malvertising #BrowserLocker #CloudFront #DigitalOcean #Azure #Walmart #YouTube #Facebook

Keypoints

  • Campaign uses Google’s ad network to bid on popular keywords and typos, steering users toward malicious content.
  • Victims typically click the first search result, which is frequently a paid ad rather than an organic result, and are redirected from there to attacker infrastructure.
  • Cloaking hides the true destination: reviewers, crawlers and scanners are shown a legitimate-looking domain and decoy page, while real visitors receive content served from attacker-controlled infrastructure. Google treats this as a violation of its Webmaster Guidelines.
  • Malicious traffic flows involve multi-stage redirects and an iframe-based browser locker, with decoy pages that mimic legitimate sites.
  • Attackers diversified infrastructure across paid VPS, disposable domains, and various cloud platforms to resist takedowns.
  • The campaign ran for weeks with high exposure, and protections were available via Malwarebytes and Browser Guard’s gTLD blocking.
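The cloaking behaviour described above (decoy for reviewers and scanners, redirect for real ad clicks) can only be confirmed differentially: request the same landing URL as several kinds of visitor and compare what comes back. The probe below is an added example, not tooling from the Malwarebytes write-up. The visitor profiles, the landing URL and the stage-2 host are assumptions for the example; the HTTP client is injected as a callable so the code runs offline against a constructed stand-in server, and a real fetcher (for instance one wrapping `requests.get(url, headers=headers).text`) can be swapped in for live use.

```python
"""Differential cloaking probe (added example, not from the original post).

Fetch one landing URL under several visitor profiles and compare the bodies.
A cloaked page serves the decoy to review crawlers and scanners and hands the
redirect only to what looks like a genuine ad click from a real browser.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Visitor profiles (assumed for this example): a Chrome user arriving from a
# Google search page, Google's crawler, and a bare command-line scanner.
PROFILES: Dict[str, Dict[str, str]] = {
    "ad_click": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0",
                 "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "scanner": {"User-Agent": "curl/7.81.0"},
}

# Navigation targets a cloaking service hands out: meta refresh, JS location, iframe src.
TARGET_RE = re.compile(
    r"(?:http-equiv=[\"']?refresh[\"']?[^>]*url=|location(?:\.href)?\s*=\s*[\"']|<iframe[^>]+src=[\"'])([^\"'>\s]+)",
    re.I)

# fetch(url, headers) -> response body
Fetcher = Callable[[str, Dict[str, str]], str]


@dataclass
class ProbeResult:
    url: str
    body_hash: Dict[str, str] = field(default_factory=dict)   # profile -> sha256 prefix
    targets: Dict[str, List[str]] = field(default_factory=dict)  # profile -> redirect targets

    @property
    def cloaked(self) -> bool:
        # Different bodies for different visitors of the same URL is the cloaking signature.
        return len(set(self.body_hash.values())) > 1


def probe(url: str, fetch: Fetcher) -> ProbeResult:
    result = ProbeResult(url)
    for name, headers in PROFILES.items():
        body = fetch(url, headers)
        result.body_hash[name] = hashlib.sha256(body.encode()).hexdigest()[:16]
        result.targets[name] = TARGET_RE.findall(body)
    return result


# --- Constructed stand-in servers so the probe runs offline ---------------
DECOY = "<html><body><h1>Welcome to our store</h1><p>Today's deals.</p></body></html>"
PAYLOAD = ('<html><head><meta http-equiv="refresh" content="0;url=https://stage2.example/go">'
           '</head><body></body></html>')


def cloaked_server(url: str, headers: Dict[str, str]) -> str:
    """Mimics a cloaker: redirect only real-looking browsers coming from Google."""
    ua = headers.get("User-Agent", "")
    from_google = headers.get("Referer", "").startswith("https://www.google.")
    real_user = "Chrome" in ua and "bot" not in ua.lower()
    return PAYLOAD if (real_user and from_google) else DECOY


def honest_server(url: str, headers: Dict[str, str]) -> str:
    """Control: same decoy for everyone, so the probe must report no cloaking."""
    return DECOY


if __name__ == "__main__":
    r = probe("https://landing.example/", cloaked_server)
    print("cloaked:", r.cloaked, r.targets)
```

Two caveats for live use: commercial cloaking services also key on the client's IP (geolocation and ASN) and on the click parameters carried in the ad URL, so the "ad click" profile has to egress from an IP in the targeted region and request the full URL exactly as the ad delivers it; and a body hash is deliberately coarse, so pages with per-request nonces or timestamps need a normalising step before comparison.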

MITRE Techniques

  • [T1189] Drive-by Compromise – The threat actors abuse Google’s ad network to redirect visitors to an attacker-controlled infrastructure. “The threat actors are abusing Google’s ad network by purchasing ad space for popular keywords and their associated typos.”
  • [T1036] Masquerading – Cloaking to present legitimate domain while content is loaded from attacker infrastructure. “Cloaking is considered a violation of Google’s Webmaster Guidelines because it provides our users with different results than they expected.”
  • [T1027] Obfuscated/Compressed Files and Information – Redirection mechanism engineered to be difficult to analyze statically. “The redirection mechanism is engineered in such a way that static analysis of the HTML code is difficult and does not give away the browser locker URL easily.”
  • [T1583] Acquire Infrastructure – Attackers used multiple cloud platforms and disposable domains; diversification to host malicious content. “Specifically, we see the threat actor using more expensive domains mixed with disposable domains on shady TLDs… diversified between paid VPS on hosting companies and free cloud providers (PaaS).”
  • [T1204.001] User Execution: Malicious Link – Users click on ads, leading to malicious content; victims rely on search results to reach sites. “Victims were simply trying to visit those websites and relied on Google Search to take them there.”
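The write-up notes that the redirection mechanism is built so that static analysis of the HTML does not give away the browser-locker URL easily. In practice that usually means the targets are hidden behind cheap string obfuscation (base64 via `atob`, `String.fromCharCode`, hex escapes, split literals) and the locker iframe is written from script rather than present in the markup. The triage script below is an added example, not tooling from the post: it undoes those literal-level tricks, recovers every navigation target, and flags targets on a bare IP or a disposable TLD, matching the infrastructure pattern described in the Keypoints. `SAMPLE_HTML` is a constructed page; `203.0.113.7` and `decoy-shop.example` are documentation placeholders, and the `.ga` domain is the one listed in the Indicators of Compromise below.

```python
"""Static triage of a cloaked landing page (added example, not from the post).

Undo the common JavaScript string obfuscations that hide redirect targets,
then collect every navigation target (meta refresh, iframe src, URL literals
in script) and flag the ones hosted on a bare IP or a disposable TLD.
"""
import base64
import binascii
import re
from typing import Dict, List
from urllib.parse import urlparse

# Disposable TLDs to flag; the list is an assumption for this example.
DISPOSABLE_TLDS = {"ga", "tk", "ml", "cf", "gq"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
META_REFRESH_RE = re.compile(r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*url=([^\"'>\s]+)", re.I)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def deobfuscate_js(js: str) -> str:
    """Rewrite a script body so obfuscated string literals become plain text.
    Only literal-level tricks are handled; variable dataflow is not resolved."""
    # String.fromCharCode(104,116,...)  ->  "ht..."
    js = re.sub(r"String\.fromCharCode\(\s*([\d\s,]+)\)",
                lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + '"',
                js)

    # atob("aHR0...")  ->  "http..."   (left untouched if it is not valid base64)
    def _atob(m):
        try:
            return '"' + base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace") + '"'
        except (binascii.Error, ValueError):
            return m.group(0)
    js = re.sub(r"atob\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)", _atob, js)

    # "\x68\x74"  ->  "ht"
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    # "ht" + "tp"  ->  "http"   (join split literals)
    js = re.sub(r"[\"']\s*\+\s*[\"']", "", js)
    return js


def classify(url: str) -> List[str]:
    """Infrastructure flags on a recovered target."""
    flags: List[str] = []
    host = urlparse(url).hostname or ""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        flags.append("bare IP host")
    tld = host.rsplit(".", 1)[-1].lower()
    if tld in DISPOSABLE_TLDS:
        flags.append(f"disposable TLD .{tld}")
    return flags


def triage(html: str) -> Dict[str, object]:
    targets = set(META_REFRESH_RE.findall(html)) | set(IFRAME_RE.findall(html))
    script_writes_iframe = False
    for js in SCRIPT_RE.findall(html):
        clear = deobfuscate_js(js)
        targets.update(URL_RE.findall(clear))
        # An iframe assembled and written from script is the browser-locker pattern.
        script_writes_iframe |= "<iframe" in clear.lower()
    return {
        "targets": {u: classify(u) for u in sorted(targets)},
        "script_writes_iframe": script_writes_iframe,
    }


# Constructed sample page: decoy meta refresh, base64-hidden stage-2 host,
# hex-escaped and split locker URL, and an iframe tag built from char codes.
SAMPLE_HTML = """<html><head><title>Deals</title>
<meta http-equiv="refresh" content="30;url=https://decoy-shop.example/">
</head><body><p>Loading your deals...</p>
<script>
var next = atob("aHR0cHM6Ly9zc2d2YmN4Y2MuZ2Ev");
var lock = "\\x68\\x74\\x74\\x70://203.0.113.7/" + "lo" + "ck.html";
document.write(String.fromCharCode(60,105,102,114,97,109,101) +
  ' style="position:fixed;top:0;left:0;width:100%;height:100%" src="' + lock + '"></iframe>');
</script></body></html>"""

if __name__ == "__main__":
    report = triage(SAMPLE_HTML)
    for url, flags in report["targets"].items():
        print(url, flags)
    print("iframe written from script:", report["script_writes_iframe"])
```

The script is a first pass, not a replacement for running the page in an instrumented browser: anything that needs dataflow (a host assembled from several variables, an XOR-decoded blob, a target fetched from a second stage) will not be recovered statically, which is exactly the property the write-up observed. Use the static result to decide which hosts to block and which samples deserve dynamic analysis.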

Indicators of Compromise

  • [Domain] Cloaking/malvertising infrastructure – gettouy[.]org, ssgvbcxcc[.]ga
  • [IP Address] Browser locker host – 159.203.183[.]136

Read more: https://blog.malwarebytes.com/threat-intelligence/2022/07/google-ads-lead-to-major-malvertising-campaign/