Ads make the internet go round. And nobody does more with online ads than Google. 

Google is the leading ads provider on the Internet, and companies large and small–including this one–use their services. 

It’s simple and straightforward, and a great way to get the word out about your company or product.

Hackers are also using it as a way to redirect users to malicious sites.

In this attack brief, Harmony Email Researchers will discuss how hackers are including URL redirects within Google ads to lead end-users to malicious sites.   

Attack 

In this attack, hackers are placing URL redirects in Google ads to direct users to malicious sites.

  • Vector: Email 
  • Type: Malicious URL 
  • Techniques: Social Engineering, Impersonation, Credential Harvesting 
  • Target: Any end-user 

 
 

Email Example  

 

 

This email starts as an impersonation of a Microsoft voicemail notification. The hope is that, on seeing a missed voicemail, the user will click. Eagle-eyed end users, however, will see that the URL has nothing to do with Microsoft. It is a Google Ads URL. This is where the redirect begins.

 
 

The image above showcases the website and the source code. This phishing page has been taken down. But when looking at the source code, we can see a few things. 

It starts with this: http://googleads.g.doubleclick.net/aclk 

This is the base URL for Google Ads' click tracking and redirection service. 

Next, you’ll notice more in the URL string:  

sa=L&ai=CmBRS6TOcUvTZBovMigfX94GACYCTocQEuKWxkX-x0vmLARABIOP7kwNQifqY-_z_____AWDhBMgBBOACAKgDAZgEBaoE1AFP0ALgkjZKVvUxSnSuWkeFSFNffuSO5dCnJMIGyIkqDFkRF8eYaufj8cYni9vHgnB0CoavOE6xpbEJmyHHBwAlPz_d2FGbLThMxet7Jwa1ttuG-Ra-Z3qiGcP1AtbBPaaVhems6qZaEuh5uW_6frHsKFj9JzFXCosy_lymdkYusUwrP4KYWqLKBgq3JKhZ9M1TQJCl4-cS8QqW3Q86fNDN_C5pos5PCMbpO8ksttqfLva6pZ2B50C3gFXrFkqMlJtHotMjxk4BAcY6chemGQkjY7eFUuAEAaAGGYAHoJvBIQ&num=1&sig=AOD64_02ou2n7YbGVaREeu0Sada57olJYw&client=ca-pub-6219811747049371&adurl=//tinyurl%2ecom/5n8xt2mf?eq1=anZlcmJldGVuQGJrZC5jb20= 

These are the parameters used by Google Ads for tracking and analytics purposes, as well as the destination URL where the user will be redirected. 

Instead of placing a business URL, the hacker places the TinyURL. That’s where the end-user will go, and in this case, it’s a malicious site.  

adurl=//tinyurl%2ecom/5n8xt2mf?eq1=anZlcmJldGVuQGJrZC5jb20=  

Essentially, attackers are setting up a campaign using Google Ads and placing the redirect link in the URL.
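The following Python is an added example, not code from the original brief or from Check Point. It shows how a mail filter could unwrap an ad click link like the one above: pull out the adurl parameter, normalize the percent-encoded and scheme-relative destination, and flag a URL-shortener target or a base64-encoded email address in the destination's query. The function names, the shortener list and the sample link (built with placeholder ai and sig values and a made-up address) are assumptions for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

AD_CLICK_HOST = "googleads.g.doubleclick.net"   # click-tracking host named in this brief
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}  # illustrative list (assumption)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample shaped like the link in this brief; ai and sig are placeholders.
SAMPLE = ("http://googleads.g.doubleclick.net/aclk?sa=L&ai=PLACEHOLDER&num=1"
          "&sig=PLACEHOLDER&adurl=//tinyurl%2ecom/EXAMPLE?eq1=dXNlckBleGFtcGxlLmNvbQ==")


def decode_email(value):
    """Return the address if value is base64 of an email address, else None."""
    try:
        padded = value + "=" * (-len(value) % 4)
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if EMAIL_RE.match(text) else None


def inspect_ad_click(url):
    """Return findings for an ad click link, or None for any other URL."""
    outer = urlsplit(url)
    if outer.hostname != AD_CLICK_HOST or not outer.path.startswith("/aclk"):
        return None
    # parse_qsl splits each pair on the first "=" and percent-decodes, so the
    # unencoded "?eq1=..." stays inside adurl and "%2e" becomes ".".
    adurl = dict(parse_qsl(outer.query)).get("adurl", "")
    dest = urlsplit(adurl)  # also handles the scheme-relative "//host/path" form
    host = dest.hostname or ""
    emails = [e for _, v in parse_qsl(dest.query) if (e := decode_email(v))]
    return {
        "destination": adurl,
        "destination_host": host,
        "is_shortener": host in SHORTENERS,
        "embedded_emails": emails,
        "suspicious": host in SHORTENERS or bool(emails),
    }


if __name__ == "__main__":
    print(inspect_ad_click(SAMPLE))
```

A destination that carries its own unencoded "&" would be cut short by the outer query parser, so a production filter should also follow the redirect chain in a sandbox rather than rely on string parsing alone.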

Techniques 

Hackers will continue to use legitimate services to send phishing and malware.  

That’s because it’s incredibly difficult for security services to stop and for end-users to spot.

By leveraging the trust and legitimacy of services like Google Ads, hackers are succeeding in getting their intended URL or payload to users.

In this case, by sneaking a URL redirect into the parameters of a Google Ads script, the hackers can insert what they want with little notice.

We’ve seen examples of this with plenty of legitimate brands, like PayPal and QuickBooks. We call it BEC 3.0, the evolution of this most popular attack. Instead of spoofed CEOs or partners, this attack form references legitimate, not spoofed, sites.

We believe this is a true evolution in how hackers are operating. We predict that, by year’s end, this attack will become more and more popular. 

And, we predict, more and more damaging.  

Check Point informed Google of this research on July 5th via email. 

Best Practices: Guidance and Recommendations 

To guard against these attacks, security professionals can do the following: 

  • Implement security that uses AI to look at multiple indicators of phishing 
  • Implement full-suite security that can also scan documents and files
  • Implement robust URL protection that scans and emulates webpages