Hackers have been detected abusing a Google Ads feature to deliver adult websites and infostealing (opens in new tab) websites to unsuspecting victims.
Google Ads, the search engine giant’s advertising platform, has a feature allowing users to invite other people to the account administration interface.
The invitations get sent via email, from Google’s official email address – firstname.lastname@example.org. As these emails are technically sent by Google, email security services see them as legitimate and let them pass, so most of them end up in the victims’ inboxes, rather than the spam folder, or similar.
Collecting personal data
The URLs being shared with these emails redirect the recipients to “dodgy websites” that host adult content. Some websites “appear to be designed to collect personal information from visitors”. More details were not shared.
In any case, people have taken to Reddit and other forums to share their stories and their frustration with Google, the publication further states. “It would be nice if Google would get a handle on their products so their users aren’t having to constantly guard against phishing scams,” one user was cited saying.
Google, on the other hand, seems to be aware of the creative way its tools are being abused and is doing something about it. How long before we see the results of that work, remains to be seen:
“Our security teams are aware of this spam content and are working hard, as always, to stay ahead and keep our users safe,” a Google spokesperson said in a statement to BleepingComputer.
“We have strict Google Ads policies against misrepresentation and have taken appropriate action. We encourage users to report messages when they receive emails containing spam links to help us take appropriate action on accounts involved in the spam.”
Via: BleepingComputer (opens in new tab)