“Come for the Ads, Stay for the Phish: How Cybercrooks Turned Google Against Itself”

Picture yourself cruising the pleasant boulevards of the internet, happily believing that all is safe in the land of Google. You type in a search, blink twice, and—behold!—there’s an advertisement for Google Ads, perched right at the top, beaming with corporate pride. How comforting, you think, Google advertising its own service. Except, of course, it’s not really Google Ads. It’s a phishing page so masterfully disguised it could fool Sherlock Holmes under bright fluorescent lighting. In other words, it’s your garden-variety ironically brilliant, morally bankrupt cybercriminal scheme.

That’s right, criminals have apparently decided there’s no better place to be devious than on Google itself. It’s like setting up a lemonade stand on the front steps of City Hall to sell contraband lemonade—deliciously brazen, if you will. They’ve parked their little phishing pages on Google Sites, so that unsuspecting advertisers see a link as shiny and official as an Olympic medal. And because the domain is “sites.google.com,” this cunning carnival of fraud can parade around claiming it’s “totally and definitely Google,” giving you that warm, fuzzy feeling that you’re in the right place…right before it steals your login credentials.

According to those who’ve fallen for this trick (and lived to tell the tale), once your precious Google Ads account details are handed over to these modern-day pickpockets, you’re whisked through a multi-step fiasco involving suspicious cookies, out-of-the-blue login alerts from exotic locales, and—best of all—a convenient new “administrator” for your account. Imagine that: a bonus, uninvited caretaker who promptly changes the locks and starts spending your money like a tipsy tourist in Las Vegas.

We have at least three sets of overly ambitious criminals in this frantic global jamboree: Portuguese-speaking miscreants (likely hailing from Brazil), cunning Asia-based masterminds, and a group that, for all we know, could be Eastern European oligarch wannabes. Their ultimate plan is to nab your accounts, run them into the ground with shady advertisements, or flip them for profit on underground forums brimming with wide-eyed buyers. It’s effectively a tag-team of cyber-thieves chanting “Two-for-one Google Ads accounts, get ’em while they’re hot!”

Meanwhile, Google states (in a tone that suggests they’re mildly flabbergasted by the nerve of it all) that it strictly prohibits ads intended to hoodwink innocent advertisers. They’ve removed millions—nay, billions—of offending ads over the past year. But apparently these criminals didn’t get the memo. Because here they are, more persistent than a telemarketer during dinnertime. The brazen perseverance is, in a backhanded way, rather admirable—if you admire the type of person who’ll steal your wallet and then help you look for it.

In the ultimate twist of irony, many advertisers don’t dare use ad-blockers because they need to verify their own ads. Who could have guessed that good business sense would also make you a prime target for scammers? It’s as if you’re forced to keep the windows open to let in the sunshine, all the while knowing the neighborhood raccoons are fiendishly plotting to rummage through your refrigerator. But fear not: Google is on the case, investigating and working quickly—one must hope—to knock these crafty ads off the face of the web. Until then, keep an eye out for suspicious links, use two-factor authentication, and always remember the cardinal rule of the internet: if something looks too official to be true, it very well might be.