Phishing with Google ads for Google ads users
While trying to log into to google ads, my father noticed a very suspicious link containing Russian text. Let’s investigate!
I decided to repeat his search, from a different part of country, with my ad blocker off, and I got the same ad!
Well, if you know enough to be using google ads, you hopefully wouldn’t click on the link above. However, if you are using Russian Google, the scam ad does not look out of place:
So, what happens when you click on it?
Clicking on the ad takes us to sites.google.com/view/westlake-physitarist/, which contains a lower-resolution screenshot of the normal google ads website.
The webpage was just updated and archive.org does not have a cache of the previous version.
Clicking anywhere on the page takes you to ads-googjle.com (which I don’t suggest you go to!)
How does this website work?
When you enter your username on this website, it does a lookup of the username using heroku.
Once you click “next”, it sends a request to google-lookup.herokuapp.com, with the login name.
If the account name is not found, the google-lookup tool replies with NOT_FOUND being true.
Luckily for people on the internet, and unluckily for me, it seems to return NOT_FOUND:true even when I use a burner google account of mine.
It can be assumed that if NOT_FOUND was false, it would prompt for a password, and walk you through the login process until your account is compromised.
They are even prepared for two factor authentication. Nothing unseen in today’s day and age, but interesting nonetheless.
Alexa does not contain any data for this website as it is only 13 days old (as of May 2), according to a quick WHOIS lookup.
Sadly, the the creator of the website (and presumably the ad as well) was smart enough to register the website without their information. Unless the mastermind behind this scheme was namecheap.org, it is a dead end for me.
How did such an ad get published?
Google sites prevents you from using the word “google” in your site URL, as it is on their list of forbidden words. The displayed website does not actually exist! Additionally, google sites have “/view/” before the actual website name.
When creating a google ad, you are able to put a display URL and a final URL. This is useful for legitimate users to stop excessive forwarding and unnecessary stress on their website.
The requirement for the final URL being different than the display path is that the website must be the same. In this case, the website is sites.google.com in both cases.
After you create an ad, it is paused by default. Here is what our fake ad looks like:
Once you want to make the ad live, it first goes through an automated filter to check for spam/scam websites. Certain categories of ads get tagged for manual review (i.e gambling and medical related ads) which should stop malicious ads like this.
This is a beautiful display of social engineering by the creator of this ad. They know that the average user searching in Russian may glance over the fact that it is not google.com, but rather sites.google.com. Imagine how not suspicious it would look to you if the description was in English!
How should Google fix this?
A quick fix would be to not allow a display path to be different than the actual path (minus the /view/ part) on the sites.google.com subdomain. However, Google probably (and hopefully) has an algorithm far more complex than just “allowed” and “not allowed”.
We can only hope that google’s filters will be tweaked to stop phishing like this soon!
Big shout out to my Dad for noticing the fishy text and sending it to me instead of clicking on it ;)