Feb 01, 2025 | Ravie Lakshmanan | Malvertising / Mobile Security
Cybersecurity researchers have discovered a malicious campaign that targets Microsoft advertisers with bogus Google ads, redirecting them to phishing websites designed to steal their credentials.
"These malicious ads, appearing on Google Search, are designed to take the registration details of people trying to access Microsoft's advertising platform," Jérôme Segura, senior director of research at Malwarebytes, said in a Thursday statement.
The findings come a few weeks after the security firm revealed a similar campaign that used sponsored Google Ads to target individuals and businesses advertising through the search giant's own platform.
The latest set of attacks targets users who search for terms like "Microsoft Ads" on Google Search, attempting to trick them into clicking on malicious links that appear as sponsored results on the search results page.
The threat actors behind the campaign also employ several techniques to evade detection by security tools. These include redirecting traffic that arrives from VPNs to a decoy marketing site, and presenting Cloudflare challenges to visitors in an effort to screen out bots. In practice this means automated crawlers and analysts working from VPN or cloud egress ranges see a harmless page; the phishing chain only completes for traffic that looks like an ordinary residential user.
Users who attempt to access the final landing page ("ads.mcrosoftt[.]") directly, rather than through the ad chain, are rickrolled: a redirect sends them to a YouTube video featuring a well-known internet meme.
The phishing page is a lookalike of its legitimate counterpart ("ads.microsoft[.]com") and is designed to capture the victim's login credentials and two-factor authentication (2FA) codes, granting the attackers the ability to hijack their accounts. Capturing the one-time code alongside the password lets the attackers complete the sign-in within the code's validity window; only phishing-resistant second factors such as FIDO2 security keys or passkeys, which are bound to the legitimate origin, defeat a lookalike page of this kind.
Malwarebytes said it found additional phishing infrastructure targeting Microsoft accounts dating back a few years, suggesting the campaign has been ongoing for some time and may have also targeted other advertising platforms such as Meta.
Another notable characteristic is that the majority of the phishing domains are either hosted in Brazil or use the ".com.br" Brazilian top-level domain (TLD), drawing parallels to the campaign aimed at Google Ads users, which was mostly hosted on the ".pt" TLD.
The Hacker News has reached out to Google for comment. The company previously told The Hacker News that it continuously works to implement countermeasures against such efforts and that it takes action against ads that attempt to deceive users with the aim of stealing their information.
Smishing Attacks Impersonate USPS
The disclosure coincides with the discovery of a new SMS phishing (smishing) campaign that impersonates the United States Postal Service (USPS) to target mobile device users.
"This campaign uses complex social engineering techniques and a never-before-seen means of obfuscation to deliver harmful PDF files intended to steal credentials and compromise sensitive data," Zimperium zLabs researcher Fernando Ortega said in a report published this week.
The messages urge recipients to update their address in order to complete a delivery, and arrive with a PDF attachment. Embedded within the PDF is a "Click Update" button that directs the victim to a USPS phishing web page, where they are asked to enter their mailing address, email address, and phone number.
The phishing page is also designed to harvest credit card information under the guise of a service fee for redelivery. The data is then encrypted and sent to a remote server under the attacker's control. The volume of malicious PDFs and phishing pages detected as part of the campaign points to a large-scale operation.
Ortega noted that the PDFs used in this campaign embed clickable links without using the industry-standard /URI tag, making it more challenging to extract URLs during analysis. This technique allowed known malicious URLs inside the PDF files to evade detection by several endpoint security solutions. The practical lesson for defenders is that a PDF scanner which only extracts /URI actions is not enough: a link can also be expressed through other action types (such as /JavaScript or /Launch), and URL strings can sit inside compressed content streams where a plain grep never sees them.
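The following Python script is an added example written for this page; it is not Zimperium's tooling and makes no claim about the specific technique the USPS PDFs used. It shows why /URI-only extraction is insufficient by checking three places a link can live: the standard /URI action, a /Link annotation whose action is something other than /URI, and URL-looking strings inside FlateDecode-compressed streams. The two sample PDFs are constructed inline (minimal, with no xref table) and the domains in them are placeholders; the JavaScript `app.launchURL` action is used purely as one illustrative non-/URI way to carry a link. Object streams, encryption, and split or hex-encoded strings are assumed out of scope, so treat this as a triage helper rather than a full parser.

```python
"""Triage helper: find URLs in a PDF that a /URI-only extractor would miss.

Added example, not Zimperium's code. Three places a link can hide:
  1. an ordinary /URI action (what most extractors look for),
  2. a /Link annotation whose action is not /URI (e.g. /JavaScript, /Launch),
  3. URL-looking strings inside FlateDecode-compressed streams.
Assumed out of scope: object streams (/ObjStm), encryption, hex or split strings.
"""
import re
import zlib

# /URI (https://...) inside an action dictionary
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")
# Any URL-looking literal; parentheses are excluded from the class so PDF
# string delimiters are not swallowed into the match.
URL_LITERAL = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")
# Raw stream bodies between "stream" and "endstream"
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# One /Link annotation object, from /Subtype /Link to the closing >> endobj
LINK_ANNOT = re.compile(rb"/Subtype\s*/Link.*?>>\s*endobj", re.DOTALL)


def inflate_streams(data: bytes) -> list[bytes]:
    """Return every stream body, zlib-inflated when it is FlateDecode data."""
    bodies = []
    for m in STREAM_BODY.finditer(data):
        body = m.group(1)
        try:
            bodies.append(zlib.decompress(body))
        except zlib.error:
            bodies.append(body)  # uncompressed, or a filter we do not handle
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Report declared /URI targets, non-/URI link annotations, and hidden URLs."""
    declared = {m.group(1) for m in URI_ACTION.finditer(data)}
    non_uri_links = sum(
        1 for m in LINK_ANNOT.finditer(data) if b"/URI" not in m.group(0)
    )
    hidden = set()
    # Scan the raw file and every inflated stream for URLs not declared via /URI
    for chunk in [data, *inflate_streams(data)]:
        for m in URL_LITERAL.finditer(chunk):
            if m.group(0) not in declared:
                hidden.add(m.group(0))
    return {
        "uri_actions": sorted(declared),
        "non_uri_link_annots": non_uri_links,
        "hidden_urls": sorted(hidden),
    }


# --- constructed sample PDFs (minimal, no xref table; enough for regex triage) ---
def _minimal_pdf(link_action: bytes, extra_objects: bytes = b"") -> bytes:
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 200 80] /A "
        + link_action + b" >>\nendobj\n"
        + extra_objects
        + b"%%EOF\n"
    )


# Benign: the link uses the standard /URI action, so any extractor sees it.
BENIGN_PDF = _minimal_pdf(b"<< /S /URI /URI (https://example.org/track) >>")

# Suspect (constructed): the link fires a JavaScript action instead of /URI,
# and a compressed content stream carries a second URL as page text.
_compressed_text = zlib.compress(
    b"BT /F1 12 Tf 72 700 Td (Visit https://example.com/verify) Tj ET"
)
SUSPECT_PDF = _minimal_pdf(
    b'<< /S /JavaScript /JS (app.launchURL\\("https://example.net/update"\\)) >>',
    b"5 0 obj << /Length " + str(len(_compressed_text)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _compressed_text
    + b"\nendstream\nendobj\n",
)

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(name, scan_pdf(pdf))
```

Run against the benign sample, `scan_pdf` reports the one /URI target and nothing else; against the suspect sample it reports no /URI actions at all, one /Link annotation with a non-/URI action, and both URLs that a /URI-only extractor would have missed. A production scanner should walk the object tree with a real PDF parser instead of regexes, but the three categories of finding are the ones worth alerting on.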
The activity highlights how cybercriminals are mounting social engineering attacks that capitalize on users' trust in well-known brands and official-looking communications, while exploiting security gaps in mobile devices.
Similar USPS-themed smishing attacks have also used Apple's iMessage to deliver the phishing pages, a technique known to be adopted by a Chinese-speaking threat actor.
Such messages also cleverly attempt to bypass a safety measure in iMessage that prevents links from being clicked unless they come from a known sender or the user has replied to the message. This is accomplished by including a "Please reply to Y" or "Please reply to 1" prompt, so that the victim's reply turns off iMessage's built-in phishing protection for that conversation.
It's worth noting that this tactic has previously been linked to a phishing-as-a-service (PhaaS) toolkit that has been extensively used to target postal services like USPS and other well-established organizations in more than 100 countries.
"The scammers have constructed this attack relatively well, which is probably why it's being seen so frequently in the wild," Huntress researcher Truman Kain said. "The simple truth is it's working."