Each year Google highlights its ongoing battle against bad actors in its ad ecosystem, publishing an annual ad safety report that outlines broad themes and enforcement action being taken. Last year’s report, for example, touched on AI and its role in identifying and enforcing policies at scale.
Among the most common threats on search are phishing ads, which trick users into surrendering login details by masquerading as legitimate websites. However, recently at PMG we spotted an example that was not only very convincing, but targeting us, advertisers:
This phishing ad looks identical to the legit ad, until you hit the landing page and notice the full URL is wrong, with the page actually being hosted on https://sites.google.com and redirecting users to a fake login flow on an entirely different domain.
This was picked up by Malwarebytes in a comprehensive blog post which I recommend reading. I want to add some additional context on the mechanics of how this (very effectively) exploits the Google Ads system, from the point of view of someone with a passing interest in web security and a professional interest in the Google Ads platform.
The Ad Content
This is a simple one: it seems these groups are just copying and pasting from the official ad, without any of the clear tells you might expect (such as poorly translated text).
The one small giveaway is the lack of a business logo, with the live examples I've seen using the default globe. This may be down to speed, as there can be a delay between adding business information in the Google Ads platform and it being approved and appearing. It’s also something that doesn’t ring alarm bells, as even with a logo added and approved it won’t serve 100% of the time.
The one tell would be hovering over the ad and checking the link hover bar. As this is in the bottom left of the screen, it’s not something you would check given everything looks fine:
There is already an Ad Verification process in place for certain types of advertisers (e.g. financial services), which was no help in this case!
What makes this different from standard phishing ads is the use of the official Google domain, rather than a more obvious knockoff such as ads.goog1e.com.
Manipulating Subdomains
Whilst it’s not shouted about in the industry, it is possible to change the subdomain displayed in an ad. This can have a surprising effect on clickthrough rates, especially if the landing page is hosted on an unappealing or confusing subdomain:
There is little harm in letting advertisers customise the subdomain shown in their ad: the actual domain remains the same, so you always know where you will end up after you click.
This feature becomes an issue when bad actors manage to host their content on trusted domains, as in this case with https://sites.google.com. By manipulating the display URL, they can make it appear as https://ads.google.com, tricking users into believing they are clicking on a legitimate ad.
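As an added illustration (not code from the post or from Malwarebytes), the check below compares the subdomain an ad displays with the host of its final URL and flags the exact pattern described above: same registrable domain (so the single-domain rule is satisfied), a rewritten subdomain, and a landing host where anyone can publish content. The two-label registrable-domain shortcut, the sample URLs and the landing path are assumptions.

```python
from urllib.parse import urlsplit

# Hosts where arbitrary users can publish pages under a trusted organisation's
# domain. sites.google.com is the one named in the post; extend as needed.
SHARED_HOSTING_HOSTS = {"sites.google.com"}


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels of the hostname.
    Assumption for this example; a real check should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def review_ad(display_url: str, final_url: str) -> dict:
    """Compare what an ad shows the user with where the click actually lands."""
    # Display URLs in ads are often written without a scheme; normalise for parsing.
    if "://" not in display_url:
        display_url = "https://" + display_url
    shown = urlsplit(display_url).hostname or ""
    landing = urlsplit(final_url).hostname or ""

    same_domain = registrable_domain(shown) == registrable_domain(landing)
    rewritten = shown != landing
    shared = landing in SHARED_HOSTING_HOSTS
    return {
        "display_host": shown,
        "landing_host": landing,
        "same_registrable_domain": same_domain,
        "subdomain_rewritten": rewritten,
        "landing_on_shared_hosting": shared,
        # Permitted by the single-domain rule, yet the click lands on
        # user-published content under a different subdomain: worth a look.
        "flag": same_domain and rewritten and shared,
    }


if __name__ == "__main__":
    # Constructed sample: display URL mimics the official ad, landing page on Sites.
    print(review_ad("ads.google.com", "https://sites.google.com/view/constructed-example"))
    print(review_ad("ads.google.com", "https://ads.google.com/home/"))
```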
Single Ad Per Domain Rule
This scam also exploits the fact that Google Ads only allows a single ad per domain into the auction (more on this later), which is generally the one with the highest likelihood to win.
This limit makes complete sense, as otherwise advertisers would simply stack multiple ads on keywords to "own the space", delivering terrible user experience. However, while the majority of Google Ads accounts map to a single domain, this is not always the case.
As an example, a larger advertiser may have a full team dedicated to running acquisition campaigns on Google Ads, but their Recruitment team might want to run Google Ads for an upcoming jobs fair. Unsure of the process, they start their own Google Ads account to promote it.
However, thanks to match types (how closely a user’s search query needs to match the keyword), without care this could lead to both accounts competing for the same search queries. This could mean a recruitment ad, rather than an acquisition ad, appearing on a core acquisition search query.
Google Ads does not provide any tools to help advertisers identify this conflict. All the acquisition team would see in this example is a drop in clicks with little to indicate why, and the only real way to diagnose the issue is through live searches and manual observation.
When multiple ads compete to ‘represent’ a domain, the one with the highest ad rank is typically selected. Simply put, ad rank is determined by your bid combined with quality and relevance signals.
When multiple ad accounts using the same domain are competing, something like the below will happen. In this instance Scammer #1 has the best chance to win the auction, and is put forward over the other 5 entrants.
In this scenario, a user will not even see the real ad from Google. They only see a single ad with what appears to be the correct domain, and would (fairly) assume this is the genuine article.
But how are these ads being selected above Google’s official account? This comes down to how bidding works in the platform.
Competing In The Auction
This is a big area, but the crux is that Google encourages advertisers to use automated bidding combined with counting conversions.
Rather than use manual bidding (I will pay up to £1 for a click, which I hope will complete a conversion event), instead you define your target cost per conversion (I will pay up to £50 for a given conversion event) and let Google decide how much to pay per click to meet that goal.
This technology works well, with most accounts seeing better results after transitioning away from manual bidding. It would also be fair to assume the official Google Ads account is making use of this technology.
However, if you want to use automated bidding there are a few things you need to consider:
Conversion tracking, allowing Google Ads to monitor the number of times your conversion event occurs.
Minimum data thresholds, with industry best practice to aim for 30 conversion events over 30 days.
A learning/ramp up period of around 7 days, where the system is learning how best to achieve your target.
If you are running phishing ads and speed is of the essence (getting results before being banned / account recovered), these all present a problem. Instead, it's likely that the scammers are using manual bidding, setting an aggressive bid to beat out the official account.
In most cases, advertisers on manual CPC are at a disadvantage, as automated bidding will set a maximum bid based on a range of signals and the likelihood for the click to result in a conversion event.
As a guide, the below visualises effective ad rank for 5 auctions:
The official account is likely to be setting a more sophisticated bid (resulting in a range of effective ad ranks), whereas the fake advertisers are simply setting an aggressive manual CPC based on how much they’re willing to pay per click (constrained by the daily budget they have available, which I won’t go into).
Due to effective ad rank, in 3/5 auctions the fake ad is likely to be chosen above the official ad to represent the google.com domain. This of course applies to every https://sites.google.com advertiser that enters the auction, and it seems like there were several back in January.
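To make the single-ad-per-domain selection and the auction outcome above concrete, here is an added Python simulation (my own illustration, not Google's algorithm or any code from the post). Ad rank is modelled simply as bid multiplied by a quality score, the official account's automated bid varies per auction while the scammer's manual CPC is fixed, and the bid and quality values are constructed to reproduce the 3/5 split described above.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Ad:
    account: str
    final_url: str
    bid: float      # max CPC for this auction, GBP
    quality: float  # simplified quality/relevance score, 1-10 (assumption)

    def ad_rank(self) -> float:
        # Simplified model from the post: bid combined with quality signals
        return self.bid * self.quality


def registrable_domain(url: str) -> str:
    """Last two labels of the host: a simplification standing in for the PSL."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def select_domain_representatives(ads: list[Ad]) -> dict[str, Ad]:
    """Only one ad per domain enters the auction: the one with the highest ad rank."""
    best: dict[str, Ad] = {}
    for ad in ads:
        dom = registrable_domain(ad.final_url)
        if dom not in best or ad.ad_rank() > best[dom].ad_rank():
            best[dom] = ad
    return best


def run_auctions(official_bids: list[float], scammer_bids: dict[str, float],
                 official_quality: float = 9.0, scammer_quality: float = 6.0) -> list[str]:
    """Replay one auction per official bid. Automated bidding gives the official
    account a different effective bid each time; each scammer's manual CPC is fixed.
    Returns which account represents google.com in each auction."""
    winners = []
    for bid in official_bids:
        ads = [Ad("official", "https://ads.google.com/home/", bid, official_quality)]
        for name, cpc in scammer_bids.items():
            # Constructed landing path on the shared-hosting subdomain
            ads.append(Ad(name, "https://sites.google.com/view/example", cpc, scammer_quality))
        winners.append(select_domain_representatives(ads)["google.com"].account)
    return winners


if __name__ == "__main__":
    # Constructed values: official 18, 40.5, 13.5, 45, 22.5 vs scammer1 at 24
    print(run_auctions([2.0, 4.5, 1.5, 5.0, 2.5], {"scammer1": 4.0, "scammer2": 3.0}))
```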
Landing Page
Malwarebytes covers this section well so I won’t reiterate, but when you reach the fake landing page (a duplicate of the real thing), you might notice something is off.
The main tell is an inaccurate domain, but there are some slight differences on the page itself and a non-standard login flow once you are sent out from the https://sites.google.com domain.
Is This Still Happening?
As of 03/02/2025 I have not been able to find a live example of these fake ads using the official google.com domain, whereas in mid-January, we spotted several.
Given how legitimate these ads look, it makes sense Google would quickly crack down on this through multiple enforcement measures, given they are hosting both the ad platform and landing pages.
This does raise broader points around protecting all types of users from bad actors. Should there be greater scrutiny on ads that appear for login-related queries? Competitor bidding is a thorny subject, but impersonation is completely different. It will also be interesting to see this year’s ad safety report and how Google has been using AI to better stay ahead of those looking to exploit their systems (although, as this case shows, it’s a constant battle).
Whilst bookmarking helps protect against vectors like this, user behaviour is never “perfect”, and hosting indistinguishable phishing ads like these is a serious risk.
As with anything on the internet, always be careful on what you click on!