How Attackers Are Exploiting Google Ads To Serve Up Spam And Illicit Websites
The Google Ads platform, which places ads on sites all across the Web, gives admin users the ability to invite other Google users to manage their Google Ads accounts. These invitations are sent over email by an official Google email address: ads-noreply@google.com. What some bad actors seem to have figured out is that these emails conveniently pass through Gmail’s spam filters, since Google doesn’t filter emails sent from its own domain.
These Google Ads account access invitations include links to the website associated with each account, prompting recipients to click through to said website. The websites linked in these spam invitations display lewd images and ask visitors to enter their information to see more. Any information collected by these pages will most likely be exploited for nefarious purposes.
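Because the sender address is genuine, a mail-triage check has to look at where the invitation links rather than who sent it. The sketch below is an added example, not code from Google or from the original article: it takes a message from ads-noreply@google.com and lists every linked host that is not under google.com. The sample message, the `TRUSTED_SUFFIXES` list, the function names and the `example.test` host are constructed for illustration, and the check assumes the From header has already been authenticated upstream.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

INVITE_SENDER = "ads-noreply@google.com"  # sender address named in the article
# Assumption: hosts treated as Google's own; tune for your environment.
TRUSTED_SUFFIXES = ("google.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message (not a real invitation); hosts are placeholders.
SAMPLE = """\
From: Google Ads <ads-noreply@google.com>
To: user@example.org
Subject: You received an invitation to access a Google Ads account
Content-Type: text/plain; charset="utf-8"

You have been invited to access the Google Ads account for
http://unknown-site.example.test/see-more
Accept the invitation: https://ads.google.com/placeholder-invite
"""

def is_trusted(host):
    """True if host is a trusted suffix or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def external_links(raw_message):
    """Return non-Google hosts linked from a Google Ads invitation, else []."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != INVITE_SENDER:
        return []  # not the invitation sender; out of scope for this check
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname
            if host and not is_trusted(host) and host not in hosts:
                hosts.append(host)
    return hosts

if __name__ == "__main__":
    for h in external_links(SAMPLE):
        print("review before clicking:", h)
```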
In a statement to BleepingComputer, a Google spokesperson said, “Our security teams are aware of this spam content and are working hard, as always, to stay ahead and keep our users safe. We have strict Google Ads policies against misrepresentation and have taken appropriate action. We encourage users to report messages when they receive emails containing spam links to help us take appropriate action on accounts involved in the spam.”