Hackers Are Using Google To Steal Microsoft Passwords

Update, Feb. 3, 2025: This story, originally published Jan. 31, has been updated with a statement from Google regarding the Microsoft password-stealing campaign.

There are myriad ways to steal passwords, from sophisticated AI-driven attacks against Gmail users to invisible hacking threats and fake CAPTCHA tests. What you might not expect, however, is for a hacker to deploy Google against Microsoft users in order to access account passwords. But when it comes to cybersecurity, you should always expect the unexpected. Here’s what you need to know.

Security researchers at Malwarebytes seem to have the knack when it comes to uncovering devious hacking attacks that target account passwords using malicious advertising as the stepping stone to credential theft. I recently reported how a “perpetual hack attack” identified by Jérôme Segura, senior director of research at Malwarebytes, saw hackers disguise themselves as fake Google Ads login pages to fool advertisers, who were then phished for their account credentials. Now, it seems a similar attack has been ongoing that targets Microsoft advertiser accounts by way of fake adverts turning up on Google search. “These malicious ads, appearing on Google Search,” Segura said, “are designed to steal the login information of users trying to access Microsoft’s advertising platform.”

It’s no secret that there’s an ongoing business bun-fight between Google and Microsoft when it comes to the advertising ecosystem, and Microsoft purchases ad space from Google in order to earn clicks from those searches. What the Malwarebytes researchers discovered, however, was that sponsored results on Google for searches of Microsoft Ads returned ads containing malicious links that had slipped through Google’s strict protections. “We have reported these incidents to Google,” Segura said, and I have reached out to Microsoft for a statement.

“We expressly prohibit ads that aim to deceive people and we suspend advertisers’ accounts if they are found to engage in this practice, as we have done here,” a Google spokesperson said.

Segura recounted how threat actors are “using different techniques to evade detection and drop traffic from bots, security scanners and crawlers.” Anyone using a VPN is directed to a “white page” that contains bogus marketing, while “genuine” users are redirected to a cloaking page that requires an “Are you human?” verification check. Finally, they get redirected to an entry page for a malicious domain impersonating the Microsoft ads platform login. “The phishing page gives users a fake error message enticing them to reset their password,” Segura warned, as well as attempting to bypass any two-factor authentication protections.

Segura said that this could just be the tip of a very concerning iceberg, with accounts other than Google Ads and Microsoft Ads being targeted to steal passwords. “These recent malvertising campaigns highlight the ongoing threat of phishing through online advertising,” Segura concluded. “While tech companies like Google work to combat these issues, users must remain vigilant.”

Segura recommended the following mitigation approaches:

When I last reported on these types of attacks that use malvertising as a route to stealing your passwords, Google told me that it has a misrepresentation policy that doesn’t allow advertisers to run advertisements that scam users, whether by concealing information about the advertiser’s business, product or service in question. Google has specialist teams in place to monitor infringements and told me, for background, that they are aware of these malicious ad campaigns and continue to take enforcement measures against them. Both malicious adverts and associated accounts are actively reviewed, and appropriate actions are taken as a consequence.
