Summary: Security researchers at Malwarebytes have uncovered a malvertising campaign targeting Microsoft advertisers with fake Google ads that lead to phishing sites designed to steal login credentials. These malicious ads appear in Google Search results, specifically targeting users searching for terms like "Microsoft Ads." The attackers use various tactics to avoid detection, such as redirecting VPN traffic to a fake marketing site and serving Cloudflare challenges to block bots. This discovery follows a similar campaign that used sponsored Google Ads to target individuals and businesses alike.
Security Officer Comments: According to Malwarebytes, after passing the Cloudflare checks, users are redirected to a phishing page through a special URL linked to a malicious domain, ads[.]mcrosoftt[.]com. If visited directly, the domain leads to a popular internet meme, the "rickroll." However, after bypassing this diversion, real victims are eventually shown a fake Microsoft Advertising login page. The URL mimics the legitimate Microsoft domain (ads[.]microsoft[.]com), and the page displays a bogus error message urging users to reset their passwords, while also attempting to bypass two-factor authentication by convincing victims to enter the code generated by their authenticator application.
Suggested Corrections: Recommendations from Malwarebytes:
- Verify URLs: Always carefully examine the URL in your browser’s address bar before entering any credentials. Scrutinize URLs for inconsistencies or misspellings.
- Use 2-Step verification wisely: it adds an extra layer of security to your accounts, but you still need to pay attention to requests before granting them access.
- Regularly monitor your accounts: Check your advertising accounts for any suspicious activity such as changes in administrator accounts.
- Report Ads: If you encounter a suspicious ad, report it to for the benefit of other users.
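The misspelling check behind the "Verify URLs" advice can also be run by defenders over proxy or DNS logs. The Python below is an added example, not code from Malwarebytes or from this summary; the allowlist, the distance threshold, the naive last-two-labels domain split and every sample hostname other than the two domains named above are assumptions or constructed.

```python
# Added example: flag hostnames whose second-level label is a near-miss of a
# protected brand, as with ads[.]mcrosoftt[.]com vs ads[.]microsoft[.]com.
PROTECTED = {"microsoft.com"}  # assumption: domains your users legitimately log in to
MAX_DISTANCE = 2               # assumption: edits tolerated before a name stops resembling the brand

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[len(b)]

def registrable(host: str) -> str:
    """Refang and keep the last two labels (naive; production code should use the Public Suffix List)."""
    labels = host.lower().replace("[.]", ".").strip(".").split(".")
    return ".".join(labels[-2:])

def classify(host: str) -> str:
    """Return 'legit', 'lookalike:<brand>' or 'unrelated' for one hostname."""
    reg = registrable(host)
    if reg in PROTECTED:
        return "legit"
    label = reg.split(".")[0]
    for brand in sorted(PROTECTED):
        # Compare only the label left of the suffix, so the brand on another TLD is flagged too.
        if osa_distance(label, brand.split(".")[0]) <= MAX_DISTANCE:
            return f"lookalike:{brand}"
    return "unrelated"

# Constructed sample hostnames, except the two domains named in the advisory.
SAMPLE_HOSTS = [
    "ads[.]microsoft[.]com",
    "ads[.]mcrosoftt[.]com",
    "login.micorsoft.example",
    "www.example.org",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:28} {classify(h)}")
```

Every legitimate domain of the brand must be in the allowlist, otherwise the brand's own alternate domains are reported as lookalikes.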
Link(s): https://www.malwarebytes.com/blog/n...-advertisers-phished-via-malicious-google-ads