Scammers Purchase Google Ads for Phishing Sites

Abusing Google's services and 302 redirects are among the sophisticated tactics recently adopted by scammers for phishing attacks

A wallet with a horse image
Phishing advertisements mimicking the Rabby Wallet spread a Trojan program

Recently, the cybersecurity team SlowMist has reported a new sophisticated strategy recently adopted by some scammers. In collaboration with the Rabby Wallet team, whose product was impersonated in one of the latest phishing attacks, SlowMist uncovered a new sophisticated scheme utilizing Google ads.

As is typical for phishing attacks, the new tactics employed by criminals aim to deceive users into visiting malicious websites. In the case of the Rabby Wallet impersonation, this led to the download of a Trojan. What is particularly noteworthy, however, is the complexity of the phishing strategy.

According to SlowMist, it "exploits Google’s own Firebase short link service’s 302 redirects to deceive Google’s display mechanism." Consequently, when users entered Google search keywords, they were presented with search results where the top two positions were occupied by phishing ads.

Fake Rabby wallet advertisements
Source: SlowMist

Moreover, at first glance, it appeared that the fake advertisements were redirecting users to the official website address of Rabby Wallet. However, after further attempts at clicking on phishing ads and changing proxies to different regions, the cybersecurity team discovered that the ads redirected to a phishing address, which was continually updated and changed. Thus, the dynamic behavior of phishing links varied based on several factors, including the user’s region and browser type.

Read also: Wallet Drainers Can Bypass Security by Exploiting EIP-712 Normalization

"If the request appears to be from a non-standard browser, it redirects to the official address; if the request seems to be from a normal browser and the region is deemed appropriate, it redirects to a phishing address," explained SlowMist in its report. The temporary redirection of a web page to a different URL, known as 302 redirects, was used to outsmart Google’s display mechanisms and circumvent its stringent certification process for third-party tracking links.

SlowMist provided more details on the process, allowing scammers to trick Google’s security mechanisms by abusing its own services.

The first step required the creation of ad campaigns targeting website traffic on Google Ad Manager, which are aimed to appear as "Search" type ads. Criminals carefully choose specific regions to avoid those where they can fall under scrutiny. To redirect users in a flexible and effective way, scammers utilize Google Ads tracking templates.

Additionally, malicious actors create redirect links that appear legitimate to Google's system by leveraging Google's own Firebase short link service. The process is further facilitated by Google’s vulnerability, which does not check in real-time whether the redirect links have changed. Thus, even though redirect links are initially set up as legitimate, they later change when the ad has already been published for a certain period, and Google does not verify this modification.

The phishing campaign mimicking the Rabby Wallet was intended to expose users to the download button visible on the phishing site, which initiated client verification and redirected to the download website with a Trojan backdoor program if the Mac computer environment was detected. This type of malware gives attackers unauthorized access to the infected computer.

Read also: Web3 Security Jobs: Blockchain Security Industry Specialists Wanted

SlowMist warns the crypto community of a similar scheme being used on messaging apps like Telegram, where malicious links are distributed through chats. Although such applications are designed to display the website preview based on fetched information about the link, including its titles, domain, and icon, not all of these software products can block 302 redirects.

"If users make judgments based solely on the page’s information and then click on the link, they might be redirected to a phishing address," SlowMist emphasizes.