Agency buyers who manage portfolios of Google Ads and Merchant Center accounts are being targeted by sophisticated scam artists who hijack those accounts, drain client funds and sometimes lock out admins for weeks or even months.
That’s according to three ad buyers who spoke with AdExchanger anonymously for fear of potential reprisals by Google.
This problem isn’t exactly new, though.
The three agency execs who spoke with AdExchanger each had their accounts taken over between August and October. But similar fraudsters have been active since at least late last year, when cybersecurity business Malwarebytes first documented the issue and when an entirely different set of advertisers told AdExchanger they had suffered from account lockout attacks.
Last year, the attack vector came via fraudulent Google Search links. It’s a common practice – albeit a bad one – that people will type snippets like “Google Merchant Center” or “google account login” into a search bar and then click the first result on the page.
Usually, that’s a sponsored or organic link that leads to the real login page. But scammers would create convincing fake Google sign-in pages and make the sponsored link text appear as “ads.google.com” to capture traffic. When buyers entered their username and password, they’d encounter what looked like the usual two-factor authentication request, but it would actually originate from outside the US, most often Brazil. Buyers often didn’t notice and approved the two-factor login.
Oops.
Once the scammers get access, they lock everyone else out of the account and funnel the money back to themselves as well as spend it on phishing ads, while covering their tracks by erasing all campaign and reporting data.
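A defender-side check for the sign-in pattern described above, added here as an example and not part of the original article: build each buyer's baseline of login countries, then flag two-factor prompts raised from a country that buyer has never logged in from. The log field names and the sample events are constructed for illustration; real identity-provider audit logs would need to be mapped onto them.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class LoginEvent:
    """One step of a sign-in attempt, as a defender might pull it from
    identity-provider audit logs (field names are an assumption)."""
    user: str
    ts: datetime
    step: str      # "password_ok" or "mfa_prompt"
    country: str   # geolocated origin of the request, ISO 3166 alpha-2

def build_baseline(events, before):
    """Countries each user completed a password step from before `before`.
    Events at or after `before` form the window we want to examine."""
    baseline = defaultdict(set)
    for e in events:
        if e.step == "password_ok" and e.ts < before:
            baseline[e.user].add(e.country)
    return baseline

def flag_foreign_mfa(events, baseline, since):
    """Return (user, ts, country) for MFA prompts raised from a country the
    user has no login history from. In the takeover chain described above the
    attacker replays the stolen password from their own location, so the
    prompt the buyer approves carries the attacker's country, not the buyer's."""
    return [
        (e.user, e.ts, e.country)
        for e in sorted(events, key=lambda e: e.ts)
        if e.step == "mfa_prompt"
        and e.ts >= since
        and e.country not in baseline.get(e.user, set())
    ]

# Constructed sample: a US-based buyer with normal logins in September, then a
# password replay and 2FA prompt from BR after visiting a look-alike page.
CUTOFF = datetime(2024, 10, 1)
SAMPLE_EVENTS = [
    LoginEvent("buyer@agency.example", datetime(2024, 9, 3, 9, 0), "password_ok", "US"),
    LoginEvent("buyer@agency.example", datetime(2024, 9, 3, 9, 0, 5), "mfa_prompt", "US"),
    LoginEvent("buyer@agency.example", datetime(2024, 9, 17, 8, 45), "password_ok", "US"),
    LoginEvent("buyer@agency.example", datetime(2024, 9, 17, 8, 45, 4), "mfa_prompt", "US"),
    LoginEvent("buyer@agency.example", datetime(2024, 10, 2, 14, 12), "password_ok", "BR"),
    LoginEvent("buyer@agency.example", datetime(2024, 10, 2, 14, 12, 3), "mfa_prompt", "BR"),
]

def findings_for_sample():
    """Run the check over the constructed sample; returns the one BR prompt."""
    return flag_foreign_mfa(SAMPLE_EVENTS, build_baseline(SAMPLE_EVENTS, CUTOFF), CUTOFF)
```

The same logic applied to the password step alone would also fire, but the prompt is the event the buyer actively approves, which is why it is the one worth alerting on.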
Phase two
But the newer takeover scams reported to AdExchanger didn’t come via Google Search.
Two of the agency buyers said they’re confident that Gmail is the root of the problem in this case. One buyer said they believe their account was likely hacked using a Gmail ad, while the other said the attack stemmed from a phishing attempt disguised as a Google Merchant Center customer service request.
Another theory is that the attacker seized accounts via a Salesforce integration.
Google itself warned advertisers about another attack vehicle for a similar fraud strategy. An October blog post documents a cluster of “threat actors” in Vietnam that were taking over Google advertiser and merchant accounts through fake job listings and ads. Those fraudsters targeted part-time, freelance or contract ad-buying pros who had access to account systems on their laptop or phone.
Once the malware was delivered, those accounts would be hijacked in much the same way.
But, according to Google, these things happen and when they do, it deals with them.
“Just like consumers, our Ads customers can face threats from bad actors looking to gain access to their accounts, which is why we use advanced techniques to stay ahead of these evolving tactics,” a Google spokesperson told AdExchanger. “If an account is compromised, our dedicated teams work to secure it, restore advertiser access and issue credits as necessary.”
What exactly is going on now?
The newest iteration of Google account takeover fraud via Gmail and/or other integrations is more difficult to pin down compared to the attacks from late last year and early this year. Those were immediately and accurately diagnosed by agencies.
The advertisers involved in these recent attacks were uncertain about the origin of the malware they were attacked with.
As one advertiser put it to AdExchanger, the tactics used by the scammers are “black-boxed,” because there is very little support or documentation forthcoming from Google about how the attackers got in or what they did in the accounts afterward.
All three execs who spoke with AdExchanger said they were the ones who first alerted Google to the problem and not the other way around. Each still has client accounts their agency can’t access, so they can’t set up or run any new campaigns, even though the fraudsters have already been banished from those accounts.
In terms of where the money went, none have been updated by Google or found evidence in their accounts.
“They must know on the back end exactly where that fraudulent money was spent,” one agency exec told AdExchanger. But there’s no doubt that some portion of the spend goes toward perpetuating the fraud. The next victim’s malware is delivered via Google Search ads or Gmail ads, and these ads are paid for by the current victims.
But all three execs have their own different theories about what else the money might have been spent on. For example, one agency buyer said an affected account had spent at least part of the client’s budget on click-based ads leading to other sites, which he suspects are scammy sites where the fraudster is collecting ad spend as a publisher.
None of the others have seen campaign reports or anything that documents the illicit spend.
The losses
It also remains unclear how many legit advertisers remain locked out of accounts.
One exec whose agency was affected said they’ve kept the matter hush-hush so as not to cause a stir and because “we spend a considerable amount of money with Google, so we need to walk a fine line in terms of how we deal with them.”
Given how much these agencies spend with Google each year – and how much they’ve lost to fraudsters – you’d think they’d be entitled to at least basic customer service as a matter of course. But, actually, they have to work for it.
The main priority for agency buyers is to protect and maintain the human customer support contacts they’ve managed to make at Google through blood, sweat and tears. They’re concerned that publicly complaining about the issues they’re experiencing on Google’s platform could leave them stuck with a cold shoulder or a chatbot that’s incapable of completing a ticket.
For a sense of scale, two of the agency execs claim they lost millions to fraud within their Merchant Center accounts, none of which has been refunded. Another said that because their daily budgets were relatively low, in the tens of thousands of dollars, total losses were below $1 million.
However, recouping ad credits is “actually secondary to getting account access back,” said one exec. He added that he’s confident his agency will someday recoup at least part of those fraudulently misappropriated millions in the form of ad credits once the primary issue is dealt with.
Another agency leader who saw takeover scammers spend millions of dollars in client budgets said his agency spends a nine-figure sum on Google media per year. Being such a big spender has helped the agency get some human support, they said, but “there really is no way to escalate above a low-level human.”
Some advertisers, meanwhile, have no hope of recouping ad credits.
After all, one acknowledged, these unfortunate situations do come down to user error. Someone trusted a Google Search ad or a Gmail ad and actively approved a two-factor authentication request coming from a different country or continent.
“Google didn’t let them in,” one agency buyer said of the scammers. “Someone over here effed up.”
On the other hand, Google profits handsomely from the situation. Not only are scammers using Google’s platform tools to buy Google media, but brands also refill their accounts with more ad budget. In fact, all three agency execs said they’ve mostly already covered their clients’ losses. If Google refunds an agency or advertiser, it does so only in part and only in the form of Google ad credits.
Which is related to what one agency exec said is the most frustrating aspect of account takeover fraud.
Months after the account takeovers were first reported to Google and the fraudsters were booted out with all new passwords, logins and two-factor credentials, one of the agency execs that AdExchanger spoke to said their business remains “frozen” with some of its most important clients.
“The lack of urgency on [Google’s] part has been pretty crazy,” they added.