Google Ads invites are being abused to deliver spam emails promoting adult websites to users who do not necessarily use Google's advertising platforms at all.
The Google Ads platform lets advertisers run advertising campaigns on publisher partners' websites and in Google search results.
In the recently observed, widespread campaign, threat actors use the Google Ads admin interface to send bulk email invitations. Because the messages are generated and sent by Google's own mail infrastructure, they pass recipients' spam filters.
Careful with that invite!
Users around the world are reporting unexpected invitation emails that genuinely come from Google Ads accounts, and the messages are catching their attention.
These bogus invite emails, sent from Google's servers, entice recipients to visit spam links contained in the message.
"The mail is sent from official Google address 'Google Ads ads-account-noreply@google.com'," writes Redditor erohtar.
"A few weeks back my boss gave me access to the company's Google Ads account, so I'm familiar with this email. It's legit, actually sent by Google, and it WILL give me access to the scammer's Google Ads account."
Many others have reported receiving identical emails, leaving them frustrated:
"I've been trashing the emails but it would be nice if Google would get a handle on their products so their users aren't having to constantly guard against phishing scams," commented Brandon on a Google community forum thread started by another affected person.
Websites promote adult content
Google Ads account administrators can use the "invitations" feature to add new users to the account's admin interface; Google generates and emails the invite on the administrator's behalf.
But clever threat actors have evidently found yet another way to misuse the feature for their own ends.
The URLs contained in these invite emails ultimately redirected users to dodgy websites pushing adult dating sites, many of which appear designed to harvest visitors' personal information.
It might be tempting to report these emails as spam or phishing, but that isn't the solution: they come from the same Google sender address that legitimate Google Ads invitations use, so blocking it may also block legitimate emails from Google.
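As an added example that is not part of the original article (and not Google's code), here is a Python triage routine for a mail gateway or SOC playbook that applies the advice above: it does not block the Google sender, it checks that the message really was relayed through Google, and it flags an invite only when the body links to hosts outside an allowlist. The sender address is the one quoted in the reader report above; the allowlist, the sample messages and the exact Authentication-Results wording are assumptions made for illustration.

```python
"""
Triage Google Ads invitation emails by content rather than by sender.

Constructed example (not code from the article or from Google): it keeps the
genuine sender allowed, verifies the message was relayed through Google
(spf=pass and dkim=pass recorded by the receiving gateway), and flags an
invite only when its body links to hosts outside an assumed allowlist.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender address quoted in the article's reader report.
GOOGLE_ADS_INVITE_SENDER = "ads-account-noreply@google.com"

# ASSUMPTION: hosts a genuine invite is expected to link to. Adjust for your
# environment; subdomains of each entry are accepted as well.
TRUSTED_LINK_HOSTS = {"google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def parse(raw):
    """Parse an RFC 5322 message from a string."""
    return message_from_string(raw)


def sender_address(msg):
    return parseaddr(msg.get("From", ""))[1].lower()


def passes_authentication(msg):
    """True when the receiving MTA recorded spf=pass and dkim=pass.

    A From header alone can be forged; this relies on the Authentication-Results
    header written by your own mail gateway, not on anything the sender supplied.
    """
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return bool(re.search(r"\bspf=pass\b", results)) and bool(re.search(r"\bdkim=pass\b", results))


def body_text(msg):
    """Concatenate text/plain and text/html parts, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def host_is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)


def untrusted_links(msg):
    """Every URL in the body whose host is not on the allowlist, sorted."""
    return sorted({u for u in URL_RE.findall(body_text(msg)) if not host_is_trusted(urlparse(u).hostname)})


def triage(raw):
    """Return one of: not-an-ads-invite, spoofed, suspicious-invite, legitimate-invite."""
    msg = parse(raw)
    if sender_address(msg) != GOOGLE_ADS_INVITE_SENDER:
        return "not-an-ads-invite"
    if not passes_authentication(msg):
        return "spoofed"          # uses Google's sender address but was not relayed by Google
    return "suspicious-invite" if untrusted_links(msg) else "legitimate-invite"


# Constructed sample messages for demonstration (not real captured mail).
_HEADERS = (
    "From: Google Ads <ads-account-noreply@google.com>\n"
    "To: alice@example.com\n"
    "Subject: You've been invited to access a Google Ads account\n"
    "Content-Type: text/plain; charset=utf-8\n"
)
_AUTH_PASS = "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com\n"
_AUTH_FAIL = "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=google.com; dkim=none\n"

LEGIT_INVITE = _HEADERS + _AUTH_PASS + "\nExample Corp invited you to their Google Ads account.\nAccept: https://ads.google.com/invite/abc123\n"
SPAM_INVITE = _HEADERS + _AUTH_PASS + "\nHot singles near you: https://dating-offers.example/now\nAccept: https://ads.google.com/invite/abc123\n"
SPOOFED_INVITE = _HEADERS + _AUTH_FAIL + "\nAccept: https://ads.google.com/invite/abc123\n"
UNRELATED_MAIL = "From: bob@example.net\nTo: alice@example.com\nSubject: lunch\n\nhttps://dating-offers.example/now\n"

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_INVITE), ("spam", SPAM_INVITE), ("spoofed", SPOOFED_INVITE), ("unrelated", UNRELATED_MAIL)]:
        print(f"{name:9s} -> {triage(raw)}")
```

Route "suspicious-invite" to quarantine for analyst review rather than dropping it outright, and keep "spoofed" as a separate verdict: the article's campaign involves real Google mail, and a rule that only keys on the From header would miss that distinction in both directions.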
To better understand the issue and how Google plans on remedying it, BleepingComputer emailed Google well in advance of publishing.
"Our security teams are aware of this spam content and are working hard, as always, to stay ahead and keep our users safe," a Google spokesperson said in a statement to BleepingComputer.
"We have strict Google Ads policies against misrepresentation and have taken appropriate action. We encourage users to report messages when they receive emails containing spam links to help us take appropriate action on accounts involved in the spam."
Users should stay alert and refrain from clicking links or opening attachments in unexpected emails, even when those emails appear to, or in fact do, originate from authentic Google servers: an authenticated sender vouches for the delivery path, not for the content of the message.
Update Jan 23 2023, 8:57 PM: Added Google's statement received after publishing.
Comments
Poco_Loco - 1 year ago
"designed to collect personal information from visitors"... When Google Analytics is doing this, everything is OK, but when someone else does it, it's bad?
edmoncu - 1 year ago
It's a new haven for threat actors to exploit Google's overacting ad-driven campaign on everything. Some Google ads on websites (e.g. Sportskeeda) are even posting fake shopping sites with either thumbnails of pornographic or just graphic images.