With its unrivaled search algorithm, Google occupies 92% of the global search engine market and is favored by many internet users. Consequently, websites exposed at the top of search results by Google’s algorithm are visited by tens of thousands or even millions of Google search engine users a day. Google is constantly improving its algorithm to exclude malicious or phishing sites from top exposure. Still, cyber attackers skillfully abuse Google’s exposure logic to allow as many victims as possible to visit malicious websites. Among them, phishing website attacks that abuse Google Ads are malicious attack methods that continue to increase.
Recently, the security news outlet Bleeping Computer reported that Bitwarden password vaults were targeted in Google Ads phishing attacks to steal users’ credentials. Many other search engine users have also fallen victim to phishing and fraud that exploit Google Ads, yet such cleverly created fake sites continue to appear at the top of Google search results without appropriate measures being taken.
MetaMask Phishing Sites on Google Search Ads
MetaMask is a popular cryptocurrency wallet provider with more than 3 million monthly visitors. Many users access the MetaMask website through the Google search engine. When you search for ‘MetaMask’ or ‘MetaMask Wallet’ on Google, you will undoubtedly expect MetaMask’s official website to be shown. If the site at the top of the results has an entirely different title or description, users will scroll to find the website they want, but what if the search result is displayed with the same title and description as the official site?
In fact, MetaMask Google Ads phishing incidents have been reported several times since 2020. After the phishing site ads are blocked, the attacker continues the attack by exposing ads using a new domain after a certain time. Let’s look at Google search results in Korea, a case of MetaMask Google Ads scam we found. As shown in the image below, if you enter “메타 마스크,” which means MetaMask in Korean, into the Google search box, the website with the title MetaMask is displayed with an “Ad” mark at the top of the search results.

Google users could click on the site exposed at the top with little doubt to access MetaMask. However, if you access this website, you will be connected to a fake website, not the official website of MetaMask, as shown below.

Can users who click on Google search Ads find anything strange after accessing it? It will be hard. Compared to the actual MetaMask website, the favicon, title, and web UI/UX are all made the same.
The only thing that is bound to differ from the official website is the URL. The Google Ads phishing site uses the URL mètamaśk[.]com to look as similar as possible to the actual website. At first glance, it is difficult to distinguish it from the actual website URL, metamask.io, but upon closer inspection, ‘è’ and ‘ś’ are used instead of ‘e’ and ‘s.’
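The accented-letter substitution described above can be checked mechanically. The following Python sketch is an added example, not part of the original article or of Criminal IP's tooling: it strips accents from each hostname label, compares the result with a protected brand name, and also reports the xn-- (punycode) form under which such a domain appears in DNS and proxy logs. The BRANDS table and all function names are assumptions made for illustration.

```python
import unicodedata

# Protected brand label -> official domain (metamask.io is named in the article).
BRANDS = {"metamask": "metamask.io"}

def refang(host):
    """Undo '[.]' defanging and lowercase the hostname."""
    return host.replace("[.]", ".").strip().lower()

def to_unicode(host):
    """Decode xn-- (punycode) labels, the form seen in DNS and proxy logs."""
    if host.isascii() and "xn--" in host:
        return host.encode("ascii").decode("idna")
    return host

def to_punycode(host):
    """ASCII form of an internationalized hostname."""
    return host.encode("idna").decode("ascii")

def skeleton(label):
    """Split accented letters into base + combining mark, then drop the marks."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def check(host):
    """Return a report saying whether host imitates a protected brand."""
    host = to_unicode(refang(host))
    report = {"host": host, "punycode": to_punycode(host), "lookalike_of": None}
    for label in host.split("."):
        official = BRANDS.get(skeleton(label))
        # A non-ASCII label that collapses to a brand name is a homoglyph lookalike.
        if official and not label.isascii() and host != official:
            report["lookalike_of"] = official
    return report

if __name__ == "__main__":
    # Constructed sample input: the ad domain from the article plus two controls.
    for sample in ["mètamaśk[.]com", "metamask.io", "example.com"]:
        print(check(sample))
```

Accent stripping only catches accented Latin letters like the ones used here; lookalikes built from other scripts (for example Cyrillic letters) need the Unicode confusables data from UTS #39.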
How to Identify a Phishing Site in Google Search Ads
As in the case of the MetaMask phishing site above, threat actors are actively exploiting Google Ads for phishing attacks. One way to distinguish the plausible phishing sites that appear at the top of Google search results is to connect directly and compare elements that cannot be reproduced, such as the URL. However, using a URL scanner such as Criminal IP is more accurate.
We searched for the fake MetaMask URL “mètamaśk[.]com” in Criminal IP Domain Search.
- mètamaśk[.]com scan result: https://www.criminalip.io/domain/report?scan_id=3043175

As a result of scanning the MetaMask phishing site exposed in Google search Ads, it is detected with a 99% risk, and the phishing probability is 75%. This domain appears to be recently created for phishing attacks.

Above all, Criminal IP Domain Search allows you to check screenshots of phishing sites without accessing them. Although this domain is connected to an IP address with no abuse history, most phishing sites have malicious IP addresses. Therefore, before accessing a website displayed at the top of the Google search Ads, it is safer to check it for phishing with a URL scanner such as Criminal IP. Be especially careful when connecting to ad websites because malicious code such as ransomware can be downloaded with just one click.
Another Cyberattack Abusing Google Ads: Google Ads Manager Invitation Spam
There is another cyberattack that exploits Google ads. This is a method of using the Google Ads manager invitation email.
A Google Ads advertiser can send an invitation email, as shown below, to a recipient’s Gmail address to invite a co-administrator. An attacker exploits this by registering a malicious website (an adult site in this case) as the website to advertise and then sending admin invites to an unspecified number of people. Since the sender of the manager invitation email is ‘Google Ads ads-account-noreply@google.com,’ it bypasses the Gmail spam filter and is usually received in the inbox. Because of this, people who receive the email think they have been invited to the real Google Ad Manager and access the spam link. People using Google ads in their companies are more likely to fall victim to attacks like this.

If you scan the link used in the above spam email with Criminal IP Domain Search, you can check whether the website is malicious without accessing it.

It is an adult site, and the attacker has tried either to promote it by exploiting the Google Ads manager invitation email or to collect visitors’ personal information.
How To Prevent Google Ads Phishing Attacks
In some cases, the Google Ads blocker, also known as AdBlock, is used to prevent Google Ads phishing attacks.
While this is another good option, requiring everyone to block Google Ads is not advisable. Instead, the fundamental solution will be for Google to strengthen its screening of spam and phishing so that advertisers and consumers can safely use the advertising platform.
To prevent phishing and spam attacks on your own, it is recommended to use real-time URL scanners and website inspection tools such as Criminal IP.
Please refer to our article on how to detect Flipper Zero phishing sites for relevant information.
Source
- Criminal IP (https://www.criminalip.io/)
- Bleeping Computer (https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-targeted-in-google-ads-phishing-attack/, https://www.bleepingcomputer.com/news/security/google-ads-invites-being-abused-to-push-spam-adult-sites/)