Google Ads invitations are misused to send emails promoting spam and sex websites to users who may not otherwise use Google’s advertising platforms.
The Google Ads platform allows advertisers to create advertising campaigns on publisher partner websites and in Google search results.
The widespread campaign recently seen involves threat actors using the Google Ads admin interface to send mass email invitations which, because they originate from Google's own servers, pass through recipients' spam filters.
Be careful with this invitation!
Users around the world report receiving emails from genuine Google Ads accounts that caught their attention.
These fake invitation emails, sent from Google’s servers, trick users into visiting spammy links contained in the email.
“Mail is sent from official Google address ‘Google Ads firstname.lastname@example.org’,” wrote erohtar.
“A few weeks ago my boss gave me access to the company’s Google Ads account, so I know this email. It’s legitimate, actually sent by Google, and it will give me access to the Google Ads account of the crook.”
Many others reported receiving identical emails, leaving them frustrated:
“I deleted the emails, but it would be nice if Google policed their products so their users didn’t have to constantly guard against phishing scams,” commented Brandon on a Google Community Forum thread started by another affected person.
Websites promote adult content
Google Ads account administrators can use the “invitations” feature to add new users to the account's administration interface by emailing them an invitation.
But, it seems that clever threat actors have once again found a way to misuse the feature for their nefarious activities.
The URLs in these invitation emails ultimately redirected users to dubious websites offering adult dating sites, many of which appear to be designed to collect personal information from visitors.
It may be tempting to report these emails as spam or phishing, but that is not a solution: doing so can also cause legitimate emails sent by Google to be blocked.
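Because these invitations really are sent by Google, filters that rely on sender reputation or domain authentication let them through, and reporting them as spam punishes the sender rather than the abuse. A more targeted check is to inspect where the links inside a purported Google Ads invitation actually point and flag the message for review when a link leaves Google's domains. The following is an added example written for this article, not code from Google or BleepingComputer; the trusted-suffix list, the constructed sample message and its `example.net` / `example.org` hostnames are assumptions made for the demonstration.

```python
"""Flag Google Ads invitation emails whose links lead off Google's domains.

Added example, not from the article: the invitations are genuine Google mail,
so sender-based checks pass them. This check looks at the link destinations in
the body instead, which is where the article says the spam content lives.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Hostname suffixes a genuine Google Ads invitation is expected to link to.
# Assumption for this example; a real deployment maintains its own allow-list.
TRUSTED_SUFFIXES = ("google.com", "googleadservices.com", "gstatic.com")

# Matches http(s) URLs up to whitespace or markup delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample invitation (placeholder sender and hostnames, not real).
SAMPLE_INVITATION = """\
From: Google Ads <noreply@example.org>
Subject: You've been invited to a Google Ads account
Content-Type: text/plain; charset=utf-8

Hot dates tonight: http://dating.example.net/signup?ref=invite
Accept the invitation: https://ads.google.com/aw/invitation
Sign in: https://google.com.example.net/login
"""


def is_trusted(host: str) -> bool:
    """True only if host is exactly a trusted suffix or a subdomain of one.

    The '.' + suffix comparison stops look-alikes such as
    'google.com.example.net' from passing as Google.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def extract_urls(text: str) -> list:
    """Return URLs in body order, with trailing punctuation trimmed."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def suspicious_links(raw_message: str) -> list:
    """Return the URLs in a message that do not resolve to a trusted host.

    An empty list means every link stays on Google's domains; a non-empty
    list is a signal to hold the message for review rather than to block
    the sender, which would also block legitimate Google mail.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in extract_urls(part.get_content()):
            host = urlparse(url).hostname or ""
            if not is_trusted(host):
                flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_INVITATION):
        print("review:", url)
```

The check deliberately returns the offending links rather than a block/allow verdict, so a mail gateway can quarantine only the invitations carrying off-domain links while ordinary Google Ads notifications continue to be delivered.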
To better understand the issue and how Google plans to fix it, BleepingComputer emailed Google well before publishing this article. A spokesperson has acknowledged receipt of our request, and we are awaiting a further response.
In the meantime, users should remain vigilant and refrain from clicking any links or attachments in such emails, even if those emails appear to come, or in fact do come, from genuine Google servers.