Phishers frequently exploit widely used URL tracking systems in their attacks. Because these domains are well-known and trusted, they serve as effective carriers for malicious links. This blog examines a recent phishing campaign that leveraged Google Ads’ tracking system to bypass email security filters.
How it Works
Piggybacking on a domain is appealing to threat actors not only because it increases the odds of making it past spam filters, but also for ease of creation. By editing an existing URL, the burden of setting up their own redirect is removed, and they can take advantage of infrastructure already in place to launch their campaign.
URL tracking systems use parameters to pass through various pieces of information for managing advertising campaigns. One of these parameters is typically the final URL that the ad service should redirect users to after they have clicked on the tracking link. For Google Ads, this is the adurl parameter.
By replacing the adurl value with a phishing link, threat actors can easily subvert a legitimate Google Ads tracking URL and use it in attacks.
To demonstrate this, we took a Google Ads tracking URL and modified the adurl value to point to our website:
In addition to googleadservices.com, a few other well-known domains abused using this tactic include:
- sony-europe[.]com
- vioc[.]com
- verizonwireless[.]com
- Vistaprint[.]com
Usage in a Real Attack
The example below shows how this technique was used in an observed attack. In this attack, the threat actor sends the victim a message falsely indicating that an unauthorized party has accessed their PayPal account.
The victim is prompted to click Account Verification to access what they believe is an authentic PayPal login page.
Instead, the threat actor has turned the legitimate Google advertising URL into a malicious redirect by placing their intended destination at the end of the URL. The redirect leads the victim to a fake PayPal login page where the victim is prompted to enter their account credentials.
hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=CkKhSJ-gqX-GtNty3-gbqpKz4DMreicBelZHBz_EI273E7LIYEAEgho-AAmDpquGD3A2gAZKJ56MDyAEGqQIEfvn7VuTSPagDAaoEtgFP0N_rXMTqaIYdOFFNvymbCN7djmLuGBs0qPBsXkjhPzV5hSfNXCjT9MKcAek_3I_gUhRSRRw5kqSy-Z-rvVzk6BH9snxHTMjSWlffMREL6Vg1BOMpRI_HIW4N0dlKPCrZxpZYk7E5CsHO8VIEegpWEzujD4iY-x3ULGIaDnhorEuMJKWYduzWUiXwr4e3kO-T-crYZzgDhjzMn16eM_uLSms_-acHT_x2ePvQC0kGdErhQYHgW8AE4ufdrYkC-gUGCCUQARgAkAYBoAY3gAfBnZNJiAcBkAcCqAeOzhuoB5PYG6gHugaoB_DZG6gH8tkbqAemvhuoB-zVG6gH89EbqAfs1RuoB5bYG6gHwtob2AcAqAgBwAgB0ggGCAAQAhgCmglsaHR0cDovL3d3dy5ibGlibGkuY29tL3Avc2ltcGF0aS1ob2tpLWFuZ2thLWJlc2FyLW5vbW9yLWNhbnRpay0wODEzLTg3OS04OC03ODkta2FydHUtcGVyZGRhbmEvcGMtLU1UQS0zOTgxNzcxgAoTkAsDyAsF4AsBgAwB2BMOiBQBqBUBmBYB&num=1&cid=CAMSOQClSFh3vOahM8bRYdbJdZjUvyzYDCnd3ma2Z3c8W_feW32_0K9UZRerkcPtYpLOi2CWmMvE7wZSBA&sig=AOD64_2nQj0Aoq0pPYruNnWvFowNPjNSXw&adurl=https://idms-authnetwork-accsession.com/r/V3bstG7
The highlighted section above, the adurl value at the end of the URL, is the malicious destination.
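A mail filter or analyst can apply the same reading of the URL automatically by scoring a link on the adurl destination rather than on the tracking host. The following is an added example, not code from the original post or from Fortra; the TRACKERS table, the function names and the sample links (all on placeholder example hosts) are assumptions constructed for illustration, and it also covers nested and double-encoded redirects, which the post does not discuss.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: local policy table of tracking hosts and the query parameter that
# carries the final destination. Only googleadservices.com/adurl is from the article.
TRACKERS = {"googleadservices.com": "adurl"}

def refang(url):
    """Undo common defanging (hxxp, [.]) so analyst-supplied URLs parse."""
    return url.strip().replace("hxxp", "http", 1).replace("[.]", ".")

def redirect_param(host):
    """Return the redirect parameter name if host is a known tracker, else None."""
    host = (host or "").lower().rstrip(".")
    for domain, param in TRACKERS.items():
        if host == domain or host.endswith("." + domain):
            return param
    return None

def resolve_destination(url, max_hops=5):
    """Statically unwrap tracker redirects (no network); return (final_url, tracker_hosts)."""
    current, hops = refang(url), []
    for _ in range(max_hops):
        parts = urlsplit(current)
        param = redirect_param(parts.hostname)
        values = parse_qs(parts.query).get(param) if param else None
        if not values:
            break
        hops.append(parts.hostname)
        current = values[-1]
        # parse_qs decodes once; peel any further layers of percent-encoding
        while "://" not in current and unquote(current) != current:
            current = unquote(current)
    return current, hops

def assess(url, expected_domains):
    """Score the link by where it lands, not by the trusted tracker it starts on."""
    final_url, hops = resolve_destination(url)
    host = (urlsplit(final_url).hostname or "").lower()
    on_brand = any(host == d or host.endswith("." + d) for d in expected_domains)
    verdict = "ok" if on_brand else ("tracker-redirect-off-brand" if hops else "off-brand")
    return {"final_host": host, "via": hops, "verdict": verdict}

# Constructed sample links (not taken from the campaign); example hosts are placeholders.
SAMPLES = [
    "hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=CONSTRUCTED&adurl=https://login.phish.example/r/abc",
    "https://www.googleadservices.com/pagead/aclk?sa=L&adurl=https%253A%252F%252Fshop.brand.example%252Fsale",
    "https://www.brand.example/account",
]
```

Calling `assess(link, {"brand.example"})` on each sample returns the host that reputation and brand checks should be applied to, along with the tracker hosts the link passed through.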
What Makes this Method so Effective for Phishing
Threat actors benefit from this style of attack in several ways. First, they avoid the need to build their own redirect infrastructure by leveraging the existing systems used in URL tracking.
Second, the domains involved are widely recognized and trusted, making them less likely to be flagged or blocked by spam filters—allowing phishing emails to reach users more reliably.
Finally, many tracking URLs expire after a set period. Once expired, they return a 404 error instead of redirecting to the phishing site. This limits the window of exposure and reduces the chances of post-attack detection, making it harder for victims to report the malicious content.
This is not the first time the URL tracking system used by Google Ads has been abused to enable phishing attacks. Threat actors have exploited Google Ads infrastructure in the past, even using the advertisements themselves to distribute phishing content. The reemergence of this particular attack method using Google adurls suggests these types of campaigns are both effective and require little effort from the criminal. Fortra Brand Protection continues to monitor this tactic.