
Malicious Google Ads Evade Detection via Campaign Platform

Summary

– 1Campaign is a cybercrime cloaking service that enables threat actors to run malicious Google Ads by showing benign content to security scanners and only revealing malicious pages to potential victims.
– The service, active for at least three years, uses a dashboard for operators to filter visitors in real time based on criteria like geography, ISP, and device to target relevant users and evade detection.
– It aggressively blocks suspicious traffic by assigning fraud scores to visitors, automatically flagging and blocking those from cloud providers, data centers, VPNs, and security vendors.
– 1Campaign includes a tool to help launch ads that bypass Google’s policies, allowing the impersonation of legitimate brands and helping malicious campaigns survive until manually reported.
– The cloaking system undermines static URL scanning, prompting security recommendations like using diverse IPs for detection and advising users to avoid or distrust promoted search results.

A sophisticated cybercrime service is actively helping threat actors bypass Google’s advertising security measures, allowing malicious ads to remain online and target victims for longer periods. Known as 1Campaign, this platform operates as a cloaking service that successfully navigates Google’s screening process. It then selectively displays harmful content only to real users, while security researchers and automated scanners are shown harmless, blank pages. This deceptive practice has reportedly been active for at least three years under the management of a developer using the alias ‘DuppyMeister.’

The core function of the service is to filter visitors in real time. It uses a dashboard where operators can monitor their campaigns and set specific parameters. The system directs traffic based on detailed criteria like geography, internet service provider, and device type. This targeted approach enables attackers to focus on users in regions where their phishing lures are most effective, while automatically blocking traffic from areas with higher concentrations of security professionals or scanning tools.

In a documented case, this filtering proved extremely aggressive, blocking a staggering 99.4% of visitors who clicked on the malicious ads. This left a mere 0.6% success rate, funneling only the most likely genuine victims to attacker-controlled phishing or crypto-drainer websites. The platform assigns each visitor a fraud risk score from 0 to 100 by analyzing technical infrastructure details. Visitors from major cloud providers like Microsoft, Google, and Tencent are instantly flagged with high scores and denied access, as these are common sources for security analysis.

The service also includes a specialized tool for launching Google Ads campaigns. This tool is promoted as a way to circumvent Google’s policy restrictions and even impersonate legitimate brands within advertisements. While Google has implemented various safeguards, platforms like 1Campaign are specifically engineered to exploit the system, often allowing malicious ads to survive until they are manually reported by users.

This advanced cloaking makes traditional static URL scanning largely ineffective for detection. Security analysts suggest that to better analyze such threats, investigators should use realistic browser fingerprints and behavioral patterns that mimic human interaction. For automated systems, rotating through a diverse pool of IP addresses and user-agent configurations can help avoid being consistently identified and blocked by these filters.
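The multi-vantage comparison suggested above, sketched as an added example that is not from the original article or from any vendor's tooling: the same landing URL is observed from several network classes, and the page is flagged when the served content splits along that class. The observation format, the 0.5 similarity threshold and the sample responses are constructed assumptions, and fetching is left out so the block runs offline.

```python
import re
from html.parser import HTMLParser
from itertools import combinations

class VisibleText(HTMLParser):
    """Collects visible words and counts password fields in one response body."""
    def __init__(self):
        super().__init__()
        self.words, self.hidden, self.password_fields = set(), 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.hidden += 1
        elif tag == "input" and dict(attrs).get("type") == "password":
            self.password_fields += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.hidden:
            self.hidden -= 1
    def handle_data(self, data):
        if not self.hidden:
            self.words.update(re.findall(r"[a-z0-9]+", data.lower()))

def jaccard(a, b):
    return 1.0 if not (a or b) else len(a & b) / len(a | b)

def detect_cloaking(observations, threshold=0.5):
    """Flag a URL whose content splits along network class (hypothetical heuristic)."""
    parsed = []
    for obs in observations:
        p = VisibleText()
        p.feed(obs["body"])
        parsed.append((obs["network"], p.words, p.password_fields))
    cross = within = 0
    for (n1, w1, _), (n2, w2, _) in combinations(parsed, 2):
        if jaccard(w1, w2) < threshold:       # the two fetches saw different pages
            if n1 != n2:
                cross += 1
            else:
                within += 1
    return {"suspected": cross > 0 and within == 0,
            "cross_network_mismatches": cross,
            "login_form_seen_from": sorted({n for n, _, pw in parsed if pw})}

# Constructed sample fetches of one ad landing URL (not real captures).
BLANK = "<html><body></body></html>"
LURE = ("<html><body><h1>Sign in to your wallet</h1><form>"
        "<input type='text'><input type='password'></form></body></html>")
CLOAKED = [{"network": "datacenter", "body": BLANK},
           {"network": "datacenter", "body": BLANK},
           {"network": "residential", "body": LURE},
           {"network": "residential", "body": LURE}]
print(detect_cloaking(CLOAKED))
```

A page that differs between fetches from the same network class is more likely dynamic content than cloaking, which is why within-class mismatches suppress the flag.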

For everyday users, the persistence of these threats underscores the importance of caution. It is wise to avoid promoted search results or treat them with significant suspicion, instead bookmarking official websites for software downloads and services. Always double-check the URL in your browser’s address bar before entering any login credentials or sensitive personal information.

(Source: Bleeping Computer)
