Google sells ads for websites used in scams – 12/06/2023 – Tech

To carry out scams on the internet, criminals have hacked Google accounts and used them to buy ads on the search engine. Fake websites often offer products at below-market prices to attract customers, who then never receive the goods.

One of these cases involved the website lojadobrasil.com, reported for fraudulent offers during Black Friday.

This address, for example, was promoted with R$72,000 worth of ads bought through a stolen Google Ads account, according to documents obtained for this report. The largest search engine on the internet left the advertisements up for 13 days after being notified that the profile had been hacked.

Fraudulent links promoted on the most popular search engine on the internet also served as bait to make people download viruses that divert Pix transfers made in the “copy and paste” mode.

A website that imitated an official Rock in Rio retailer with fraudulent offers appeared in the first advertisement in searches for the music festival.

In its advertising policy, Google says it uses human evaluation and artificial intelligence to detect advertising material that violates the platform’s rules.

In an annual report, the company stated that it had removed 5.2 billion abusive advertisements and restricted 4.2 billion ads in 2022. In this process, 6.7 million accounts were suspended.

Google says that if it suspects that the account on the Google Ads advertising platform has been compromised, it will temporarily suspend the profile to prevent its ads from being served.

Once the account is deactivated, the user loses access to other Google products, such as YouTube and Gmail. The company asks the customer to report that the account has been hacked using this link.

A company that falls victim to the scam can also request a refund, as long as it activates the two-factor authentication security method on the account, according to Google. The search giant did not say who bears the loss in the event of a refund.

The report found that, when a security breach arises from an error on the platform, the technology company bears the loss if the payment dispute is accepted by the card issuer.

The episode involving the promotion of the website lojadobrasil.com, however, shows bottlenecks in Google’s security procedures.

The victim, businessman Diogo from Rio Grande do Sul (who asked that his surname be withheld), contacted the technology company on November 20 to report that he was unable to access his account on the Google Ads platform.

Google invalidated the promotion, paid for with at least five different cards, on Monday (4). In the meantime, the fraudulent address was used to carry out scams, using Black Friday as a hook.

To do this, the scammers took control of Diogo’s profile, added themselves as account administrators and removed the businessman’s access, according to the exchange of emails between the retailer and Google agents.

Even without ads, the fraudulent website lojadobrasil.com continued to appear in the Google results list until this Tuesday (5). As a description of the link, Google shows comments from supposed customers: “The online store is reliable and offers excellent service. I recommend it to everyone!”.

The Whois query platform shows that the administrator of the address lojadobrasil.com is based in the city of Tempe, Arizona (USA).

Unlike the practice adopted in Brazilian “.br” domains, in the United States it is not necessary to make public the name and CNPJ of the person responsible for the website. Therefore, the data of the person responsible for the fraudulent page is hidden.

Google’s first measure, according to the company’s first response on the 22nd, was to ask, unsuccessfully, that cybercriminals accept Diogo’s email as account administrator. The company asked the businessman to wait for a response for two business days.

Google support then gave the user two options for verifying his identity: replying to the message with an email linked to the company’s domain, or a more complex path that involved editing the website’s source code. The message itself ignored that Diogo had contacted the technology company with an email linked to the company’s domain (@empresaficticia.com).

The Google representative then stated that she had received Diogo’s data and asked for five business days for the company to analyze the situation.

Still on the 20th, the businessman received notifications of three payments, totaling around R$3,300. Diogo had to request the cancellation of the two credit cards used in the transactions and also the refund of the amounts.

The ads, billed to Diogo’s company’s CNPJ, had the objective of promoting the website istodobrasil.com, cited as a fraudulent website promoted last Black Friday, on November 24th.

In the meantime, criminals used Diogo’s account to place Google ads.

On the 28th, Google responded to the businessman with a denial of the recovery request, justifying that he had not edited the website’s source code and sent the file in .txt format. The response ignored the first part of the email that presented the email linked to the company.

Upon being notified via email of a change in the credit card linked to the Google Ads account on the 29th, Diogo tried to call Google to warn about the use of his CNPJ by third parties to commit fraud. He heard from the company that service could not be provided over the phone, only through the online platform.

Between the 29th and Saturday (2), criminals invested almost R$69,000 in advertisements using three different credit cards. Without any response from Google, the businessman decided to file a police report with the Civil Police of Rio Grande do Sul on the 30th.

Only on the 2nd of this month did the attendant respond to an email from the 28th, saying that it would not be possible to meet the businessman’s account recovery request. The reply restricted the possibility of recovering profiles to those registered with Google Workspace, a Google service package sold for prices starting at R$28 per month.

The businessman, willing to pay for Google Workspace to recover the account, created a new email on his domain ([email protected]).

Google’s service, however, required that all addresses linked to the domain be moved to Workspace, which would cause the victim to lose the data registered on another corporate email platform. “This is impossible at the moment,” the businessman wrote to the attendant in an email.

The Google employee responded, once again, on Monday (4), that she could only recover accounts linked to Workspace for “a matter of Google procedures and user safety.”

It was only then that the platform took the advertisements from the fraudulent website istodobrasil.com offline. When questioned, Google stated that it does not comment on specific cases.

IMMEDIATE BLOCKING

According to Insper information security professor Rodolfo Avelino, immediately blocking the account after notification of account theft would be ideal in terms of security.

Attacking small business websites is a common practice among cybercriminals, who use a tactic called code injection.

“These establishments do not have a solid defense infrastructure and end up more vulnerable to offensives,” he said. With this, scammers can, for example, steal passwords.

These criminals can then use company profiles on digital platforms, such as Google, to promote fake sales on search engines, marketplaces and video sites, such as YouTube.

Creating fraudulent websites is among the most common and oldest scams on the internet, and boosting them in search engines is a way of reaching more people with the fraud, according to Avelino.

When asked about incidents involving the promotion of fraudulent websites on Google, the Federal Police stated that it does not reveal information about people and companies involved in investigations.
