Google Ads invites can be misused to send spam or emails promoting adult websites to people who don’t use Google's advertising platforms.
Advertisers use the Google Ads platform to run advertising campaigns both on publisher partner sites and in Google search results.
This widely reported campaign involves threat actors sending invitation emails in bulk through the Google Ads admin interface. These invitations, sent from Google, are able to bypass spam filters.
Be careful when you send an invite
Users around the globe are reporting that they are receiving emails from genuine Google Ads accounts.
These fake invites, which are sent by Google’s servers, encourage users to click on spam links in the email messages.
“The mail is sent from official Google address ‘Google Ads [email protected]’,” wrote Redditor erohtar.
“My boss granted me access to Google Ads accounts a few weeks ago, so this email is familiar. This email is legit and was sent by Google. It will allow me to access the Google Ads account of the fraudster.”
Others have also reported getting identical emails, leaving them disappointed.
“I have been trashing emails, but it would be nice for Google to get a handle of their products so that their users don’t have to constantly guard against phishing scams,” wrote Brandon in a Google Community forum thread.
Websites promote adult content
Google Ads administrators can add users to their account administration interface through email invitations.
It seems that clever threat actors are again able to exploit the feature for their evil purposes.
The URLs in these invite emails redirected users to low-quality websites that promote adult dating sites. Many of these appear to have been designed to gather personal data.
Although it might seem tempting to flag these emails as spam, phishing or fraudulent, this is not the right solution. It could also result in legitimate emails sent by Google being blocked.
BleepingComputer emailed Google in advance to better understand the problem and what Google's plans are.
In a statement sent to BleepingComputer, a Google spokesperson said that “our security teams are conscious of spam content” and are working hard to keep users safe.
“We have implemented appropriate actions and enforced strict Google Ads policies to prevent misrepresentation. We ask users to assist us in taking appropriate action against accounts that are involved with spam.”
It is important to be careful and not click on attachments or links in emails, even when they appear to originate from genuine Google servers.
January 23rd 2023 at 8:57 pm: Google has published a statement.