- Varonis exposed 1Campaign, a cloaking tool for malicious Google Ads
- Showing phishing/scam content to victims, blank pages to reviewers and scanners
- Offers analytics, visitor profiling, fraud scoring and brand spoofing at scale
For three years, someone has been selling a tool that allows crooks to run malicious Google Ads that only appear to highly relevant targets.
Security researchers Varonis dubbed the service 1Campaign and in an in-depth report described 1Campaign as a “cloaker” through which malicious actors can show different content to different visitors.
While real victims see actual phishing or scam content, security researchers, ad platform reviewers and automated scanners may see a basically blank page. “This allows fraudulent Google Ads campaigns to pass the first review and stay active longer before being flagged,” explained Varonis.
Launch of advertising campaigns
But there is more to 1Campaign, the simple obfuscation. The tool offers real-time analytics, visitor profiling, fraud scoring, and the ability to block traffic from known security vendors, data centers, and VPNs.
“Each visitor is assigned a fraud score from 0 to 100. Visitors from Microsoft Corporation, Google, Tencent Cloud Computing, OVH Hosting and other cloud providers are automatically flagged with a high fraud score and blocked,” the researchers explained.
Security scanners are identified through IP ranges, ISPs and behavior patterns, meaning attackers can configure exactly who sees their malicious content and who gets to stare at a blank page.
Developed by a hacker alias ‘DuppyMeister’, 1Campaign distributed traffic throughout the US, Canada, Netherlands, China, Germany, France, Japan, Hungary and Albania. The platform also comes with a Google Ads launcher tool through which the malicious can launch both malicious and benign campaigns.
DuppyMeister says this allows 1Campaign to bypass policy restrictions and launch ads “like anyone.” This basically means that crooks can counterfeit any brand.
“This enables outright ad fraud at scale, allowing attackers to impersonate legitimate brands and services in their Google Ads campaigns while avoiding automatic policy enforcement,” the researchers concluded.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
