Recently I noticed a phishing attempt on Google where a paid search ad sent me to a page designed to trick me into entering my Google AdWords login details.
The scammer would most likely use the stolen login to rack up a massive PPC spend on all kinds of spammy products, leaving me with a huge AdWords bill while they (probably) made decent revenue through an affiliate program of some kind, where they can cover their tracks more easily. That, or they would simply sell the account details on the dark web to the highest bidder.
From further digging I found that a load of scams were being run through Google's own site-builder tools: either Google Sites (part of G Suite) or, for free, the Google My Business site generator. The latter lets you activate an auto-generated website based on the information in your Google Business profile. It is far more limited than Google Sites, but it can still be put to use by scammers, as I'll expand on later.
How the Google AdWords phishing attempt works
I shared my original findings on Twitter when I first noticed the attempt. Despite it being pretty evil, you also have to admit it's quite smart, in a slightly geeky way.
Almost fell for this - searching for "Google Ads" I lazily went to click on a PPC ad to skip to the sign in page. This took me to a https://t.co/XLgPVtN1Gd page - which mimics Google Ads' page. Links take you to a https://t.co/imxSamUSvJ type URL (to try & mask the "bad URL")... pic.twitter.com/aoPwtjX2R0
— Matt Tutt (@MattTutt1) April 29, 2020
I'm not sure how or why they are evading Google's detection. One possibility is that Google's security teams were running at reduced capacity at that moment, with some staff unable to work from HQ because of the Covid-19 impact; we've seen big delays with reviews getting published within Google My Business, so a similar staffing issue could be at play here (fewer people available to review this type of report). The other possibility is that Google's system for detecting this kind of scam is just really bad.
Here's how the phishing attempt worked:
1 - I searched "Google AdWords" from the Chrome browser.
2 - I saw two PPC ads, one of which caught my eye. In hindsight I think I clicked the PPC ad instead of the organic listing out of curiosity: why would Google bid on this keyword? (Is it to stop others doing the same? Surely they wouldn't allow anyone else to bid on it.)
3 - I was presented with a page imitating the usual Google AdWords login page. Something felt off: the images were slightly blurred and not as crisp as the real thing. Either way, the URL bar was the big giveaway.
4 - At this point I clicked through to login (out of curiosity more than anything) but obviously stopped short of entering my login details.
5 - Decided this was pretty bad, and was worth sharing to warn others.
Since sharing the issue I've had no response or contact from the Google AdWords team (I tagged them on Twitter when I first shared it), but the PPC ad didn't stay around for long. The scammer may have pulled the ads at that point, but I'm not sure; it's more likely they've just switched to the next thing.
Using Google Sites as a Phishing Network
After sharing my findings I thought it was worth digging a little deeper, as is often the case when I spot something weird online (be it SEO-specific or unique to PPC, though it's mostly the former that leads me down these rabbit holes).
From some initial research with Ahrefs' excellent Site Explorer (the PPC Keywords report under Paid Search) it was clear that Google Sites was being used as a front by many scammers trying to hide their nefarious activities. The reason is pretty clear: if you see ".google.com" in a site URL, whether in an organic result or a PPC ad, you're going to give it a fairly high level of trust, even though anything on sites.google.com is user-generated content that Google itself has not vetted.
Google Sites is part of the G Suite software range, accessible if you pay a monthly fee (around £5 per month, so not expensive), and it is also available with an ordinary free Google account, so the barrier to entry is next to nothing. It is also possible to auto-generate a Google Site from your Google Business listing, although you're more limited in terms of features there.
While the Google Ads team do supposedly review ads before they go live, I wonder whether the scammers are cloaking content from the ad review team (if that's even possible on the Google Sites platform) or, more likely, switching the hosted content after their ads have been approved. Either way their "bad" material is never seen by the approval process, which is probably fairly automated on Google's side too.
Example 1 - Customer Service Line Scams
From the PPC Keywords report in Ahrefs, filtered to the sites.google.com domain, I could see a clear example of a scammer posing as customer support for American Airlines.
They were bidding on "United Airlines customer service" keywords, getting people onto their Google Sites page, and presenting the contact details of their own phone line. People calling that line were either put through to a premium-rate number or, as in this case, tricked into paying a fee to get their booking adjusted (see the forum screenshot further down).
Above you can see the landing page built for the ad, hosted on Google Sites for extra credibility. They probably obscured most of the URL within the ad, so that the display URL was just "sites.google.com" or something along those lines.
By chance I also found, through some additional Googling, someone asking for advice after being scammed by calling the number from one of these ads and later being charged a big fee to cancel the booking.
Example 2 - Affiliate Link Cloaking
Another unsurprising finding was the use of affiliate links to refer people to a popular site, often a "remote IT assistance" tool; in this particular case GoToAssist's affiliate program was being used.
"Gotoassist" was the keyword they were bidding on in Google (no idea how they were allowed to use that one; most affiliate programs are strict about not bidding on brand names in PPC), and the ad took people to a Google Sites page that mimicked GoToAssist's own site (GoToAssist now seems to be called RescueAssist, by software provider LogMeIn).
Clicking anywhere on the page redirected you to another website, which then automatically redirected again to their affiliate URL.
Just to clarify: while the above is a bit "greyhat", to borrow an SEO phrase, it's not necessarily that bad. Someone was looking for a software tool and, albeit by a long-winded route, eventually they made their way to the site.
I'm just using it as an example of the kind of thing going on at Google Sites, and bear in mind these are only a few examples spotted from some very quick research. There are probably many worse ads being run through the network.
Example 3 - Affiliate link cloaking through fake Google Results
This is a continuation of the affiliate scheme above, but it caught my attention because they were taking people to a page that supposedly mimicked the Google SERPs (very badly, in my opinion; it looks more like Bing!).
Any click on that fake SERP listing page then took you to the STD testing website, with the affiliate link applied.
Judging by the UTM tags on the URL, it looks like this one might be run through the Commission Junction (CJ.com) affiliate network (a guess on my part).
Again, nothing that bad is going on here from what I can see; it's just not something Google should be proud of serving from their Google Sites platform, if you ask me.
You can check the above yourself by entering "sites.google.com" into your keyword research tool of choice (SEMrush and Ahrefs both cover this pretty well), or "business.site", which is the domain used by the Google My Business site generator.
I think many legitimate businesses run PPC ads on the business.site domain via their Google Business Site (don't ask me why; they'd probably be better off investing in their own self-managed site), but the scams I did find were largely based around false customer service support lines (see the example below, and note the URL).
The customer service line scams are probably most common on the Google Business Site generator because that platform is so limited in what you can and can't do. Adding a phone number as plain text is one of the few things it does allow, so the scammers use a genuine (or fake) business listing as a trojan horse for their little phone line scam.
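As an added example (my own illustration, not code from this post or from any of the sites discussed), here is how you can replay a redirect chain like the ones in examples 2 and 3 offline and flag the tell-tale signs: a free-hosting origin, cross-domain hops, and tracking parameters on the final destination. The URLs, hostnames, responses and the list of tracking parameter names are all constructed or assumed; a real check would read each hop's Location header from a live HTTP response instead.

```python
"""Added example (not code from the original post): replay a redirect chain
offline and flag the hallmarks of affiliate-link cloaking described above.

Everything here is constructed: the URLs, hostnames and responses are
hypothetical stand-ins, and the list of tracking parameter names is a small
illustrative set, not a complete affiliate-network fingerprint.
"""
from urllib.parse import parse_qs, urljoin, urlparse

# Hosts anyone can publish on, so a link there carries no real trust
# (both are named in the post; the set is deliberately small).
FREE_HOSTS = {"sites.google.com", "business.site"}

# Query parameters that usually mean "someone is being paid for this click".
# utm_* is the well-known Google Analytics convention; the rest are assumed
# generic names and would need extending for a specific affiliate network.
TRACKING_PREFIXES = ("utm_",)
TRACKING_PARAMS = {"affiliate_id", "aff_id", "clickid", "ref"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample: the URL a click on the fake page sends the browser to,
# then each hop's (status, Location header).
SAMPLE_START = "https://sites.google.com/view/example-remote-support/go"
SAMPLE_DESTINATION = (
    "https://merchant.example/?utm_source=affiliate&utm_medium=cpc&utm_campaign=remote-support"
)
SAMPLE_RESPONSES = {
    SAMPLE_START: (302, "http://redirector.example/click"),
    "http://redirector.example/click": (302, "/track?id=123"),  # relative Location
    "http://redirector.example/track?id=123": (302, SAMPLE_DESTINATION),
    SAMPLE_DESTINATION: (200, None),
}


def follow_chain(start, responses, max_hops=10):
    """Return the list of URLs visited, resolving relative Location headers
    the way a browser would.  Loops and over-long chains raise ValueError,
    which is itself a useful signal when triaging a suspicious landing page."""
    chain = [start]
    current = start
    for _ in range(max_hops):
        status, location = responses.get(current, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return chain
        nxt = urljoin(current, location)
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
        current = nxt
    raise ValueError(f"more than {max_hops} redirects starting from {start}")


def tracking_params(url):
    """Names of query parameters on *url* that look like click tracking."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(
        name for name in params
        if name.lower().startswith(TRACKING_PREFIXES) or name.lower() in TRACKING_PARAMS
    )


def analyse_chain(chain):
    """Summarise a chain: hosts crossed, number of cross-domain hops, flags."""
    hosts = [urlparse(url).hostname or "" for url in chain]
    cross_domain = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    params = tracking_params(chain[-1])
    flags = []
    if hosts[0] in FREE_HOSTS:
        flags.append("free-host-origin")
    if cross_domain:
        flags.append("cross-domain-redirect")
    if params:
        flags.append("tracking-params-on-destination")
    return {
        "hosts": hosts,
        "cross_domain_hops": cross_domain,
        "destination": chain[-1],
        "tracking_params": params,
        "flags": flags,
    }


if __name__ == "__main__":
    report = analyse_chain(follow_chain(SAMPLE_START, SAMPLE_RESPONSES))
    for hop, host in enumerate(report["hosts"]):
        print(f"hop {hop}: {host}")
    print("flags:", ", ".join(report["flags"]))
```

The point of resolving each hop yourself rather than letting a client library follow redirects is that the intermediate domains are the evidence: a Google Sites origin, one or more redirector domains, and a destination carrying tracking parameters is exactly the pattern the two affiliate examples show.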
Update: Another example of Contact Line Hijacking with CurrencyFair
A few days ago, someone I follow on Twitter (Fabrizio Ballarini, of the money transfer site CurrencyFair) shared his own first-hand displeasure at Google Ads allowing more slightly dubious ads onto its network. In this instance someone was bidding on keywords around "contact CurrencyFair", taking users to a page that supposedly contains the company's phone line.
When a legit company opens a new account it might get banned automatically.
Then you have fraudsters running ads and it's completely fine.
— Fabrizio Ballarini (@Pechnet) January 22, 2021
Calling that number likely puts you through to the CurrencyFair help desk via another premium-rate line, so the user gets charged a hefty fee for the call.
In Fabrizio's case (and the subsequent Twitter thread) I'm not entirely sure how Google could catch this type of scam. What's to stop someone setting up a "genuine" PPC advert that leads to a standard, legitimate page on the Google Sites platform, and then drastically altering the site content after the ad-approval process?
Will the Google Ads bot return to the site and flag the landing page for a new review, or is that not happening on Google's side? And how would Google determine whether a number is genuine or a premium-rate line of some kind?
For me, if you're unable to get Google to pull the ad (or to act on a report of the Google Sites page, which you can file from the bottom-left corner of the screen when on the page), it could be a case of coughing up and paying the Google Tax: run your own ads (in the same way a brand like TransferWise would), bidding on keywords relating to "contact TransferWise" in order to stop the scammer ads being shown. This lets you control the SERPs to a greater extent, pushing up the cost per click for the spammer and possibly burying their ad in the process.
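One way to answer the first two questions for your own brand, as an added example rather than anything Google is known to do: snapshot the landing page at approval time, re-fetch it later and compare the visible text, and check every phone number on the page against the brand's own published numbers. The HTML snapshots, the "Example Bank" brand and all phone numbers below are constructed; numbers are reduced to bare digits for comparison (so country-code variants of the same number are not reconciled), and classifying a number as premium-rate, which is a numbering-plan lookup that varies by country, is deliberately out of scope.

```python
"""Added example (not code from the original post): re-check an approved
landing page for the bait-and-switch described above.

Everything is constructed: the HTML snapshots, the brand name and every phone
number are made up.  Phone numbers are normalised to bare digits, so country
code variants of the same number are not reconciled; whether a number is
premium rate is a numbering-plan question and is not attempted here.
"""
import hashlib
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text, ignoring <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth:
            self.parts.append(data)


def visible_text(html):
    """Visible text with whitespace collapsed, so markup-only edits
    (reindenting, swapping a script) do not count as a content change."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.parts).split())


def fingerprint(html):
    """Stable hash of the visible text; store this at approval time."""
    return hashlib.sha256(visible_text(html).encode("utf-8")).hexdigest()


# Loose pattern: a digit, at least seven digits/separators, then a digit.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def normalise_phone(raw):
    return re.sub(r"\D", "", raw)


def extract_phones(text):
    return sorted({normalise_phone(m) for m in PHONE_RE.findall(text)})


def review_landing_page(approved_html, current_html, official_numbers):
    """Compare the page as approved with the page as served now, and list any
    phone numbers that are not on the brand's own published list."""
    official = {normalise_phone(n) for n in official_numbers}
    changed = fingerprint(approved_html) != fingerprint(current_html)
    unknown = [n for n in extract_phones(visible_text(current_html)) if n not in official]
    findings = []
    if changed:
        findings.append("content-changed-since-approval")
    if unknown:
        findings.append("unlisted-phone-number")
    return {"changed": changed, "unknown_numbers": unknown, "findings": findings}


# Constructed snapshots for a hypothetical brand "Example Bank".
APPROVED_HTML = (
    "<html><body><h1>Example Bank Contact</h1>"
    "<p>Our support line: 0800 123 4567</p>"
    "<script>var x=1;</script></body></html>"
)
# Same visible content, different markup, whitespace and script: not a change.
REFORMATTED_HTML = (
    "<html>\n <body>\n  <h1>Example Bank Contact</h1>\n"
    "  <p>Our   support line: 0800 123 4567</p>\n"
    "  <script>var x=2;</script>\n </body>\n</html>"
)
# The page after the swap: same heading, new call to action, and a number
# that is not the brand's own.
SWAPPED_HTML = (
    "<html><body><h1>Example Bank Contact</h1>"
    "<p>Call now to change your booking: 0906 555 0100</p>"
    "</body></html>"
)
OFFICIAL_NUMBERS = ["0800 123 4567"]


if __name__ == "__main__":
    for label, html in (("reformatted", REFORMATTED_HTML), ("swapped", SWAPPED_HTML)):
        print(label, review_landing_page(APPROVED_HTML, html, OFFICIAL_NUMBERS))
```

Comparing against the brand's own published numbers side-steps the "is it premium rate?" question entirely: any number on a page that claims to be your contact page and is not on your list is worth a report, whatever it costs to dial.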
Takeaways for businesses from the above (and Google!)
The main advice here for other big brands is to monitor exactly who is bidding on your name within Google Ads and any other ad network. Use an automated tool to track this, and do spot checks now and then (a VPN is handy here, to imitate other locations around the world, since the scam ads may only be targeted at certain countries). A decent PPC specialist should be spot-checking for issues like this regularly.
Ensure your messaging within any affiliate network is clear about what is and isn't allowed, and keep tabs on what your affiliates are up to as best you can.
My advice for Google (who are obviously checking my blog regularly 😉) would be to clear up the scams they're happily hosting on the Google Sites and Google My Business platforms, and to stop letting those scams participate in the Google Ads program. The last one is the worst in my opinion, and should be the easiest to police.