
We had a customer walk in the other month with a Google Ads account that had been suspended. He wanted our help to know why.

We asked him to log in (in an incognito browser) in order to do a quick review of the Google Ads account and sure enough we found a big red warning banner stating that the account had been suspended. Moving directly to the Ads section, the Ad disapproval said: “malicious content and misrepresentation policy violation.” This was the ad we were looking at.

Compromised Account Ad

The customer looked stunned – that wasn’t his ad! The final URL was his, though; he did confirm that.

The next place we looked was the change history to find a number of changes had been logged.

We immediately determined it to be a compromised Google Ads account. They’d used his username and password to log in, and this had been a systematic attack with changes made over a 3-day period.


The Evidence

Initially the only change made was to add one keyword: nothing malicious, nothing to arouse suspicion, but enough to make certain it could be done. Presumably this initial change was made by an automated system purely to confirm that the captured login and password worked and belonged to an account that was actually up and running.

A day later whoever it was proceeded to make all the malicious changes. It began with changing a keyword from “bathroom supply” to “bathroom adwords supply”. This was followed by changing it again to “adwords supply” and finally to “adwords login”.

Compromised Account Keyword Changes

The Targeting Country was changed from Australia to Venezuela.

The delivery method was altered to “Serve ads as fast as possible” rather than “evenly through the day” in order to catch as many new people as possible before this account got caught and suspended.

The Budget was updated several times – first up to $20, then to $70 and finally the budget was adjusted to be $500 per day, no doubt in order to make certain the ads could show for every search.

Compromised Account Budget Changes

To avoid getting the ad previewed and disapproved immediately, the Final URL of the ad was not altered when changes to the ad were made. Instead, a change was made in the Account Settings to the Tracking URL, no doubt to a page that looked like the Google Ads login page, in order to fool people who wanted to log in, capture the username and password of the next unsuspecting victim, and continue the deception.

In the end they spent a few hundred dollars of the poor man’s money before the Google Ads bots checked and caught the tracking URL and suspended the account, but I have no doubt that they’d managed to get plenty of new login details to continue the malevolent behaviour.
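The sequence of changes described in this section can be checked for mechanically. The following is an added example, not part of the original post and not Google's own tooling: it reviews constructed change-history records in a hypothetical flat format, and the field names, thresholds and `example.com` hosts are all assumptions.

```python
from urllib.parse import urlsplit

# Constructed records in a hypothetical flat format (not a Google Ads export schema).
SAMPLE_CHANGES = [
    {"day": 1, "field": "keyword", "old": None, "new": "bathroom tiles"},
    {"day": 2, "field": "keyword", "old": "bathroom supply", "new": "adwords login"},
    {"day": 2, "field": "target_country", "old": "Australia", "new": "Venezuela"},
    {"day": 2, "field": "delivery_method", "old": "standard", "new": "accelerated"},
    {"day": 2, "field": "daily_budget", "old": 20, "new": 70},
    {"day": 3, "field": "daily_budget", "old": 70, "new": 500},
    {"day": 3, "field": "tracking_url", "old": None,
     "new": "https://tracker.example.net/r?u={lpurl}"},
]

BRAND_TERMS = ("adwords", "google ads")  # assumption: terms this advertiser never bids on
BUDGET_JUMP = 3.0                        # assumption: flag a budget raised 3x or more


def host_allowed(url, allowed_hosts):
    """True when the URL's host is an allowed host or a subdomain of one."""
    h = (urlsplit(url).hostname or "").lower()
    return any(h == a or h.endswith("." + a) for a in allowed_hosts)


def review(changes, allowed_hosts):
    """Return (day, indicator, detail) for each change matching the pattern above."""
    findings = []
    for c in changes:
        field, old, new = c["field"], c["old"], c["new"]
        if field == "keyword" and any(t in new.lower() for t in BRAND_TERMS):
            findings.append((c["day"], "login-bait keyword", new))
        elif field == "target_country" and old and new != old:
            findings.append((c["day"], "targeting moved", f"{old} -> {new}"))
        elif field == "delivery_method" and new == "accelerated":
            findings.append((c["day"], "accelerated delivery", new))
        elif field == "daily_budget" and old and new / old >= BUDGET_JUMP:
            findings.append((c["day"], "budget spike", f"{old} -> {new}"))
        elif field == "tracking_url" and new and not host_allowed(new, allowed_hosts):
            findings.append((c["day"], "off-site tracking URL", new))
    return findings


if __name__ == "__main__":
    for day, indicator, detail in review(SAMPLE_CHANGES, {"example.com"}):
        print(f"day {day}: {indicator}: {detail}")
```

The host check compares whole hostnames, so a lookalike that merely begins with the legitimate name (the trick in the joke link at the end of this post) is still treated as off-site.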

Why?

Perhaps they do it for fun. Perhaps they’re hoping the login details they catch will be of a user with a Google Wallet account so they can spend elsewhere. Who knows.

Conclusion

Hopefully, with the introduction of parallel tracking rolling out soon, this sort of malicious activity becomes harder to accomplish. That said, searchers clearly check neither the Final URL of the ad nor the URL of the website they end up on, which sadly means people will continue to get caught out.

The moral of the story is keep your login details safe and make absolutely certain you log in to the official Google Ads login page.

 

Google Ads Login: https://www.google.ads.login.stealyourdata.com
I won’t steal your details.  Honest!