A new cybercrime service called 1Campaign is allowing threat actors to run malicious Google Ads for extended periods while evading detection by security researchers. This cloaking service bypasses Google's screening process by displaying malicious content only to potential victims, while showing benign pages to security researchers and scanners, with further coverage provided by Bleeping Computer.

Active for at least three years, 1Campaign is managed by a developer known as "DuppyMeister." The service provides a user-friendly dashboard for customers to manage campaigns, filtering visitors in real time based on geography, ISP, and device characteristics. This targeted approach allows attackers to focus on specific regions and filter out traffic from entities likely to apply security scrutiny. In one observed instance, 1Campaign blocked 99.4% of visitors, demonstrating a highly selective filtering mechanism. The system assigns a risk score to visitors, blocking those from cloud providers and security vendors. The platform also includes a Google Ads launcher tool to help bypass policy limitations and impersonate legitimate brands, with observed traffic distributed across the United States, Canada, the Netherlands, China, Germany, France, Japan, Hungary, and Albania.

The emergence of sophisticated cloaking services like 1Campaign highlights the ongoing challenges in securing advertising platforms against malicious activity. Such systems render traditional static URL scanning less effective, necessitating advanced detection methods that mimic human interaction. Users are advised to exercise caution with promoted search results, verify URLs before submitting sensitive information, and rely on official software distribution channels to mitigate risks.

Source: Bleeping Computer




