Cybersecurity experts discovered a sophisticated phishing campaign that used Google Ads and PayPal's infrastructure to defraud users and obtain sensitive personal information.
The attackers abused vulnerabilities in Google's ad standards and PayPal's "no-code checkout" feature to create fake payment links that appeared authentic, duping victims into communicating with fake customer care agents.
Malicious actors created fraudulent adverts imitating PayPal. These adverts shown in the top search results on Google, displaying the official PayPal domain to boost user trust. A flaw in Google's landing page regulations allowed these advertisements to send consumers to fraudulent sites hosted on PayPal's legitimate domain.
The URLs used the format paypal.com/ncp/payment/[unique ID], which was designed to allow merchants to securely accept payments without requiring technical knowledge.
Scammers took advantage of this functionality by customising payment pages with misleading information, such as fake customer service phone numbers labelled as "PayPal Assistance." Victims, particularly those using mobile devices with limited screen area, were more likely to fall for the scam due to the challenges in spotting the fake nature of the links.
Mobile devices: A key target
Due to the inherent limitations of smaller screens, mobile users were the campaign's main target. Users of smartphones frequently rely on the top search results without scrolling further, which increases their vulnerability to clicking on malicious ads.
Additionally, once they were directed to the phoney payment pages, users would see PayPal's official domain in their browser address bar, which further confirmed the scam's legitimacy.
Victims who called the fake help numbers were most likely tricked into disclosing sensitive information or making unauthorised payments. According to MalwareBytes Report, this attack highlights how cybercriminals may use trusted platforms such as Google and PayPal to conduct sophisticated scams.
Scammers successfully bypassed typical security measures by combining technical flaws with social engineering techniques, preying on people' trust in well-known brands.
The campaign has been reported to Google and PayPal, yet new malicious adverts utilising similar techniques continue to appear. Experts advise people to use caution when interacting with online adverts and to prioritise organic search results above sponsored links when looking for legitimate customer service information. Security technologies such as ad blockers and anti-phishing software can also help to reduce risks by blocking malicious links.
