How Attackers Are Exploiting Google Ads and PayPal’s Merchant Tools

Recent investigations by security researchers have uncovered a coordinated attack campaign that exploits vulnerabilities in Google Ads and PayPal Merchant tools. This campaign leverages trusted online features to deceive unsuspecting users and steal sensitive data. In this post, we will explore the intricate details of this multi-layered attack, analyze the techniques employed by the adversaries, and provide actionable recommendations for both enterprises and individual users. Understanding the mechanics of these attacks is critical, as it not only reveals the vulnerabilities in widely used platforms but also underscores the urgent need for enhanced security measures across the digital payment and advertising ecosystems.

Background and Overview of Google Ads and PayPal Merchant

The recent campaign represents an evolution in cyberattack methodologies. Traditionally, phishing attacks have relied on blatantly deceptive emails or fake websites designed to trick users into entering their details. However, the current wave of attacks is markedly more sophisticated. Instead of creating entirely fake domains or email templates, threat actors exploit users’ inherent trust in established platforms like Google and PayPal.

The attack begins with carefully crafted Google Search ads that mimic the branding of PayPal’s official support channels. These ads immediately lend an aura of legitimacy by replicating PayPal’s logos, meta descriptions, and overall visual style. When users click on these ads, they are taken to pages that, although hosted under PayPal’s domain, have been manipulated to include fraudulent elements. This confuses users and circumvents many traditional phishing detection mechanisms that rely on identifying fraudulent URLs.

The ingenuity of this attack lies in its exploitation of policy loopholes within both Google’s and PayPal’s systems. Google’s policies on ad display are exploited by ensuring that the display URL and the landing page share the same root domain, meeting the minimum compliance requirements. On the other hand, PayPal’s no-code checkout system—intended to empower small businesses by allowing them to quickly set up payment forms without needing extensive technical knowledge—becomes an unwitting tool for cybercriminals. This attack demonstrates how legitimate business tools can be repurposed for nefarious ends, highlighting the critical balance between usability and security.

The Anatomy of the Attack

At the heart of this coordinated assault is a sophisticated exploitation of platform-specific features and human behavior. The attackers begin their campaign by creating Google Search ads indistinguishable from genuine PayPal support channels. The ads incorporate familiar branding elements such as the official PayPal logo, color schemes, and even text descriptions that mirror those used by the company. By doing so, they not only mislead users into believing they are interacting with an authentic service but also bypass initial levels of scrutiny typically applied by users who recognize the PayPal brand.

Once a user clicks on the deceptive ad, they are redirected to a landing page hosted on a subdomain of paypal.com. This is a critical element of the attack: even though the page is part of the legitimate PayPal domain, it is subverted to display customized fields that prompt users to take actions that ultimately compromise their security. For instance, these pages are designed to instruct users to call specific customer support numbers. However, these numbers are not genuine—they are spoofed and controlled by the attackers.

Another layer of complexity is added by the abuse of PayPal’s no-code checkout system. This system, which is designed to facilitate straightforward payment setups for small businesses, allows users to create custom payment forms quickly. Unfortunately, the system did not have stringent algorithmic checks to detect anomalous entries or malicious payloads within its text fields. As a result, threat actors could insert fraudulent support numbers and misleading instructions directly into the payment process. This hybrid approach of leveraging a trusted platform’s infrastructure while modifying its content on the fly makes detecting the attack extremely challenging.

Exploiting Google Ads for Phishing

Google’s advertising ecosystem, particularly its Search ads, is one of the most effective tools for reaching a broad audience. In this campaign, attackers exploited a specific policy gap related to the Misleading Ad Design policy. According to the policy, ads can run as long as the display URL and the landing page share the same root domain. Attackers took full advantage of this nuance by designing landing pages on subdomains under paypal.com, even though the content was manipulated to include fraudulent elements.

This subtle exploitation of policy loopholes means that, technically, the ad and the landing page comply with Google’s guidelines. The adversaries ensured all technical criteria were met, even while the underlying intent was malicious. By operating within these allowed parameters, the attackers effectively bypassed many of the automated filters designed to catch phishing scams. This is a stark reminder that security measures, no matter how robust, can have blind spots—especially when adversaries adapt their tactics to work within the rules.

Furthermore, legitimate TLS certificates and the trusted URL structure associated with PayPal’s payment pages (specifically, paypal.com/NCP/payment/[unique ID]) bolster the credibility of the phishing attempt. These factors contribute to a false sense of security among users, who may assume that the presence of a secure connection and a familiar URL automatically equates to legitimacy. Such tactics highlight the need for enhanced vigilance and more sophisticated detection mechanisms beyond surface-level compliance.

Abusing PayPal’s No-Code Checkout System

PayPal’s no-code checkout system was designed with the best intentions—to democratize access to digital payment processing for small businesses and independent entrepreneurs. By allowing users to create payment pages quickly and easily, PayPal aimed to reduce the technical barriers to online commerce. However, as this attack demonstrates, the same ease of use can be exploited by malicious actors when appropriate safeguards are not in place.

In this context, the system’s primary vulnerability was its lack of advanced checks for the content entered into customizable fields. In the hands of an attacker, these fields become a canvas for social engineering lures. Instead of simple payment instructions, the attackers inserted customized fields instructing users to call spoofed customer support numbers. This manipulation is particularly effective because it plays on the user’s trust in PayPal’s infrastructure and the assumption that any page under paypal.com is secure and legitimate.

In response to the discovery of this abuse, PayPal has temporarily turned off custom text fields on no-code checkout pages. As of February 25, 2025, this step is part of a broader effort to implement real-time natural language processing (NLP) to detect and block fraudulent support numbers. By incorporating more advanced algorithmic analysis, PayPal aims to detect anomalies in transaction flows and prevent attackers from inserting malicious payloads into legitimate payment processes. While this is a positive step forward, the incident serves as a stark reminder of the importance of ongoing security evaluations and updates, even in systems that are considered to be low-risk.

Infrastructure Abuse and Policy Loopholes

The dual exploitation of infrastructure abuse and policy loopholes is common in modern cyberattacks. In this case, the attackers have managed to navigate the fine line between compliance and malicious activity by adhering to the technical requirements of both Google’s and PayPal’s policies while subverting their intended purposes.

Google’s ad policy updates from January 2025 introduced AI-powered landing page quality models intended to assess the legitimacy of ad destinations. However, these models could not flag the malicious pages because the attackers designed them to operate within a hybrid structure. Although the landing pages technically complied with the Site Reputation Abuse policy by being hosted on a trusted domain, the content was altered to include deceptive elements. This loophole in the automated system allowed the attack to proceed largely undetected.

Similarly, PayPal’s system, which was built to simplify transactions for small businesses, did not incorporate rigorous checks for the specific type of social engineering content that was being injected into its no-code checkout pages. This lack of robust input sanitization and anomaly detection created an opening that the attackers exploited. The phrase “validators.URL (public=True)”—referring to the input sanitization level—illustrates that even when using well-regarded libraries or validation methods, attackers can still operate within the allowed parameters if those systems are not sufficiently rigorous.

The Mobile User Factor

One significant aspect of the attack is its disproportionate impact on mobile users. Modern internet usage is heavily skewed toward mobile devices, and this vulnerability highlights a critical area of concern. When browsing on smartphones, the limited screen size often results in the address bar being hidden after navigation, which makes it easier for attackers to mask the true nature of the URL. In this campaign, a 2025 analysis by Malwarebytes revealed that 78% of victims encountered these malicious ads on their mobile devices.

The trust instilled by familiar URL structures and TLS certificates becomes even more potent on mobile platforms, where users are less likely to scrutinize URLs or verify the authenticity of on-screen information. This vulnerability calls for heightened awareness among mobile users and the development of more user-friendly security indicators that can alert users to potential threats even when the browser’s address bar is not visible.

Countermeasures by Google and PayPal

In response to the mounting evidence of these coordinated attacks, both Google and PayPal have taken steps to reinforce their defenses. Google has faced criticism for delayed enforcement of its ad policies, prompting the company to accelerate the training of its prediction models using adversarial machine learning techniques. These advanced models are designed to detect domain reputation hijacking—a tactic where attackers exploit legitimate domains to host malicious content.

On the other hand, PayPal has implemented temporary measures to turn off custom text fields in its no-code checkout system. This is coupled with real-time natural language processing integration to identify and block fraudulent support numbers before they can be used in transaction flows. Although these steps represent significant progress in mitigating the threat, both companies acknowledge that the nature of the attack requires a dynamic and ongoing approach to security.

These efforts are part of a broader shift towards more integrated and proactive security measures across digital ecosystems. The incident not only underscores the limitations of current security frameworks but also serves as a catalyst for developing unified anti-abuse standards across various platforms and services.

Recommendations for Enterprises

The recent campaign is a stark reminder of the importance of maintaining robust security protocols for businesses that rely on PayPal for processing transactions. Enterprises should consider implementing the following measures to mitigate the risk of similar attacks:

Enhanced Transaction Monitoring:

Organizations should monitor transactions closely for any anomalies. This includes scrutinizing payloads for unusual text strings or phone numbers that might indicate tampering. A proactive approach to transaction monitoring can help detect and neutralize fraudulent activities before they escalate into significant breaches.

Cross-Channel User Verification:

Enterprises should adopt cross-channel verification methods such as OAuth 2.0 to bolster security. This additional layer of authentication can help confirm the legitimacy of user requests, thereby reducing the risk of processing fraudulent support inquiries.

Strict Client-Side URL Validation:

Implementing robust client-side URL validation is essential. Developers should leverage established libraries, such as Python’s validators package, but with enhanced public IP checks and stricter validation criteria. This ensures that any attempt to manipulate URL parameters is promptly detected and mitigated.

Regular Security Audits:

In addition to technological safeguards, regular security audits are critical. These audits should identify potential vulnerabilities within third-party integrations and payment processing systems. By continuously evaluating their systems’ security posture, enterprises can stay ahead of evolving threats.

Training and Awareness:

Educating staff about the latest cyber threats and the tactics used by attackers is equally essential. Comprehensive training programs can empower employees to identify suspicious behavior and respond appropriately, adding another layer of defense against phishing and social engineering attacks.

Guidance for End Users

While enterprises play a pivotal role in safeguarding digital transactions, individual users must remain vigilant. The success of these attacks often depends on human error, and as such, end users can take several steps to protect themselves:

Verify Before You Act:

End users should be cautious when encountering support numbers or payment instructions embedded in digital content. Instead of relying solely on information presented on-screen, users are encouraged to verify support details by visiting official portals or contacting customer service through known channels.

Bookmark Official Portals:

A simple yet effective strategy is to bookmark official websites. For instance, bookmarking PayPal’s official portal can prevent users from inadvertently navigating to fraudulent pages through search engine results. This small habit can significantly reduce the risk of falling victim to phishing attempts.

Use Ad-Blocking Tools:

Installing reputable ad-blocking extensions can help filter out sponsored results that may include malicious ads. While these tools are not foolproof, they can be an additional barrier against deceptive advertisements that mimic legitimate services.

Stay Informed:

Awareness is a powerful tool against cyber threats. End users should stay updated on the latest security news and advisories from trusted sources. Regularly reviewing updates on phishing scams, fraudulent activities, and security best practices can enhance one’s ability to recognize and avoid potential threats.

Exercise Caution on Mobile Devices:

Given the higher incidence of these attacks on mobile devices, users should exercise extra care when browsing smartphones or tablets. They should scrutinize URLs and use mobile security tools that provide real-time warnings when navigating potentially unsafe sites.

Future Outlook and the Need for Unified Standards

The current incident is more than an isolated event—it is indicative of a broader trend in which attackers continuously evolve their strategies to exploit technical vulnerabilities and human behavior. The dual exploitation of Google’s ad policies and PayPal’s merchant tools is a wake-up call for all stakeholders in the digital ecosystem.

Moving forward, there is an urgent need for unified anti-abuse standards that can be applied across Software as a Service (SaaS) platforms. Such standards help ensure that features designed for ease of use and business efficiency are not repurposed for malicious intent. By fostering collaboration among industry leaders, regulators, and security experts, a more cohesive and robust framework can be established to preempt and neutralize these emerging threats.

Both Google and PayPal have taken steps to address the vulnerabilities exploited in this campaign. However, the sophistication of the attack and the dynamic nature of cyber threats means that security measures must be continually reassessed and updated. Shortly, we expect to see further integration of advanced machine-learning techniques and real-time analytics across digital platforms to identify and thwart malicious activities more effectively.

Moreover, as parallel campaigns exploit other popular infrastructures—such as YouTube and Gmail—the need for cross-platform collaboration becomes even more pronounced. A unified approach to cybersecurity, which spans multiple digital services, could drastically reduce the risk of similar attacks in the future.

Conclusion

The coordinated campaign exploiting vulnerabilities in Google’s advertising ecosystem and PayPal’s merchant tools is a stark reminder of the evolving threat landscape. By weaponizing legitimate platform features, attackers find innovative ways to bypass traditional security measures and deceive users into disclosing sensitive information. The sophistication of the attack—ranging from the exploitation of policy loopholes to the abuse of trusted digital infrastructure—underscores the necessity for enterprises and individual users to remain vigilant.

For businesses, this incident serves as a call to action to enhance transaction monitoring, adopt robust authentication methods, and regularly audit security protocols. For end users, it is a reminder to verify information independently, utilize trusted resources, and stay informed about the latest security developments.

Ultimately, the success of these defensive measures depends on a concerted effort from all stakeholders. As attackers continue to innovate, so too must the strategies employed by security professionals. Developing unified, cross-platform security standards is the key to neutralizing these emerging threats and ensuring a safer digital environment for everyone.

In a world where trust is both a currency and a vulnerability, understanding the mechanics of these attacks and taking proactive steps is not just advisable—it is essential. Through continuous innovation, collaboration, and education, we can begin to close the gaps exploited by cybercriminals and build a more resilient digital future.

By staying informed and adopting a multi-layered security approach, enterprises and individual users can reduce their exposure to these increasingly sophisticated attacks. The path forward lies in technological advancements, robust policy enforcement, and a vigilant user base. Only then can we hope to stay one step ahead in the never-ending battle against cybercrime?

For more:

https://cybersecuritynews.com/hackers-abused-google-and-paypals-infrastructure/