Date: 2025-11-25

Can you imagine managing hundreds of clients in your Google Ads Manager Account (MCC) and having it hijacked? Or having your Google Account and your ad campaigns hijacked due to an MCC hijack? Well, this stuff happens and it can be incredibly scary and painful.

Craig Skalko posted on LinkedIn that his "company's entire Google Ads MCC was hijacked at 12:30 am." He added that he had two-factor on his account and is not sure how something like this can happen.

He wrote:

Neither I nor anyone on my team can access it, or any of our accounts. We received emails of an unknown administrative user being added. This person then linked their own MCC to many of our accounts. That's all we know. We have 2FA enabled on all accounts. No idea how this happened. Is there anyone who has dealt with this and can help?

I have heard of this happening on and off throughout the past year. Almost all of these folks said they have two-factor set up and they don't know how this happened.

The suspicion is that the account is taken over through a phishing email that looks like you are giving access to your account through legitimate means, but it is really a fake.

Alex Sanivsky responded that he got one of these attempts and shared the fake email. He wrote:

See the email address? Looks like access is sent from Google, but it's not. If your team had asked for access from someone who was reaching out to you to audit their account, and they sent you something like this, when you click "accept," it goes to the "continue page" that looks exactly like Google's, but has a different URL - you click continue and then it asks you to log in to your Google account (even though you're logged in) - you enter the credentials of the account you have access to your MCC and then there you go, if you did they now received your credentials (but you are saying you had 2-step, so not sure). This is something I had a few weeks ago - they are getting smarter...

Here is the email:

If you look at the thread on LinkedIn, you will see tons of comments from concerned advertisers. Plus, you will see others who had the same issue.

What likely happens when they take over your account is that they put up a bunch of ads that lead to malware or other phishing attempts. They spend down your budgets and limits and put your whole account at risk.

Here is another recent thread on the Google Ads Forums with a similar situation and this post from Ben A. on LinkedIn. There are plenty of these threads over the past year with these complaints, too many for me to link to, but here are some on Reddit (more here). Even AdExchanger wrote this up 10 months ago.

I will say, Ginny Marvin, the Google Ads Liaison, did reply "Hi Craig, I've followed up via DM." But that was almost 10 hours after he posted.

What a nightmare, and I have a feeling this is not such an uncommon issue for advertisers. The scarier part is: what if someone gains access and is able to run ads without you even noticing, for weeks, months or longer? I am not sure if that is happening to anyone, but this is just a scary situation.

I asked Craig for an update last night, 16 hours after he first posted about the situation. He told me it was still not resolved by that point. He wrote:

1. We've submitted support tickets and filled out the Compromised Account form, as have several of our clients who own their own sub-MCCs beneath our parent MCC. One of them has received notice that they will hear something by Dec 2nd, so we are all lobbying to expedite. Unfortunately another client was told that there was no fraudulent activity in their account, despite all the proof being presented, so we are unsure what they should do.

2. We've seen several screenshots from clients and a Google rep who could see some things in at least some accounts. The hackers are fraudulently running campaigns in the existing accounts and racking up tens of thousands in ad spend in the last 24 hours alone.

3. I've cancelled all company credit cards and also delinked our bank from our monthly payments profile; however, there are still charges accruing and I honestly don't know how to stop that at this point.

Google does have this help document named "What to do if your account is compromised," but if this is an MCC account, I don't think it stops the ad spend.

Just a week or so ago, Google Ads representative Adesh posted a thread in the Google Ads help forum named "Best Practices to Keep Your Account Secure." I wonder why? It says:

"Google has evidence that bad actors are using phishing emails and other tactics to steal login credentials. With the busy holiday season coming up, we encourage you to review common hijacking tactics, and implement the following protective measures to further safeguard your accounts:

Phishing Attempts: Stay vigilant for common red flags including unsolicited emails or messages, especially from suspicious or unknown senders, that ask for your login credentials; campaigns using phony Google job offers & training courses have been used to trick unsuspecting users.

Dormant accounts: Delete inactive/dormant accounts (that are ripe for hijacking) and delete any users who no longer need access to the account (e.g. users who have left your company). Conduct regular audits.

Logins from new or unrecognized devices: these can be an indicator that a hijacking has occurred.

New users and Google ads accounts added to MCCs: this activity is common following a hijacking.

If you notice unfamiliar activity or think your accounts may have been hijacked, you should follow the steps on this Help Center page to help spot suspicious activity, recover your account, and make it more secure.

For enhanced security, consider the following:

Enable Two Factor Authentication (2FA): Also known as MFA or 2SV, this adds an extra layer of security by requiring a second form of verification. See Help Center page.

Thank you for keeping the Google Ads ecosystem safe!

Google Ads Community Team"

I am not 100% sure how these scammers are gaining access, but I do think if one of the account holders falls for the phishing attempt, it obviously gives them the keys to access all the accounts under the MCC.

Forum discussion at LinkedIn.