A newly identified cybercrime service known as 1Campaign is enabling threat actors to run malicious Google Ads that remain online for extended periods while evading scrutiny from security researchers.

1Campaign is a cloaking service that passes Google’s screening process and shows malicious content only to real potential victims. Security researchers and automated scanners are served benign white pages.

The operation has been active for at least three years and is managed by a developer using the name ‘DuppyMeister,’ according to a report from data security company Varonis.

“The tool passes Google's screening, filters out security researchers, and keeps phishing and crypto drainer pages online for as long as possible, funneling real users to attacker-controlled sites,” the researchers say.

1Campaign provides “customers” with a user-friendly dashboard where they can get an overview of their operations and set the parameters for their campaigns.

The platform can filter visitors in real time, directing traffic to landing pages based on predefined criteria, including geography, internet service provider (ISP), and device characteristics.

The researchers say that this targeted approach allows attackers to concentrate on users in regions where the phishing lure is relevant, while filtering out traffic from countries with a higher likelihood of security scrutiny or scanning activity. 

In one instance, Varonis observed aggressive filtering that blocked 99.4% of 1,676 visitors accessing the malicious ads. This translates into a success rate of just 0.6%, or 10 visitors.

The system evaluates each visitor and assigns a fraud risk score between 0 and 100. This reflects the likelihood of non-genuine visitors, and is derived from checking infrastructure details such as cloud providers, data centers, VPNs, and security vendors.

"Visitors from Microsoft Corporation, Google, Tencent Cloud Computing, OVH Hosting, and other cloud providers are automatically flagged with high fraud scores and blocked," Varonis says in a report today.

Based on IP address ranges, ISP, and behavioral patterns, the system can also determine if the malicious ads are accessed by security scanners.

Varonis has observed traffic linked to 1Campaign being distributed in the United States, Canada, the Netherlands, China, Germany, France, Japan, Hungary, and Albania.

The cybercrime platform also offers a Google Ads launcher tool that helps operators launch both malicious and benign campaigns. The developer claims that this tool enables bypassing Google’s policy limitations and impersonating legitimate brands in ads.

Despite Google introducing multiple safeguards, its ad platform is still used to promote fraud, malware, and crypto-drainers. 1Campaign stands out, though, as it is designed specifically to launch malicious ads that pass Google's automatic inspection and likely survive until victims report them or the campaign is reported manually.

Such a cloaking system makes static URL scanning less effective. Varonis says that using realistic browser fingerprints and patterns that mimic human interaction would render better analysis and detection results.

For automated detection, Varonis recommends rotating through a diverse IP pool and user-agent configurations to avoid consistent fingerprinting.

Users are advised to avoid promoted search results, or at least treat them with suspicion, and bookmark official software distribution channels.

Double-checking the URL in the address bar is also recommended before entering account credentials or other sensitive information.