Cybercriminals Use 1Campaign to Bypass Google Ads Screening, Deploying Malicious Advertisements

A newly discovered cloaking platform, 1Campaign, is enabling cybercriminals to circumvent Google’s ad review processes, facilitating the dissemination of malicious advertisements that pose significant risks to users, including phishing scams and cryptocurrency theft.

Google Ads is a widely trusted online advertising network, with millions of users clicking on sponsored search results daily, expecting to be directed to legitimate businesses. Historically, attackers have attempted to exploit this trust by placing harmful ads; however, Google’s stringent screening processes have typically thwarted such efforts. The emergence of 1Campaign is now undermining these defenses.

Designed specifically to bypass Google’s ad review workflow, 1Campaign allows threat actors to run fraudulent campaigns that include phishing pages, counterfeit software downloads, and cryptocurrency drainer sites without detection. The platform’s developer, known by the alias DuppyMeister, has maintained 1Campaign for over three years, offering dedicated support through Telegram channels.

1Campaign integrates real-time visitor filtering, fraud scoring, geographic targeting, and a bot guard script generator into a single dashboard. This comprehensive suite of tools makes it accessible even to attackers with minimal technical expertise, thereby lowering the barrier for large-scale ad fraud.

Researchers at Varonis have analyzed 1Campaign, revealing its sophisticated engineering designed to evade security teams. The platform’s core function is cloaking—presenting a benign white page to ad reviewers and automated scanners while redirecting real visitors to attacker-controlled phishing or scam pages. As a result, Google’s reviewers see only the clean version, allowing the malicious ad to pass inspection and remain active until victims report it or the campaign is manually flagged.

The impact of 1Campaign is already evident. In one analyzed campaign named Blockbyblockchain, targeting the domain bitcoinhorizon.pro, the platform processed 1,676 visitors, approving only 10—a mere 0.6% pass rate. The dashboard indicated 4,300 total visitors, with 99.2% blocked, highlighting the platform’s aggressive filtering of security infrastructure.

How 1Campaign Filters and Targets Its Victims

A key feature of 1Campaign is its real-time visitor filtering and fraud scoring engine. Upon landing on a cloaked page, each visitor is assigned a fraud score ranging from 0 to 100. Traffic from entities such as Microsoft Corporation, Google, Tencent Cloud Computing, and OVH Hosting is automatically blocked, even if scores are low, as the system identifies these IP ranges as automated scanners based on their ISP and network identifiers.

The filtering operates across multiple layers:

– IP Reputation Checks: Against known data centers and VPN exit nodes.

– Device Fingerprinting: To detect headless browsers and automation tools.

– Behavioral Signals: Such as unusually fast page loads or missing JavaScript execution.

Visitors triggering any of these checks are silently redirected to the benign white page, keeping the attacker’s content hidden from security teams.

Geographic and device targeting further enhance precision. Operators can restrict campaigns to specific countries and device types, focusing on regions where phishing content is most effective while filtering out traffic from areas common to security researchers. Observed traffic has originated from the United States, Netherlands, Canada, China, Germany, France, Hungary, Albania, and Japan.

For ad placement, 1Campaign includes a built-in Google Ads launcher that assists operators in deploying both malicious and clean campaigns simultaneously. The developer claims this feature bypasses Google Ads policy restrictions, allowing operators to use any branding or wording, including impersonating legitimate businesses.

Implications and Recommendations

The emergence of 1Campaign underscores the evolving tactics of cybercriminals who exploit trusted platforms to conduct malicious activities. Security teams should recognize that static URL scanning is unreliable against cloaked infrastructure. Effective detection requires tools that emulate genuine human browser behavior, rotate IP addresses, and engage with forms and authentication prompts that cloakers use to screen out scanners.
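One way a security team can act on this recommendation against the multi-layer filtering described above, as an added example (not code from Varonis or from 1Campaign): fetch the sponsored landing URL once under a profile that looks like a datacenter scanner and once under a human-like browser session, then compare where each fetch ended up and what it showed. The fetches below are constructed captures, `ad-landing.example` is a placeholder host, and the final host of the human-profile fetch is the IoC domain the write-up names.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlparse

KNOWN_IOC_DOMAINS = {"bitcoinhorizon.pro"}  # named in the write-up; extend with your own feed


@dataclass
class FetchResult:
    """One captured fetch of the ad URL (redirects already followed; no live network here)."""
    final_url: str
    body: str


def visible_text(html: str) -> str:
    """Strip tags and collapse whitespace so shared markup does not inflate similarity."""
    return " ".join(re.sub(r"<[^>]+>", " ", html).split())


def host_matches_ioc(host: str, iocs=KNOWN_IOC_DOMAINS) -> bool:
    """Match the IoC domain or its subdomains, never bare substrings."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in iocs)


def cloaking_signals(scanner: FetchResult, human: FetchResult, sim_threshold: float = 0.5) -> dict:
    """Compare a scanner-profile fetch with a human-profile fetch of the same ad URL.
    The verdict needs both a different final host and diverged visible text, so
    geo-localised copy or an A/B test on a legitimate site does not trip it alone."""
    scan_host = urlparse(scanner.final_url).netloc.lower()
    human_host = urlparse(human.final_url).netloc.lower()
    similarity = SequenceMatcher(None, visible_text(scanner.body), visible_text(human.body)).ratio()
    return {
        "final_host_differs": scan_host != human_host,
        "content_similarity": round(similarity, 3),
        "human_final_host_is_ioc": host_matches_ioc(human_host),
        "cloaked": scan_host != human_host and similarity < sim_threshold,
    }


# Constructed sample: scanner profile (cloud egress, no JS) gets the white page, the human-like
# profile is sent on to the real page. First host is a placeholder, second is the write-up's IoC.
SCANNER_FETCH = FetchResult("https://ad-landing.example/",
                            "<html><body><h1>Our Bakery</h1><p>Fresh bread daily.</p></body></html>")
HUMAN_FETCH = FetchResult("https://bitcoinhorizon.pro/",
                          "<html><body><h1>Connect wallet</h1><p>Enter recovery phrase</p></body></html>")

if __name__ == "__main__":
    print(cloaking_signals(SCANNER_FETCH, HUMAN_FETCH))
```

The two profiles should differ in exactly the layers the cloaker checks (egress network reputation, headless and automation fingerprints, JavaScript execution and load timing); a live scanner that varies only the User-Agent will still be served the white page under both profiles and report nothing.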

Individual users are advised to verify URLs before clicking on sponsored results, avoid downloading software through ad links, and promptly report suspicious Google Ads. Organizations should flag confirmed phishing indicators of compromise, such as the domain bitcoinhorizon.pro, which is directly linked to active 1Campaign operations.

By staying vigilant and implementing robust security measures, both users and organizations can mitigate the risks posed by sophisticated platforms like 1Campaign.