Ahrefs impersonation and Google Ads hijacking: what teams need


(@nhi-mgmt-group)

TL;DR: Attackers are using malvertising that impersonates Ahrefs on Google Search to push AITM phishing pages that steal Google accounts and sessions, expanding a campaign already seen against ad manager users, according to Push Security. The real problem is that ad manager identities are also enterprise access paths, so browser-based interception is now an identity control issue, not just a phishing problem.

NHIMG editorial — based on content published by Push Security: Ahrefs impersonation attacks and Google Ads hijacking analysis

By the numbers:

Questions worth separating out

Q: What breaks when ad manager accounts are treated as low-risk marketing access?

A: What breaks is the assumption that compromise stays inside the ad platform.

Q: Why do search-delivered phishing attacks bypass so many controls?

A: They bypass controls because the user is redirected in the browser, not through email.

Q: How do security teams know if account linking is creating hidden identity risk?

A: Look for login flows where one email address can recover or re-open access across multiple identity providers without a fresh assurance step.

Practitioner guidance

  • Classify ad manager accounts as privileged identities: Inventory Google Ads, Ad Manager, and MCC accounts as high-risk identities, then map every connected Workspace and SSO-enabled application those accounts can reach.
  • Deploy browser-time phishing interception: Use controls that inspect the rendered page and user action in real time, because search-delivered phishing often bypasses email filters and gateway inspection.
  • Reduce account-linking exposure: Review whether email-based account matching or new-login-method recovery paths allow a compromised Google identity to reach other applications without fresh verification.

What's in the full analysis

Push Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Exact indicators of compromise from the Ahrefs and Semrush impersonation chain
  • Screenshots and attack-flow evidence showing how the fake Google sign-in page captures the session
  • Additional domain patterns, hosting infrastructure, and update details for defenders tracking active campaigns
  • Browser-side detection and blocking behaviour used to stop the attack in real time

👉 Read Push Security's analysis of Ahrefs impersonation and Google Ads hijacking →
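
The account-linking review described in the third Q&A answer and the "Reduce account-linking exposure" item, as an added example that is not from Push Security or the original post: it walks an application inventory and reports which apps a compromised Google identity belonging to an ad manager user could open, separating direct Google sign-in from silent linking by email. The schema (`App`, `Account`, their field names) and every record are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical inventory schema; every record below is constructed sample data.
@dataclass(frozen=True)
class App:
    name: str
    login_methods: frozenset         # methods the app accepts
    links_on_email_match: bool       # new login method attaches to an account by email
    fresh_check_on_new_method: bool  # app re-verifies the user before attaching it

@dataclass(frozen=True)
class Account:
    email: str
    app: str
    enrolled_method: str             # method this user signs in with today

def linking_exposure(ad_manager_emails, apps, accounts):
    """Return sorted (email, app, reason) for apps a stolen Google session can open."""
    by_name = {a.name: a for a in apps}
    findings = []
    for acct in accounts:
        app = by_name[acct.app]
        if acct.email not in ad_manager_emails or "google" not in app.login_methods:
            continue
        if acct.enrolled_method == "google":
            findings.append((acct.email, app.name, "direct: signs in with Google"))
        elif app.links_on_email_match and not app.fresh_check_on_new_method:
            findings.append((acct.email, app.name,
                             "hidden: Google login links by email, no fresh check"))
    return sorted(findings)

APPS = [
    App("crm", frozenset({"password", "google"}), True, False),
    App("design", frozenset({"password", "google"}), True, True),
    App("payroll", frozenset({"saml"}), False, True),
    App("wiki", frozenset({"google", "saml"}), False, True),
]
ACCOUNTS = [
    Account("ads-lead@example.com", "crm", "password"),
    Account("ads-lead@example.com", "design", "password"),
    Account("ads-lead@example.com", "payroll", "saml"),
    Account("ads-lead@example.com", "wiki", "google"),
    Account("dev@example.com", "crm", "password"),
]

if __name__ == "__main__":
    for email, app, reason in linking_exposure({"ads-lead@example.com"}, APPS, ACCOUNTS):
        print(f"{email} -> {app}: {reason}")
```

The "hidden" rows are the ones the inventory alone would not reveal: the user never chose Google sign-in for that app, yet the app would accept it for their existing account.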
