Ahrefs impersonation and Google Ads hijacking: what teams need


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Attackers are using malvertising that impersonates Ahrefs on Google Search to push AITM phishing pages that steal Google accounts and sessions, expanding a campaign already seen against ad manager users, according to Push Security. The real problem is that ad manager identities are also enterprise access paths, so browser-based interception is now an identity control issue, not just a phishing problem.

NHIMG editorial — based on content published by Push Security: Ahrefs impersonation attacks and Google Ads hijacking analysis

By the numbers:

Questions worth separating out

Q: What breaks when ad manager accounts are treated as low-risk marketing access?

A: What breaks is the assumption that compromise stays inside the ad platform.

Q: Why do search-delivered phishing attacks bypass so many controls?

A: They bypass controls because the user is redirected in the browser, not through email.

Q: How do security teams know if account linking is creating hidden identity risk?

A: Look for login flows where one email address can recover or re-open access across multiple identity providers without a fresh assurance step.

Practitioner guidance

  • Classify ad manager accounts as privileged identities. Inventory Google Ads, Ad Manager, and MCC accounts as high-risk identities, then map every connected Workspace and SSO-enabled application those accounts can reach.
  • Deploy browser-time phishing interception. Use controls that inspect the rendered page and user action in real time, because search-delivered phishing often bypasses email filters and gateway inspection.
  • Reduce account-linking exposure. Review whether email-based account matching or new-login-method recovery paths allow a compromised Google identity to reach other applications without fresh verification.

What's in the full analysis

Push Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Exact indicators of compromise from the Ahrefs and Semrush impersonation chain
  • Screenshots and attack-flow evidence showing how the fake Google sign-in page captures the session
  • Additional domain patterns, hosting infrastructure, and update details for defenders tracking active campaigns
  • Browser-side detection and blocking behaviour used to stop the attack in real time

👉 Read Push Security's analysis of Ahrefs impersonation and Google Ads hijacking →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Browser-mediated identity attacks have become an enterprise access problem, not a phishing problem. The campaign works because the browser is now the execution point where identity is resolved, sessions are minted, and downstream access is inherited. Email controls do not see the path, and network controls often see only legitimate hosting or search traffic. Practitioners should treat browser session control as part of identity governance, not a separate security layer.

A few things that frame the scale:

  • 3 in 5 apps also allow you to access an account using a new login method without doing any further verification checks, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how fast access paths can outgrow oversight.

A question worth separating out:

Q: Should organisations rely on MFA alone against AITM phishing?

A: No. MFA can be completed inside an AITM phishing page, which means the attacker may still capture a valid session after the user authenticates. Organisations need controls that stop session theft at the browser, validate abnormal login context, and limit what a newly minted session can access.

👉 Read our full editorial: Ahrefs impersonation attacks expose ad-manager identity risk



   