TL;DR: Attackers are targeting Google Ad Manager accounts to run malvertising, ad fraud, account resale, and extortion schemes, while also using hijacked accounts to reach broader SSO-linked services and monetise existing ad spend, according to Push Security. The security gap is not just phishing resistance, but browser-level identity protection for high-value commercial accounts.
NHIMG editorial — based on content published by Push Security: Attackers are going out of their way to target Google Ad Manager accounts
By the numbers:
- 3 in 5 allow you to access an account using a new login method without doing any further verification checks.
Questions worth separating out
Q: How should security teams reduce the risk of Google Ad Manager account takeover?
A: Treat ad accounts as privileged identities, not marketing-only logins.
Q: Why do compromised ad accounts create more risk than simple ad fraud?
A: Because the account already carries trust, spend authority, and often downstream access through SSO.
Q: What breaks when marketing identities are excluded from identity governance?
A: The organisation loses visibility into accounts that can publish, spend, and federate into other systems.
Practitioner guidance
- Map ad accounts to downstream identity reach: Inventory every Google Ad Manager, MCC, and related marketing identity, then document which SSO-connected apps, billing flows, and publisher accounts each one can reach.
- Monitor campaign changes as identity events: Alert on new campaigns, destination edits, billing changes, and unusual spend spikes as security events, not only as marketing operations changes.
- Add browser-layer detection for malvertising paths: Use controls that can inspect the user session, page destination, and post-click behaviour, because email and endpoint-only controls do not reliably see search-delivered phishing.
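As an added example of the second point (not Push Security's or NHIMG's code), the script below treats a change-history log as a stream of identity events: it flags billing changes, destination edits to unapproved domains, campaign creation by an actor with no prior history, and budget jumps above a spike factor. The record layout, actors, domains and thresholds are constructed assumptions, not the real Google Ads change-history schema.

```python
from urllib.parse import urlparse

# Constructed, simplified change-history records (assumed chronological order).
# Field names are an assumption for this example, not the real API schema.
SAMPLE_CHANGES = [
    {"ts": "2024-05-01T09:00", "actor": "alice@example.com", "type": "CAMPAIGN_CREATE", "campaign": "spring"},
    {"ts": "2024-05-01T09:05", "actor": "alice@example.com", "type": "BUDGET_SET", "campaign": "spring", "value": 200.0},
    {"ts": "2024-05-01T09:10", "actor": "alice@example.com", "type": "DESTINATION_EDIT", "campaign": "spring",
     "value": "https://shop.example.com/sale"},
    {"ts": "2024-05-03T02:14", "actor": "mallory@example.net", "type": "CAMPAIGN_CREATE", "campaign": "promo"},
    {"ts": "2024-05-03T02:15", "actor": "mallory@example.net", "type": "DESTINATION_EDIT", "campaign": "promo",
     "value": "https://login-verify.example.org/"},
    {"ts": "2024-05-03T02:16", "actor": "mallory@example.net", "type": "BUDGET_SET", "campaign": "spring", "value": 5000.0},
    {"ts": "2024-05-03T02:20", "actor": "mallory@example.net", "type": "BILLING_CHANGE", "value": "payment method replaced"},
]

ALLOWED_DOMAINS = {"shop.example.com", "www.example.com"}   # assumed allow-list of landing-page hosts
KNOWN_ACTORS = {"alice@example.com"}                         # assumed baseline of legitimate editors


def detect_identity_events(changes, allowed_domains=ALLOWED_DOMAINS,
                           known_actors=KNOWN_ACTORS, spike_factor=3.0):
    """Return (severity, rule, record) tuples for changes that warrant a security alert."""
    alerts = []
    seen_actors = set(known_actors)   # copy so the baseline is not mutated
    budgets = {}                      # campaign -> last known daily budget
    for rec in changes:
        actor, kind = rec["actor"], rec["type"]
        if kind == "BILLING_CHANGE":
            alerts.append(("high", "billing_change", rec))
        elif kind == "DESTINATION_EDIT":
            host = urlparse(rec["value"]).hostname or ""
            if host not in allowed_domains:
                alerts.append(("high", "unapproved_destination", rec))
        elif kind == "CAMPAIGN_CREATE":
            if actor not in seen_actors:
                alerts.append(("medium", "new_actor_campaign", rec))
        elif kind == "BUDGET_SET":
            prev = budgets.get(rec["campaign"])
            if prev is not None and rec["value"] > spike_factor * prev:
                alerts.append(("high", "spend_spike", rec))
            budgets[rec["campaign"]] = rec["value"]
        seen_actors.add(actor)
    return alerts


if __name__ == "__main__":
    for severity, rule, rec in detect_identity_events(SAMPLE_CHANGES):
        print(f"[{severity}] {rule}: {rec['ts']} {rec['actor']} {rec['type']}")
```

In practice the baseline of known actors and the domain allow-list would be fed from the inventory built in the first guidance point, so a campaign edit by an identity outside that inventory is itself the signal.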
What's in the full article
Push Security's full analysis covers the operational detail this post intentionally leaves for the source:
- Examples of Google Ads and Calendly-themed lure chains used against marketing teams
- Attack path detail for malvertising, including AITM phishing, infostealers, ClickFix, and ConsentFix
- Ad fraud and account resale mechanics, including how budgets are abused and accounts are sold
- Discussion of browser-only detection implications for teams defending against search-delivered attacks
👉 Read Push Security's analysis of Google Ad Manager account takeovers and malvertising →
Google Ad Manager account takeovers: what IAM teams need to know
Explore further
High-spend ad accounts are now identity assets, not just marketing assets. The moment an account can move budget, publish content, and inherit trust, it becomes a non-human identity with a real blast radius. That is why compromise of Google Ad Manager accounts is best understood as an access governance failure, not simply a phishing success. Practitioners should treat ad administration as part of the identity security scope.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How can teams tell if browser-based phishing controls are working?
A: They should see fewer successful credential captures from search-delivered lures, faster detection of malicious redirect chains, and lower rates of account abuse after click-through. If malicious ads still reach users and session theft still succeeds, email-first controls are not enough. The control should reduce post-click compromise, not just block known phishing messages.
👉 Read our full editorial: Google Ad Manager account takeovers are powering malvertising scams