
Google Ad Manager account takeovers: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Attackers are targeting Google Ad Manager accounts to run malvertising, ad fraud, account resale, and extortion schemes, while also using hijacked accounts to reach broader SSO-linked services and monetise existing ad spend, according to Push Security. The security gap is not just phishing resistance, but browser-level identity protection for high-value commercial accounts.

NHIMG editorial — based on content published by Push Security: Attackers are going out of their way to target Google Ad Manager accounts

By the numbers:

Questions worth separating out

Q: How should security teams reduce the risk of Google Ad Manager account takeover?

A: Treat ad accounts as privileged identities, not marketing-only logins.

Q: Why do compromised ad accounts create more risk than simple ad fraud?

A: Because the account already carries trust, spend authority, and often downstream access through SSO.

Q: What breaks when marketing identities are excluded from identity governance?

A: The organisation loses visibility into accounts that can publish, spend, and federate into other systems.

Practitioner guidance

  • Map ad accounts to downstream identity reach: inventory every Google Ad Manager, MCC, and related marketing identity, then document which SSO-connected apps, billing flows, and publisher accounts each one can reach.
  • Monitor campaign changes as identity events: alert on new campaigns, destination edits, billing changes, and unusual spend spikes as security events, not only as marketing operations changes.
  • Add browser-layer detection for malvertising paths: use controls that can inspect the user session, page destination, and post-click behaviour, because email-only and endpoint-only controls do not reliably see search-delivered phishing.
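As an added example (not from the Push Security article or this post), the second guidance item above can be expressed as a small detection pass over an ad account's change history: billing and destination changes, new campaigns and off-hours activity become alerts with a severity, and daily spend is checked against a rolling median baseline for spikes. The event schema, the owned-domain list, the working-hours window and every sample record are constructed assumptions for illustration, not Google's real change-history format or API.

```python
"""Treat ad-account change history as identity telemetry (added example).

The event format, domains and spend figures below are constructed for
illustration; they are not Google's real change-history schema.
"""
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

# Assumption: domains the organisation legitimately sends ad traffic to.
OWNED_DOMAINS = {"example.com", "www.example.com"}

# Actions that change what an account can publish or spend, or who controls
# it. Values are baseline severities; context below may escalate them.
WATCHED_ACTIONS = {
    "billing.payment_method_update": "high",
    "billing.contact_update": "high",
    "user.invite": "high",
    "campaign.create": "medium",
    "ad.destination_update": "low",
}

# Constructed sample change-history records (hypothetical schema).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "actor": "mkt-lead@example.com",
     "action": "campaign.create", "detail": "Spring promo"},
    {"ts": "2024-05-01T09:05:00", "actor": "mkt-lead@example.com",
     "action": "ad.destination_update", "detail": "https://www.example.com/offer"},
    {"ts": "2024-05-01T11:00:00", "actor": "mkt-lead@example.com",
     "action": "report.view", "detail": "weekly performance"},
    {"ts": "2024-05-01T23:40:00", "actor": "mkt-lead@example.com",
     "action": "billing.payment_method_update", "detail": "card ending 0000"},
    {"ts": "2024-05-02T00:10:00", "actor": "mkt-lead@example.com",
     "action": "ad.destination_update", "detail": "https://login-examp1e.invalid/ads"},
    {"ts": "2024-05-02T00:12:00", "actor": "mkt-lead@example.com",
     "action": "campaign.create", "detail": "Brand search"},
]

# Constructed daily spend in account currency, keyed by ISO date.
SAMPLE_DAILY_SPEND = {
    "2024-04-25": 110, "2024-04-26": 95, "2024-04-27": 130, "2024-04-28": 105,
    "2024-04-29": 120, "2024-04-30": 100, "2024-05-01": 115, "2024-05-02": 2400,
}


def is_off_hours(ts: str, start: int = 7, end: int = 20) -> bool:
    """True if the change happened outside the assumed 07:00-20:00 working window."""
    hour = datetime.fromisoformat(ts).hour
    return hour < start or hour >= end


def triage_events(events, owned_domains=OWNED_DOMAINS):
    """Return one alert per watched action, escalated by destination and timing.

    Routine actions (reporting, read-only views) are skipped; a destination
    pointing outside the owned domains or any change made off-hours is high.
    """
    alerts = []
    for ev in events:
        severity = WATCHED_ACTIONS.get(ev["action"])
        if severity is None:
            continue  # routine marketing operation, not an identity event
        reasons = [ev["action"]]
        if ev["action"] == "ad.destination_update":
            host = urlparse(ev["detail"]).hostname or ""
            if host not in owned_domains:
                severity = "high"
                reasons.append(f"destination host {host!r} not in owned domains")
        if is_off_hours(ev["ts"]):
            severity = "high"
            reasons.append("change made outside working hours")
        alerts.append({"ts": ev["ts"], "actor": ev["actor"],
                       "severity": severity, "reasons": reasons})
    return alerts


def spend_spikes(daily_spend, factor: float = 3.0, min_history: int = 5):
    """Flag days whose spend exceeds `factor` times the median of all prior days."""
    spikes, history = [], []
    for day in sorted(daily_spend):
        spend = daily_spend[day]
        if len(history) >= min_history:
            baseline = median(history)
            if spend > factor * baseline:
                spikes.append({"date": day, "spend": spend, "baseline": baseline})
        history.append(spend)
    return spikes


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["ts"], alert["actor"], "; ".join(alert["reasons"]))
    for spike in spend_spikes(SAMPLE_DAILY_SPEND):
        print("SPEND SPIKE", spike)
```

On the constructed sample, the daytime campaign creation and the destination edit to an owned domain stay at medium and low, while the late-night billing change, the destination edit to an unowned host and the midnight campaign creation are all raised to high; the spend check flags only the final day against a baseline median of 110. In a real deployment the working-hours window, owned-domain list and spike factor would be tuned per account, and the alerts would be forwarded to the same queue as other identity events rather than to marketing operations.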

What's in the full article

Push Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Examples of Google Ads and Calendly-themed lure chains used against marketing teams
  • Attack path detail for malvertising, including AITM phishing, infostealers, ClickFix, and ConsentFix
  • Ad fraud and account resale mechanics, including how budgets are abused and accounts are sold
  • Discussion of browser-only detection implications for teams defending against search-delivered attacks

👉 Read Push Security's analysis of Google Ad Manager account takeovers and malvertising →
