1Campaign cloaking service helps malicious Google Ads evade detection

A report from Varonis says a cloaking service called 1Campaign helps operators run malicious Google Ads that pass automated screening and remain online for at least three years, with one observed campaign blocking 99.4% of visitors and redirecting about 0.6% to attacker pages.

KEY FACTS

  • Incident: 1Campaign cloaking service runs malicious Google Ads
  • Operator: Developer using the name ‘DuppyMeister’
  • Active: At least three years
  • Filtering: One campaign blocked 99.4% of visitors and delivered 0.6%

The platform provides a dashboard that lets customers set campaign parameters and launch ads. It includes a Google Ads launcher tool the developer says can help bypass policy limits and impersonate legitimate brands.

The system filters visitors in real time by geography, internet service provider, device characteristics and other signals. It assigns each visitor a fraud risk score from 0 to 100 based on checks for cloud providers, data centers, VPNs and security vendors.

Traffic attributed to the operation was observed in the United States, Canada, the Netherlands, China, Germany, France, Japan, Hungary and Albania. Operators can concentrate lures on regions where they are relevant while excluding countries with more security scrutiny.

Static URL scanning is less effective against this cloaking. Recommended detection steps include using realistic browser fingerprints and rotating through diverse IP pools and user-agent configurations. Users are advised to avoid promoted search results, bookmark official distribution channels and check URLs before entering credentials.
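
The multi-profile approach above can be turned into a differential check: request the same ad URL from several scanning profiles and flag ads whose landing page differs between them. The sketch below is an added example, not code from the Varonis report; the record fields, the `.example` hosts and the sample observations are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: what each scanning profile received for an ad click URL.
# All hosts are reserved .example names; bodies are placeholders.
OBSERVATIONS = [
    {"ad": "https://ad.example/click?id=1", "network": "datacenter", "ua": "headless", "country": "US", "final_host": "blog.example", "body": "<h1>Recipes</h1>"},
    {"ad": "https://ad.example/click?id=1", "network": "datacenter", "ua": "desktop", "country": "US", "final_host": "blog.example", "body": "<h1>Recipes</h1>"},
    {"ad": "https://ad.example/click?id=1", "network": "residential", "ua": "desktop", "country": "US", "final_host": "login-portal.example", "body": "<form>Sign in</form>"},
    {"ad": "https://ad.example/click?id=1", "network": "residential", "ua": "desktop", "country": "NL", "final_host": "login-portal.example", "body": "<form>Sign in</form>"},
    {"ad": "https://ad.example/click?id=2", "network": "datacenter", "ua": "headless", "country": "US", "final_host": "shop.example", "body": "<h1>Shop</h1>"},
    {"ad": "https://ad.example/click?id=2", "network": "residential", "ua": "desktop", "country": "NL", "final_host": "shop.example", "body": "<h1>Shop</h1>"},
]

def fingerprint(obs):
    """Identify a served variant by landing host plus a hash of the body."""
    # A raw body hash is crude: real pages need normalization (timestamps, nonces).
    digest = hashlib.sha256(obs["body"].encode()).hexdigest()[:16]
    return (obs["final_host"], digest)

def detect_cloaking(observations):
    """Return {ad_url: finding} for ads that served different content to different profiles."""
    by_ad = defaultdict(list)
    for obs in observations:
        by_ad[obs["ad"]].append(obs)
    findings = {}
    for ad, group in by_ad.items():
        variants = defaultdict(list)
        for obs in group:
            variants[fingerprint(obs)].append(obs)
        if len(variants) < 2:
            continue  # every profile saw the same page
        # Profile attributes whose value alone predicts which variant was served.
        split_on = []
        for attr in ("network", "ua", "country"):
            seen = defaultdict(set)
            for fp, members in variants.items():
                for obs in members:
                    seen[obs[attr]].add(fp)
            if len(seen) > 1 and all(len(fps) == 1 for fps in seen.values()):
                split_on.append(attr)
        findings[ad] = {"hosts": sorted({fp[0] for fp in variants}), "split_on": split_on}
    return findings

if __name__ == "__main__":
    for ad, finding in detect_cloaking(OBSERVATIONS).items():
        print(ad, finding)
```

A divergence is a lead for manual review rather than a verdict, since legitimate sites also localize or personalize content by region and device.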

WHY IT MATTERS

Cloaking that bypasses automated ad screening can extend the lifetime of fraudulent campaigns and increase the chance that promoted search results deliver phishing or malware. The techniques used make static scanners less effective and raise the need for stronger analysis and user caution.