Google and PayPal

Security researchers have uncovered a coordinated attack campaign exploiting vulnerabilities in Google’s advertising ecosystem and PayPal’s merchant tools to steal sensitive user data. 

The operation leverages Google Search ads impersonating PayPal’s official support channels and abuses PayPal’s no-code checkout system (paypal.com/ncp/payment/[unique ID]) to create fraudulent payment pages. 

This multi-layered attack chain bypasses traditional phishing detection mechanisms by weaponizing legitimate platform features, marking a significant escalation in social engineering tactics.


Google Ads and PayPal Phishing

The campaign begins with threat actors deploying Google Search ads that mimic PayPal’s branding, including replicated logos and meta descriptions. 

By exploiting a policy gap in Google’s Misleading Ad Design policy—which permits ads as long as the display URL and landing page share the same root domain—attackers direct users to subdomains under paypal.com. 

These domains host malicious pay links generated via PayPal’s no-code checkout, a legitimate tool designed for small businesses to create payment forms without coding expertise.

The fraudulent pages, while technically hosted on PayPal’s infrastructure, include customized fields prompting users to call spoofed customer support numbers. 

no-code checkout abuse

Mobile users are disproportionately affected due to screen size constraints that hide browser address bars after navigation. 

A 2025 Malwarebytes analysis found that 78% of victims encountered these ads on smartphones, where the paypal.com/ncp/payment/ URL structure and TLS certificates lent false legitimacy to the pages.

Infrastructure Abuse and Policy Loopholes

Google’s January 2025 ad policy updates, which introduced AI-powered landing page quality models, failed to flag these malicious pages due to their hybrid structure. 

The attackers’ pages technically complied with Google’s Site Reputation Abuse policy by hosting content on PayPal’s domain, despite containing fraudulent contact information. 

Meanwhile, PayPal’s no-code system lacked algorithmic checks for anomalous payloads in payment form text fields, allowing attackers to insert social engineering lures directly into transaction flows.

PayPal has temporarily disabled custom text fields in no-code checkout pages as of February 25, 2025, while implementing real-time natural language processing to detect fraudulent support numbers. 

Google, facing criticism over delayed ad policy enforcement, has accelerated its prediction model training using adversarial machine learning to detect domain reputation hijacking.

“Input sanitization at the level of validators.url(public=True) isn’t sufficient when attackers operate within allowed parameters”.

Recommendations for Enterprises and Users

Organizations accepting PayPal payments should:

  • Monitor transactions for payloads containing phone numbers or unusual text strings
  • Implement cross-channel user verification via OAuth 2.0 before processing support requests
  • Deploy client-side URL validation using libraries like Python’s validators package with strict public IP checks
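A minimal form of the first and third recommendations, added here as an example and not code from the article, PayPal or Google: it uses only the Python standard library (in place of the validators package), and the checkout records, phone pattern and lure vocabulary are constructed for illustration. The point it shows is that the URL check passes for both records, because the pages really are on paypal.com, so only inspection of the free-text field separates the lure from a genuine invoice.

```python
import re
from urllib.parse import urlsplit

# Phone pattern covering common North American and international layouts (constructed)
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Words typical of "call our support line" lures; a constructed list, not from the article
LURE_TERMS = ("call", "support", "helpline", "customer service", "toll free", "agent", "refund")

def scan_payment_text(text: str) -> dict:
    """Flag a checkout text field that carries a phone number together with a call-support lure."""
    phones = [m.group(0) for m in PHONE_RE.finditer(text)]
    lowered = text.lower()
    lures = [t for t in LURE_TERMS if re.search(rf"\b{re.escape(t)}\b", lowered)]
    return {"phones": phones, "lures": lures, "suspicious": bool(phones) and bool(lures)}

def is_ncp_payment_url(url: str) -> bool:
    """True only for an https URL on paypal.com (or a subdomain) with a /ncp/payment/<id> path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False
    if not (host == "paypal.com" or host.endswith(".paypal.com")):
        return False  # rejects lookalikes such as paypal.com.evil.example
    return re.fullmatch(r"/ncp/payment/[A-Za-z0-9]+", parts.path) is not None

# Constructed sample checkout records; the IDs and number are placeholders, not real pay links
SAMPLE_CHECKOUTS = [
    {"url": "https://www.paypal.com/ncp/payment/EXAMPLEID1",
     "memo": "Invoice #4471 - web design services"},
    {"url": "https://www.paypal.com/ncp/payment/EXAMPLEID2",
     "memo": "Unauthorized charge detected. Call PayPal Support now at +1 (800) 555-0199 to cancel"},
]

def triage(records: list) -> list:
    """Combine the URL structure check with the text-field scan for each record."""
    results = []
    for rec in records:
        finding = scan_payment_text(rec["memo"])
        results.append({"url": rec["url"], "url_ok": is_ncp_payment_url(rec["url"]), **finding})
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_CHECKOUTS):
        print(row)
```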

End users are advised to:

  • Avoid calling support numbers embedded in payment forms
  • Bookmark official PayPal portals instead of searching via Google
  • Install ad-blocking extensions that filter sponsored results

As of publication, Google has removed 63% of identified malicious ads under its updated Site Reputation Abuse policy, but parallel campaigns exploiting YouTube and Gmail infrastructure suggest this attack methodology will proliferate across platforms.

The incident underscores the urgent need for unified anti-abuse standards across SaaS ecosystems.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.