Spreading Malware! SEO & Mastering Google Ads

How Hackers get full Private & Unique Malware Logs & Traffic

7 min readOct 14, 2023

Follow XIT on medium & UglyCompany on Telegram for more..

Few Days Back, on May 02 2023, LOBSHOT: A Stealthy, Financial Trojan and Info Stealer delivered through Google Ads. In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging this technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT.

So today in this blog we will learn how these thing works and how hackers are using SEO techniques to serve malwares through Google Ads. Do you know what methods are employed in the field of digital marketing? We will discuss Google AdWords and SEO in this post, with a focus on moral and appropriate use. It’s critical to understand these principles for your own personal development as well as for the safety of your online activities.

1) Hosting, Domain, WordPress

In the world of digital technology, free hosting, cheap domain registration, and free content management systems like WordPress offer fantastic opportunities while having potential misuse of these platforms by individuals with malicious intentions.

Cybercriminals often take advantage of free services to host malicious content, including phishing websites, malware distribution, and illegal content. Free domains, which are easily disposable, are particularly appealing to these individuals, as they can quickly evade detection.

Why are free domains and hosting services popular among malicious users?

Answer: Free services offer anonymity, low overhead, and quick setup, making it easier for malicious users to conduct their activities.

Hackers often exploit vulnerabilities in poorly maintained or outdated WordPress sites. Malware can be injected into websites, affecting both the site’s owner and its visitors. These compromised websites may be used for distributing malicious software, stealing user data, or conducting phishing attacks.

Free Hosting:

  1. 000WebHost
  2. InfinityFree
  3. AwardSpace
  4. Freehosting.com
  5. Byet.Host
  6. FreeHostingEU
  7. FreeWebHostingArea
  8. x10Hosting
  9. 5GBFree
  10. FreeHostingNoAds
  11. FreeHostia
  12. ProFreeHost
  13. Zymic
  14. FreeWebHostingHost
  15. GoogieHost
  16. FreeHosting.io
  17. InfiniteFree
  18. Hostinger Free
  19. AwardNinja
  20. 000WebHostapp

Affordable Domain Registration:

  1. Namecheap
  2. GoDaddy
  3. Name.com
  4. Google Domains
  5. Bluehost
  6. HostGator
  7. DreamHost
  8. iPage
  9. NameSilo
  10. Network Solutions
  11. 1&1 IONOS
  12. HostPapa
  13. Namecheap Domains
  14. HostMonster
  15. Hostwinds
  16. HostMetro
  17. NameKing
  18. NameBright
  19. Dotster
  20. NamePal

2) Keyword / Keyword density — Metadata

Keyword stuffing is the practice of overloading web content with keywords to manipulate search engine rankings.

By doing this, malicious users attempt to improve their content’s visibility in search results, even if it’s not genuinely relevant. As shown below:

Misleading Metadata

Malicious users may provide misleading or false metadata to deceive users and search engines. This can include using deceptive titles, descriptions, and tags that do not accurately represent the content. As shown below:

3) Cloaca

Cloaca” is a term primarily used in the context of cloaking in digital marketing and SEO. Cloaking is a deceptive and unethical practice where the content presented to search engine crawlers is different from what is shown to users. Here’s how it can be maliciously used:

Deceptive Cloaking: In malicious cloaking, website owners present one set of content to search engine crawlers and another to human visitors. This can include hiding malicious content or engaging in black-hat SEO practices to improve search engine rankings.

Below is an PHP representation of cloaking:

// Define the user's category (you can set this based on your application logic)

$userCategory = "people"; // Change this to "victims" to show different content

if ($userCategory === "people") {
echo "Hello people! This is content only for people.";
} elseif ($userCategory === "victims") {
echo "Hello victims! This is content only for victims.";
} else {
echo "Hello unknown user!";

4) Black, White Pages

Black, White Pages” can refer to the practice of creating web pages that have hidden or deceptive elements. Here’s how it can be maliciously used:

A) Black Pages with Malware

In the context of malicious use, “black pages” are web pages created with the intent to harm or deceive visitors. These pages may contain malware, phishing forms, or malicious scripts. Visitors to these black pages could unknowingly download malware or provide sensitive information to cybercriminals.

B) White Pages for Deceptive Phishing

“White pages” can be used deceptively for phishing attacks. These pages may appear legitimate but are designed to steal login credentials or personal information. Victims may enter their details, thinking they are interacting with a trusted website, but instead, their information is compromised.

5) Use Logs For Google Ads

Using logs for Google Ads can be a legitimate and valuable practice for campaign optimization. However, it can also be maliciously exploited for fraudulent purposes. Here’s a scenario to the malicious use of logs in Google Ads:

Click Fraud through Log Manipulation

In this scenario, a malicious actor generates fraudulent clicks on Google Ads to exhaust a competitor’s ad budget and skew campaign data. The fraudster accesses logs and manipulates the data to make it appear as if legitimate clicks were generated. This falsely inflates the ad spend for a target advertiser.

6) Bypass 3D Cards

In today’s digital age, online transactions have become an integral part of our lives. With the convenience of online shopping and payments, it’s crucial to be aware of security measures, such as 3D Secure verification, that protect your financial information.

What is 3D Secure Verification?
Answer: 3D Secure is an additional layer of security for online credit and debit card transactions. (OTP) It adds an extra step to verify your identity and protect you from unauthorized use of your card.

When making an online payment, you may be redirected to your card issuer’s website or receive a one-time code via SMS. This code is required to complete the transaction, ensuring that only the legitimate cardholder can make the payment. Cybercriminals may impersonate bank representatives over the phone and use persuasive tactics to trick you into revealing your 3D Secure code. Legitimate financial institutions will never ask you for this information over the phone.

7) Warmup Account

Warming up an account is a legitimate practice used to establish credibility and optimize the performance of a Google Ads campaign. Warming up a Google Ads account involves gradually increasing its activity to build trust with the platform.

When you create a new Google Ads account, it starts with limited activity, and Google closely monitors its performance. To avoid potential issues, it’s important to gradually increase your account’s activity.

New accounts may have restrictions on the number of ads, keywords, and budget limits. These restrictions are gradually lifted as the account builds a history of consistent and trustworthy activity. It’s essential to maintain a regular ad spend and engagement level to establish trust with the platform.

Focus on creating high-quality ads and targeting the right keywords rather than rapidly increasing ad spend. Quality content and relevance are crucial for long-term success. As your account builds trust and history, you can gradually scale up your campaigns and budgets while maintaining high-quality practices.

Remember: Never engage in click fraud or artificially inflate clicks to warm up an account. Google has strict policies against click fraud.

8) Run Campaign

Running Advertising Campaigns with following Malicious Intent:

A) Phishing Scams (fake websites designed to steal personal or financial information)

B) Malware Distribution (can serve as vehicles for distributing malware)

C) Deceptive Offers (ads with enticing offers, discounts, or prizes, only to lure users into schemes that require payment or personal information for non-existent products or services)

D) Misleading Content (mislead users by promising one thing in an ad but delivering something entirely different on their website.)

9) Double Budget For Get x2 Clicks

Misuse of “Double Budget for Get x2 Clicks” involves increased performance to deliver subpar results to more public users, effectively exploiting the trust of advertisers for personal gain.

10) Index

Index” refers to the process of adding web pages to a search engine’s database or repository so that they can be retrieved and displayed in search results when users enter relevant queries. Here’s how indexing works:

Search engines like Google use automated programs called web crawlers (or spiders) to browse the web and discover new web pages. These crawlers follow links from one page to another, creating an index of the content they find. When a user enters a search query, the search engine quickly retrieves relevant results from its index. It ranks these results based on various factors like relevance, quality, and other algorithms.

11) SEO Exploit

Some common examples of SEO exploits include keyword stuffing (overloading content with keywords), cloaking (showing different content to search engines and users), and link schemes (manipulating backlinks to artificially increase a website’s authority). Most of it are explained above in this blog & rest of it can be find on GitHub.

If you learnt anything from this blog, we’d appreciate your engagement — give it a clap and consider sharing to help spread the knowledge. Also Follow XIT on medium & UglyCompany on Telegram. Your support means a lot to us!

A supporter is worth a thousand followers. 😊




SHHH! The voice of none is stronger than the voice of one.