Blinded by the Budget: A Warning to Agencies on Fake Briefs and Ad Account Hijacking

Cybercriminals are targeting small digital marketing agencies with fake business briefs. Over the past month, we caught two separate attempts designed to infiltrate our systems. This is not an uncoordinated spray-and-pray operation; it is a deliberate campaign aiming directly at agency access permissions.

The first attempt arrived through our website inquiry form, masquerading as a high-value paid media brief for Grundfos, the global water technology company. The outreach included a highly specific brief and a realistic budget, followed quickly by what looked like an official Google Ads invitation.

The email notification looked identical to a standard Google read-only invitation.

The giveaway was the destination URL hidden behind the button. Instead of pointing to a verified Google domain, the link directed to “ads.r1google.com/nav/startacceptinvitevid”: the registrable domain there is r1google.com, not google.com, however closely the hostname and path imitate the real invitation flow. This technique relies on domain spoofing and custom redirects to deliver a credential-harvesting page. Clicking that link lets attackers capture the active session token issued once the victim has logged in, which gives them a way to bypass multi-factor authentication (MFA) without ever needing the second factor themselves.
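The check described above, written out as an added example that is not part of BOND Digital's post: it parses the destination behind an "accept invitation" button and compares the registrable domain against the legitimate Google Ads host (ads.google.com is Google's own host; the allowlist, the brand token and the labels are assumptions). It also flags two related tricks beyond the page's example: the brand placed in a subdomain of another registrable domain, and the brand placed in the URL's userinfo before an `@`.

```python
from urllib.parse import urlsplit

# Assumption for this example: only google.com-owned hosts may issue Google Ads invitations.
TRUSTED_REGISTRABLE_DOMAINS = {"google.com"}
BRAND_TOKENS = ("google",)  # brand strings whose presence on another domain is suspicious


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (eTLD+1 for simple TLDs such as .com).
    Sufficient for this example; production tooling should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_invite_link(url: str) -> str:
    """Classify the URL behind an invitation button.
    Returns 'trusted', 'lookalike', 'unknown' or 'malformed'."""
    # Mail clients often show scheme-less links; assume https so urlsplit sees a netloc.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return "malformed"
    if parts.username is not None:
        # 'google.com@evil.example' shows the brand first, but the real host is evil.example.
        return "lookalike"
    if registrable_domain(host) in TRUSTED_REGISTRABLE_DOMAINS:
        return "trusted"
    # Brand name appears somewhere in the host, yet the registrable domain is not trusted:
    # covers ads.r1google.com as well as ads.google.com.evil.example.
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the one quoted in the post.
    for link in ("https://ads.google.com/",
                 "ads.r1google.com/nav/startacceptinvitevid",
                 "https://ads.google.com.evil.example/login",
                 "https://google.com@evil.example/",
                 "https://example.org/brief"):
        print(f"{classify_invite_link(link):10s} {link}")
```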

The second attempt shifted from credential phishing to direct malware delivery. A lead claiming to represent an ethical toy brand submitted an inquiry with a Dropbox link that supposedly contained campaign assets. The “project brief” inside the folder was an .exe executable. When challenged on why a document would need to be an executable, the sender apologized and replaced it with Word and PDF documents. This is a common social engineering tactic: the attacker supplies files containing embedded malicious scripts or macro-enabled loaders, and the “corrected” documents deserve the same suspicion as the original file.

Small agencies often wonder what hackers stand to gain by targeting boutique firms rather than multi-national corporations. The answer lies in your access levels.

By compromising a single agency login, cybercriminals gain immediate access to an entire My Client Center (MCC) or Google Ads Manager account. They do not want your agency’s bank details; they want the pre-approved ad accounts, high spending limits, and historical credit lines belonging to your clients.

Once inside a compromised manager account, attackers set up high-budget malicious campaigns—often promoting fraudulent cryptocurrency schemes, phishing portals, or tech support scams. Because these ads run out of an established, trusted agency ecosystem, they routinely bypass Google’s initial automated security filters. The real-world outcome is devastating: client budgets are drained overnight, ad accounts are permanently suspended, and recovery times through official support channels can take weeks.

The secondary objective is data exfiltration via infostealer malware, including variants like Lumma Stealer and PureHVNC. These payloads execute silently, scraping browser cookies, saved passwords, and local security keys.

At BOND Digital, our view on operational security is rooted in simple, practical vigilance. The most dangerous security vulnerability isn’t software; it’s a marketer’s natural excitement when a high-value, highly relevant opportunity lands in their inbox. These attacks succeed because the briefs look real, the budgets are compelling, and our instinct is to move fast to win the business.

Consider this a strong warning to other agencies: do not let an exciting pipeline opportunity blind you to cybersecurity basics. Implement strict protocols for handling external links, verify client domains before accepting account invitations, and ensure your team never runs unverified attachments. Protect your access controls with the same diligence you apply to managing your client performance.
