> an attacker who paid for Google Ads for a search term like "BANKNAME login"
I tried out buying Google ads once out of curiosity 'cause they gave me a free credit. It was crazy how many ridiculous stipulations and guidelines I had to work around before they'd accept my ad.
How are they that strict for me, but seemingly they'll sell to a phishing page that's impersonating a bank and targeting it to people searching for that bank?
Criminals are incentivized to evade detection. And you only get to observe the successful criminals and none of the unsuccessful ones. This makes it appear like the criminals are getting through the filters trivially. What you don't see is the work they are putting in to get a successful phishing ad up there.
Not to excuse failures, but there isn't an "it is easy for them but hard for me" situation.
I once tried to buy a domain which contained the word "Google" from Namecheap, but I was rejected with an error telling me that I needed to contact support and show that my use of the trademark was approved by Google. So instead I went to Google Domains and bought it from them with no issues.
Because the impersonator is probably a lot more sophisticated at this than you or I, and it's likely that 999 impersonators were rejected and this is just the 1/1000 who found a way around it.
The system probably produces a lot of false positives AND negatives.
And even at those failure rates (no matter how anecdotal), economies of scale creep in so a couple billion failures/day still would result in nearly a billion successes per year. The machine never rests and is fueled by creative people from all walks of life from every possible place on earth.
I have an ads account; I don't see them checking I haven't done a switcheroo on the landing page contents. I think I could easily put a JS redirect on the landing page, if nothing else worked.
They are reasonably strict about the keywords though -- I often go into a "verifying" stage when setting up the ads.