Scam Alert: Fake Google Ad for coinmarketcap.com (very well done)

[12000suns]

What happened::
There is high quality forged Google ad, impersonating coinmarketcap.com (see screenshot below)

After inspection we are unable to determine the mechanism but the following was observed:

URL is exactly the same. No homoglyphs, no mixed alphabets, it hashes the same with the legit string.
The excerpt from source:

Code:

<a style="display:none" href="/aclk?sa=L&amp;ai=DChcSEwi8oK7ejsLZAhVZibIKHQHCBHAYABABGgJscg&amp;sig=AOD64_0ZJhvOZ-0Nf2kK_QgC2W8ewzFjKw&amp;q=&amp;ved=0ahUKEwi64KjejsLZAhVFhiwKHQCbBLUQ0QwIKA&amp;adurl=" id="n1s0p2c0"></a>
<a class="_Jwu r-ieTJdWpaBQ8I" href="https://coinmarketcap.com/" id="vn1s0p2c0" onmousedown="return google.arwt(this)" ontouchstart="return google.arwt(this)" data-preconnect-urls="http://monkey-tracker.info/" jsl="$t t-zxXzjt1d4B0;$x 0;">Cryptocurrency Market Capitalizations | CoinMarketCap‎</a>

 
shows replaced data-preconnect-urls argument which is used for redirection to whatever the attacker needs.
Currently it redirects to https://thebitcoincode.com/, but as you can imagine same technique can be used in numerous phishing attempts.

If anyone has explanation how they did it, please submit a bug report @ Google
 
Disclaimer:
Reproduced on different machines with different browsers.
Unable to reproduce with another google account.

Reference screenshot:
https://imgur.com/a/t63y0

Additional Notes:
The domain is privacy protected and is linked to vps hosted in Moscow.

[Coinky]

I don't think this is a scam or phishing attempt.This is link cloaking generally used by affiliate marketers.Generally the landing page link is originally pointed to the real site,but after the approval of ad,it will be redirected to their own page

This has to do with Google banning crypto ads ,may be

[timerland]

I don't think this is a scam or phishing attempt.This is link cloaking generally used by affiliate marketers.Generally the landing page link is originally pointed to the real site,but after the approval of ad,it will be redirected to their own page

This has to do with Google banning crypto ads ,may be

Well, isn't that the same as phishing?

You're getting someone who wants to go to one site to another. Isn't that the definition of phishing?

I have no idea how they do it, I don't have any experience in this field.

But what I can say is that thebitcoincode is definitely not legit and if there is a way to make thousands of dollars in a day, then everyone would be doing it and nobody would be bothering to do anything else on this world. Whoever implemented this phishing ad is obviously wanting to make affiliate earnings off this ripoff/scam.