How can someone spoof the page/inject ads if the site is served over https?

They would need to have compromised one of the root certificates on your machine to not give you a giant security warning.

In modern browsers there’s not even a button to bypass them (although I know I chrome you can type “this is unsafe” to a hidden input in the error page and it will let you bypass it temporarily).