Phishing through Google Ads: attacks on SEO and marketing

Phishing through Google Ads: attacks on SEO and marketing

/in

Many company employees use various online services through their web browsers every day. Some of them remember website addresses they use frequently and type them in directly, while others – probably most – save bookmarks. Then there are folks who type the service name into a search engine every time and just click the first link that comes up. These are apparently the kind of users that cybercriminals target when they promote their fake (phishing) sites through Google Ads. This promotion makes the fake pages show up higher in search results than the respective authentic websites.

According to Google’s Ads Safety Report, 2024, Google blocked or removed a whopping 415 million ads last year for breaking their rules – mostly  by running scams. The company also blocked five million advertising accounts that were placing these kinds of ads. This gives you an idea of the sheer scale of the problem. Google Ads is an incredibly popular tool for cybercriminals to spread their malicious content. Although a significant proportion of these schemes target regular home users, there’ve been stories lately about scammers going after Semrush or even Google Ads business accounts.

Fake Semrush pages

Semrush is a popular tool that helps you find keywords, analyze your competitors’ websites, track backlinks, and so on. It’s used by SEO pros all over the world. For better performance, Semrush is often integrated with Google Analytics and Google Search Console. Accounts in those services can hold a ton of private business information – such as revenue reports, marketing strategies, analysis of customer behavior, and a lot more.

If cybercriminals can gain access to a Semrush account, they can use that information they find there to launch more attacks on other employees, or just sell the access on the dark web.

It’s small wonder that some crooks have launched a phishing campaign that targets SEO professionals. They set up a series of websites whose design closely mimics the Semrush sign-in page. To appear legitimate, the scammers employed multiple domain names that included the name of the company they were imitating: semrush[.]click, semrush[.]tech, auth.seem-rush[.]com, semrush-pro[.]co, sem-rushh[.]com, and so on. And they use Google Ads to promote all these fake sites.

The only way to tell the fake pages from the real one is by checking the website address. Just like the real Semrush sign-in page, the fake pages show two main ways to authenticate: using a Google account, or by typing in your Semrush username and password. But the criminals have cleverly blocked the fields where you would type in your Semrush credentials; therefore, the victims don’t have any other choice but to try signing in with Google.

Another fake page then opens that does a no-less-convincing job imitating the Google account sign-in page. Of course, any Google account credentials entered there go straight to the scammers.

Fake Google Ads in Google Ads

An even more intriguing twist on the same type of attack saw the cybercriminals leveraging Google Ads to promote fake versions of… Google Ads! The way it works is quite similar to how they go after Semrush credentials – but with one really interesting nuance: the website address shown in the fake Google Ads ad is exactly the same as the real one (ads.google[.]com)!

The scammers have been able to pull this off by using another Google service: Google Sites, a website-building platform. According to the Google Ads rules, an ad can show the address of any page as long as its domain matches the domain of the actual website the ad redirects to. So, if the attacker creates an intermediate website with Google Sites, it has a google.com domain name, which means they’re allowed to display the ads.google.com address in their ad.

Links from this temporary site then redirect to a page that looks just like the Google Ads sign-in. If the user fails to notice they’ve left the real Google pages and types in their login information, it lands right in the hands of the cybercriminals.

How to keep your company safe from phishing

The only way to comprehensively solve the problem of malicious websites being promoted through Google Ads is for Google itself to step up. To their credit, in both the cases described above (the fake Google Ads pages and Semrush sites), the company did take action quickly by removing them from the top of the search results.

To keep your organization safe from these kinds of phishing attacks, we recommend doing the following:

  • Remind your employees that it’s best to bookmark websites they visit often instead of relying on search engines every time.
  • Train your employees to spot potential threats. This is something you can easily and cost-effectively automate with an e-learning platform like the Kaspersky Automated Security Awareness Platform.
  • Make sure to use multi-factor authentication for all services that support it. For Google accounts, it’s best to use a passkey.
  • Install a robust security solution on all company devices. It’ll warn you about dangers and stop you from visiting suspicious websites.

Kaspersky official blog – ​Read More