Security researchers have warned of a new malvertising campaign that uses fake Semrush ads to harvest victims’ Google account logins and data.
The group behind the campaign uses malicious ads impersonating SEO firm Semrush to lure its victims. After clicking through, a user is greeted by a fraudulent Semrush login page that displays only the “Log in with Google” option.
Semrush accounts are often linked with high-value Google accounts, Malwarebytes researchers revealed in a blog post explaining the campaign.
As victims are most likely both Semrush and Google users, the threat actors could use their access to compromise data in both linked accounts.
“Google Analytics (GA) and Google Search Console (GSC) contain critical and confidential information for businesses, revealing detailed perspectives on website performance, user behavioral patterns, and strategic business focuses,” Malwarebytes explained.
“There is additional information stored in a Semrush account (name, phone, business name, address, email and the last four digits of a Visa card) that a threat actor could leverage to impersonate an individual or business. Posing as the business, a threat actor could deceive vendors or partners into sending payments to fraudulent accounts, exploiting the trust tied to the business’s identity.”
By using stolen billing information and partial card details, a fraudster could mount an even more damaging attack, the security vendor added.
“Someone posing as Semrush support, referencing an upcoming payment or the billing update process, could trick the victim into providing full credit card details,” it warned.
The vendor claimed that Semrush boasts 117,000 customers including 40% of Fortune 500 companies, making it a popular target for scammers looking to hijack the brand in malicious Google Search ads.
“As Google Search is a central part of the SEO and ad ecosystems, individuals and businesses who inadvertently click on a malicious ad are at a major risk of losing extremely sensitive data and feel the impact of fraud on many levels,” it concluded.
“This should be a wakeup call to take steps to prevent such exposure by enforcing guard rails to anyone who manages an account for themselves or a company.”