Malicious ads target Semrush users to steal Google account credentials
Cyber crooks are exploiting users’ interest in Semrush, a popular SEO, advertising, and market research SaaS platform, to steal their Google account credentials.
The fraudulent campaign
Malwarebytes researchers have spotted a campaign consisting of a slew of malicious ads shown by Google Search when users look for Semrush.
“Each ad uses a unique domain name which does a redirect to more static domains dedicated to the fake Semrush and Google account login pages,” Malwarebytes researcher Jérôme Segura explained.
On those spoofed login pages, the only sign-in option offered to potential victims is “Sign in with Google”: the fields for logging in with Semrush account credentials are disabled, so every victim is funnelled toward handing over Google credentials.
A spoofed Semrush login page (Source: Malwarebytes)
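The redirect pattern Segura describes (a throwaway domain per ad, all funnelling into a small set of static phishing hosts that borrow the Semrush and Google names) is something a defender can hunt for in web-proxy logs. The script below is an added example for this article, not code from Malwarebytes or from the campaign itself; the log format, the `.example` hostnames in the constructed sample, the allowlist and the crude “last two labels” domain rule are all assumptions for illustration.

```python
"""Hunt for ad-redirect funnels and brand-lookalike hosts in proxy logs.

Added example, not code from Malwarebytes or the article. The one-line log
format "<client> <status> <requested_url> <location_header>" is assumed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines (not real campaign data). Three distinct
# ad-click domains all 302 to the same fake Semrush login host; one more
# redirects to a fake Google sign-in host; two lines are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 302 http://ad-click-a1b2.example/go https://semrush-login-pages.example/
10.0.0.7 302 http://ad-click-c3d4.example/go https://semrush-login-pages.example/
10.0.0.9 302 http://ad-click-e5f6.example/go https://semrush-login-pages.example/
10.0.0.5 200 https://semrush-login-pages.example/ -
10.0.0.3 302 http://ad-click-g7h8.example/go https://accounts-google-verify.example/signin
10.0.0.3 200 https://accounts-google-verify.example/signin -
10.0.0.2 200 https://www.semrush.com/login/ -
10.0.0.4 302 http://short.example/x https://www.semrush.com/login/
"""

LOG_RE = re.compile(r"^(\S+) (\d{3}) (\S+) (\S+)$")

# Brand strings the phishing hosts imitate, and the domains that may
# legitimately carry them (assumed allowlist; extend for your environment).
BRANDS = ("semrush", "google")
ALLOWLIST = {"semrush.com", "google.com"}


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, status, url, location = m.groups()
        records.append({
            "client": client,
            "status": int(status),
            "url": url,
            "location": None if location == "-" else location,
        })
    return records


def registered_domain(host):
    """Crude registrable-domain rule (assumption): keep the last two labels.
    A production hunt should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """True when a hostname carries a brand string but is not an allowlisted domain."""
    host = host.lower()
    if registered_domain(host) in ALLOWLIST:
        return False
    return any(brand in host for brand in BRANDS)


def find_redirect_funnels(records, min_sources=2):
    """Map each non-allowlisted landing host to the distinct source domains
    that redirect into it. Many unique sources -> one landing host is the
    'unique domain per ad, static phishing host' shape from the campaign."""
    funnels = defaultdict(set)
    for r in records:
        if 300 <= r["status"] < 400 and r["location"]:
            src = urlparse(r["url"]).hostname
            dst = urlparse(r["location"]).hostname
            if src and dst and registered_domain(dst) not in ALLOWLIST:
                funnels[dst].add(registered_domain(src))
    return {dst: sorted(srcs) for dst, srcs in funnels.items()
            if len(srcs) >= min_sources}


def hunt(text):
    """Run both checks over a log blob and return the findings."""
    records = parse_log(text)
    hosts = set()
    for r in records:
        for u in (r["url"], r["location"]):
            h = urlparse(u).hostname if u else None
            if h:
                hosts.add(h)
    return {
        "funnels": find_redirect_funnels(records),
        "lookalikes": sorted(h for h in hosts if is_lookalike(h)),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, `hunt()` reports one funnel (three ad-click domains into `semrush-login-pages.example`) and two lookalike hosts; the benign `www.semrush.com` traffic is excluded by the allowlist even though it contains the brand string. The funnel check is the more robust of the two, because it keys on the redirect shape rather than on a brand name the attacker can drop from the hostname.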
Why use Semrush as a lure? Why go after Google account credentials?
“With 40% of Fortune 500 companies and 117,000 paying customers relying on Semrush, the platform presents a highly attractive target for online criminals,” Elie Berreby noted.
Gaining access to those customers’ Google accounts not only allows attackers to place additional malicious Google ads, but also gives them insight into the companies’ financial performance.
“Google Analytics (GA) and Google Search Console (GSC) contain critical and confidential information for businesses, revealing detailed perspectives on website performance, user behavioral patterns, and strategic business focuses,” Berreby pointed out.
Compromising both a company’s Google and Semrush accounts provides attackers with a wealth of information that could be leveraged to impersonate an individual or the business.
“Posing as the business, a threat actor could deceive vendors or partners into sending payments to fraudulent accounts, exploiting the trust tied to the business’s identity,” Berreby says.
The personal and partial financial information stored in Semrush accounts can also be used by attackers to impersonate the company and trick its users into sharing full credit card details.
While the malicious Semrush domains used in this campaign have already been abandoned, others can easily be stood up.