Saturday, March 22, 2025

Pretend Semrush advertisements used to steal web optimization professionals’ Google accounts

A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.

Malwarebytes researcher Jerome Segura and SEO strategist Elie Berreby believe that the threat actor is after Google Ads accounts, which would let them create new malvertising campaigns.

This kind of “cascading fraud” has been gaining traction recently: in January, Malwarebytes uncovered a similar operation in which fake Google Ads hosted on Google Sites targeted Google Ads accounts.

“We believe the criminals behind it likely regrouped and switched to a less direct approach, but one that can deliver just as much,” explains Malwarebytes.

In this latest case, the cybercriminals abuse the Semrush brand, a popular software-as-a-service (SaaS) platform used for SEO, online advertising, content marketing, and competitive research.

Malicious search results (Source: Malwarebytes)

Semrush is widely used by digital marketers, advertisers, e-commerce businesses, and large enterprises, including 40% of Fortune 500 companies.

Because Semrush integrates with Google Analytics and Google Search Console, customers often link valuable Google accounts containing sensitive business data, such as revenue metrics, marketing strategies, and customer behavior, all attractive targets for cybercriminals.

Berreby told BleepingComputer that behind the campaign is a Brazilian threat group that specializes in targeting SaaS platforms and is now using a particularly crafty technique.

“The scammers’ ultimate goal is Google accounts. But their second-best option is SaaS credentials,” explained Berreby.

“If an enterprise Google account was linked in the past, there is a chance of exfiltrating sensitive Google data without compromising the Google account itself.”

Semrush campaign

In the latest campaign, cybercriminals use Google Ads to promote malicious Semrush results when users enter related search terms.

Clicking the ad takes users to a phishing site that looks like Semrush and uses “semrush” domains, but with a different top-level domain than the legitimate company (semrush.com).

Some malicious domains used in the campaign are “semrush[.]click,” “semrush[.]tech,” “auth.seem-rush[.]com,” “semrush-pro[.]co,” and “sem-rushh[.]com.”

Most of these domains remain online, but not all of them load the phishing page, suggesting that the threat actor is filtering targets based on geographic location and other criteria.

Phishing page (Source: Malwarebytes)

The fake login page mimics Semrush’s interface but does not offer the standard sign-in options, forcing visitors to log in via “Log in with Google” only.

When users enter their Google login details, the information is sent directly to the attackers.

Since many Semrush accounts are integrated with Google Analytics (GA) and Google Search Console (GSC), the threat actors could gain access to sensitive business data without compromising Semrush itself.

Accessible information post-compromise (Source: Malwarebytes)

Regarding the persistence of malicious Google Ads and the tech giant’s failure to address this problem decisively, Berreby explained that it will take big decisions at a higher level to stop this.

“I’ve had several chats with Google representatives in the past years about the cybersecurity risks of using Google Ads for malicious purposes,” Elie Berreby said.

“The answer from these well-meaning and hard-working people was always the same: ‘I’m just a cog in a huge machine.’

“The problem is that the people we talk with at Google can’t address the underlying issues because they are not decision-makers. They are diligently doing their best at an individual level, but that’s not enough, and frankly, that’s not acceptable for a giant tech company like Google that uses the most advanced machine learning solutions.”

Still, the SEO expert commended Google for responding quickly to their reports and taking down the malicious ads associated with the latest campaign.

To avoid getting trapped by Google Ads scams, avoid clicking on promoted/sponsored results, bookmark pages you access frequently so you can visit them directly, and always double-check that you landed on the official domain before logging in.

Using a password manager to fill out login boxes can also help, because the credentials will only be entered on the domains they were saved for.
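As an added example (not code from Malwarebytes, BleepingComputer or Semrush), the following Python flags lookalike hosts of the kind listed above and mirrors the domain-bound autofill rule that makes a password manager useful here. The sample host list is constructed from the article's defanged domains plus two controls; the eTLD+1 logic is a deliberately naive last-two-labels approximation.

```python
import re

LEGIT_DOMAIN = "semrush.com"  # the genuine site named in the article

# Constructed sample: the defanged lookalikes quoted above plus two controls.
SAMPLE_HOSTS = [
    "semrush.com",
    "semrush[.]click",
    "semrush[.]tech",
    "auth.seem-rush[.]com",
    "semrush-pro[.]co",
    "sem-rushh[.]com",
    "www.google.com",
]

def refang(host: str) -> str:
    """Turn a defanged indicator ("semrush[.]click") back into a hostname."""
    return host.replace("[.]", ".").lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.co/.tech/.click;
    a production check would consult the Public Suffix List instead."""
    return ".".join(refang(host).split(".")[-2:])

def squash(label: str) -> str:
    """Fold the tricks seen in this campaign onto the brand string:
    drop hyphens ("seem-rush") and collapse doubled letters ("rushh")."""
    return re.sub(r"(.)\1+", r"\1", label.replace("-", ""))

def classify(host: str, legit: str = LEGIT_DOMAIN) -> str:
    """'legit' if the registrable domain is the real one, 'lookalike' if
    its second-level label folds onto the brand, else 'unrelated'."""
    reg = registrable_domain(host)
    if reg == legit:
        return "legit"
    brand = squash(legit.split(".")[0])
    return "lookalike" if brand in squash(reg.split(".")[0]) else "unrelated"

def autofill_allowed(saved_for: str, host: str) -> bool:
    """The password-manager rule the article relies on: fill credentials only
    when the page's registrable domain equals the one they were saved for."""
    return registrable_domain(host) == registrable_domain(saved_for)

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{classify(host):10} {host}")
```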
