Fake websites popping up in Google search ads


Many employees at companies access various online services via their web browsers daily. Some can recall the addresses of frequently visited websites and directly type them in, while others—likely most—opt to save bookmarks. Additionally, there are individuals who enter the service name into a search engine every time and click on the first result that appears. These types of users seem to be the target of cybercriminals promoting their fraudulent (phishing) sites through Google Ads. This advertising tactic raises the visibility of these fake pages in search results above that of the legitimate websites.

As per Google’s Ads Safety Report for 2024, the company blocked or removed an astounding 415 million ads last year due to violations of their policies—primarily linked to scams. Furthermore, they also suspended five million advertising accounts responsible for these types of advertisements. This illustrates the immense scale of the issue. Google Ads serves as a highly favored tool for cybercriminals to disseminate their harmful content. While a large number of these schemes target regular home users, there have been recent reports of scammers also targeting business accounts like those from Semrush or even Google Ads itself.

Fraudulent Semrush websites have appeared. Semrush is a widely used tool that aids in keyword discovery, competitor website analysis, backlink tracking, and more. SEO professionals utilize it globally. To enhance its functionality, Semrush is frequently integrated with Google Analytics and Google Search Console. Those accounts can contain vast amounts of sensitive business information—including revenue reports, marketing strategies, analyses of customer behavior, and much more.

If cybercriminals gain access to a Semrush account, they can exploit the information they uncover to launch further attacks on other employees or simply sell the access in the dark web marketplace.

It’s no surprise that some criminals have initiated a phishing scheme targeting SEO experts. They created a series of websites that closely resemble the Semrush sign-in page. To seem authentic, the scammers used multiple domain names incorporating the name of the company they were impersonating: semrush[.]click, semrush[.]tech, auth.seem-rush[.]com, semrush-pro[.]co, sem-rushh[.]com, and others. They also leverage Google Ads to advertise all of these fraudulent sites.

The sole method of distinguishing the fake pages from the legitimate one is to verify the website address. Like the actual Semrush sign-in page, the counterfeit pages offer two main ways to log in: using a Google account or by manually entering your Semrush username and password. However, the criminals have cleverly disabled the fields meant for inputting Semrush credentials; thus, the victims are left with no option but to attempt signing in via Google.

A new fraudulent page then appears that convincingly mimics the Google account login page. Naturally, any Google account credentials entered there are sent directly to the scammers.

An even more fascinating twist on this attack model involved cybercriminals using Google Ads to promote fake versions of… Google Ads! The mechanism is quite similar to how they target Semrush credentials—albeit with one notable difference: the website address displayed in the fake Google Ads is identical to the actual one (ads.google[.]com)!

The scammers achieved this by utilizing another Google service: Google Sites, a platform for creating websites. According to Google Ads guidelines, an advertisement can show the address of any page as long as the domain matches that of the actual website to which the ad leads. Therefore, if the attacker establishes an intermediary website using Google Sites, it will carry a google.com domain name, allowing them to display the ads.google.com address in their advertisement.

Links from this temporary site subsequently redirect to a page that closely resembles the Google Ads sign-in page. If the user fails to notice they have navigated away from the legitimate Google pages and inputs their login information, it will end up in the hands of the cybercriminals.
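Two checks a defender can automate follow from the article: flag lookalikes of the impersonated brands among observed sign-in hosts (the defanged domains listed above), and refuse to trust an ad whose final landing page, after all redirects, sits on a different registrable domain than the address the ad displayed (the Google Sites hop). This is an added example, not code from the original post; the redirect chain is constructed and its last hostname is a placeholder, and the eTLD+1 logic is deliberately naive.

```python
from urllib.parse import urlsplit
# Legitimate registrable domains of the two sign-in pages the article says were cloned.
LEGIT = {"semrush.com", "google.com"}
BRANDS = ("semrush", "google")

def hostname(url_or_host: str) -> str:
    """Re-fang 'semrush[.]click' style indicators and strip any scheme/path."""
    s = url_or_host.replace("[.]", ".").strip().lower()
    return (urlsplit(s).hostname or s) if "://" in s else s.split("/")[0]

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(indicator: str) -> str:
    """'legitimate', 'lookalike of <brand>' or 'unrelated' for one URL or host."""
    reg = registrable_domain(hostname(indicator))
    if reg in LEGIT:
        return "legitimate"
    # Compare the label left of the TLD with hyphens removed: 'sem-rushh' -> 'semrushh'.
    compact = reg.rsplit(".", 1)[0].replace("-", "")
    for brand in BRANDS:
        if brand in compact or levenshtein(compact, brand) <= 2:
            return f"lookalike of {brand}"
    return "unrelated"

def landing_matches_display(displayed_url: str, redirect_chain: list) -> bool:
    """Ad-display check: the final page after all redirects must be on the same
    registrable domain as the address the ad showed (google.com for ads.google.com)."""
    shown = registrable_domain(hostname(displayed_url))
    final = registrable_domain(hostname(redirect_chain[-1]))
    return shown == final

if __name__ == "__main__":
    for d in ("semrush[.]click", "auth.seem-rush[.]com", "sem-rushh[.]com", "ads.google.com"):
        print(f"{d:25} -> {classify(d)}")
    # Constructed chain modelled on the Google Sites hop; the last host is a placeholder.
    chain = ["https://sites.google.com/view/example-page", "https://PLACEHOLDER-login.example/"]
    print("display matches landing:", landing_matches_display("https://ads.google.com", chain))
```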
