A novel phishing campaign is targeting SEO experts by utilizing counterfeit Semrush Google Ads crafted with the aim of capturing Google login information. Cybercriminals are leveraging these advertisements in order to gain access to valuable Google Ads and analytics accounts. These could then be used to create further malvertising campaigns.

The attackers redirect individuals to fraudulent websites that replicate Semrush’s login interface, employing modified domain names like “semrush[.]click,” “semrush[.]tech,” and “semrush-pro[.]co.” On these pages, users are forced to “Log in with Google”, as the standard sign-in fields have been disabled.

When individuals submit their Google login credentials, this information is sent directly to the malicious actors, allowing them entry to associated Google Ads, Google Analytics, and Google Search Console accounts.

According to Elie Berreby, an SEO strategist, these perpetrators are believed to be affiliated with a Brazilian threat group who are known for targeting Software as a Service (SaaS) platforms. Even though their main objective is to take over Google accounts, they also seek to obtain SaaS credentials and confidential business information.

Semrush is utilized by numerous digital marketers, online retailers, and Fortune 500 firms, often linking to Google accounts that hold crucial business information such as revenue statistics and customer insights.

This attack is an example of “cascading fraud,” previously observed in operations using counterfeit Google Ads. Experts suspect that the perpetrators of this scam have regrouped to deliver this more subtle Semrush phishing campaign.

Taking into account that Google Ads are increasingly misused for harmful purposes, users are encouraged to refrain from clicking on ads, verify URLs before logging in, and utilize trustworthy password managers.