Cyber Criminals Mislead Corporate Workers To Steal Google Credentials

Uploaded on 2025-07-12 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Corporate workers are not new to Google Ads that unintentionally usher them towards malicious replicas of legitimate websites and applications. We saw it back in 2023 with LOBSHOT, and we’re seeing it today with Semrush.

The LOBSHOT infection chain began when someone performed an Internet search for legitimate software, like the remote desktop solution AnyDesk. Google Ads delivered a promoted “AnyDesk” result that was actually a malicious site. Now, malicious Semrush Google ads are reeling victims in.

These attacks are linked to a growing adoption of malvertising. Malware-based threats surged in the first half of 2024, up by 30% compared to the same period in 2023, according to SonicWall’s 2024 Mid-Year Cyber Threat Report. Stealing credentials may seem relatively harmless on the surface, but these threats are often the entry point to fully interactive remote control capabilities.

How Malvertising Works

The LOBSHOT campaign used a hidden virtual network computing (hVNC) component that allowed unobserved access to the victim's software. The malware plugin employed dynamic import resolution to evade security products, revealing each step only when it was doing it. This helped malware hide its capabilities from security tools that scan software before it runs.

Later attacks, such as the Semrush scam, focused on credential theft without deploying such advanced remote access tools. Malicious actors deceived users into visiting counterfeit Semrush login pages that were designed to harvest Google account credentials when users selected the "Log in with Google" option.

The new tactic optimized those fake pages, known as SEO poisoning, to appear high in Google search results for terms like: "Semrush login" or "Semrush analytics". After clicking the ad, users were taken to a phishing site that appeared to be Semrush, but it was using a different top-level domain.

After users entered their password and multi-factor authentication (MFA), they were tricked into granting access via a fake OAuth consent screen. By clicking “Allow,” users hand the attacker an access token allowing them entry without needing credentials or bypassing MFA again.

Many Semrush accounts are integrated with other Google accounts, like Google Analytics and Google Cloud, meaning that these threat actors can access a host of sensitive company data.

Stop Credential Exposure From Turning Into An Attack

Malicious actors will continue to find new ways to capture sensitive data that can be used to extort companies, sell on the dark web or on cybercrime marketplaces, or to inform future attacks. While they work to outsmart the latest threat detection and bypass safety protocols, there’s one way IT teams can keep a pulse on threats and catch them before they strike.

Companies can prevent credential leaks from becoming full account or session takeovers by continuously monitoring the clear, deep, and dark web for exposed company information and login details.

Tracking chatter or mentions of brand, domains, employee emails, or products in malicious contexts helps identify early warning signs that organizations may be targeted or already compromised.

In cases where credentials, cookies, or access tokens have been exposed in dark web forums or illicit communication channels, IT teams must list all the systems, devices, software, or data that may have been compromised or exposed due to the leakage. Simultaneously, they must assess cloud applications, APIs, remote employee devices, and third-party software to ensure no entry from an attacker.

IT teams cannot protect what they do not know is exposed. Dark web monitoring helps expand their visibility, however, employees must also be trained to report signs of unusual behavior immediately. Consumers will more likely fall prey to malicious ads on trusted websites they visit regularly.

Although many ads they see are legitimate, they must be trained to recognize deceptive techniques and check the URL at the top of the web page before clicking every time.

Nick Ascoli is Director of Product Strategy at Flare

Image:

You Might Also Read:

Malvertising Proliferates As Half Of Online Ads Are Now AI Generated:

If you like this website and use the comprehensive 8,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.