Cyber Criminals Mislead Corporate Workers To Steal Google Credentials

Corporate workers are not new to Google Ads that unintentionally usher them towards malicious replicas of legitimate websites and applications. We saw it back in 2023 with LOBSHOT, and we’re seeing it today with Semrush.

The LOBSHOT infection chain began when someone performed an Internet search for legitimate software, like the remote desktop solution AnyDesk. Google Ads delivered a promoted “AnyDesk” result that was actually a malicious site. Now, malicious Semrush Google ads are reeling victims in.

These attacks are linked to a growing adoption of malvertising. Malware-based threats surged in the first half of 2024, up by 30% compared to the same period in 2023, according to SonicWall’s 2024 Mid-Year Cyber Threat Report. Stealing credentials may seem relatively harmless on the surface, but these threats are often the entry point to fully interactive remote control capabilities. 

How Malvertising Works

The LOBSHOT campaign used a hidden virtual network computing (hVNC) component that gave the attacker unobserved access to the victim's software. The malware resolved its imports dynamically at run time, revealing each capability only at the moment it was used, which hid those capabilities from security tools that scan software before it runs.

Later attacks, such as the Semrush scam, focused on credential theft without deploying such advanced remote access tools. Malicious actors deceived users into visiting counterfeit Semrush login pages that were designed to harvest Google account credentials when users selected the "Log in with Google" option.

The new tactic, known as SEO poisoning, optimized those fake pages to rank high in Google search results for terms like "Semrush login" or "Semrush analytics". After clicking the ad, users were taken to a phishing site that looked like Semrush but sat on a different top-level domain.

After users entered their password and completed multi-factor authentication (MFA), they were tricked into granting access through a fake OAuth consent screen. By clicking “Allow,” users handed the attacker an access token that grants entry without the attacker needing the credentials or having to bypass MFA again.
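The phishing chain above relies on a hostname that carries the brand name but lives on a different registrable domain. The following is an added example (not code from the original article or from Semrush) of a defender-side triage check that flags such lookalikes in landing URLs taken from a proxy log or ad-click report. The brand allowlist, the small public-suffix set and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Assumed allowlist of legitimate registrable domains per impersonated brand.
BRAND_DOMAINS = {"semrush": {"semrush.com"}}

# Small set of multi-label public suffixes so "x.co.uk" is handled; a real
# deployment would load the full Public Suffix List (assumption for brevity).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Classify a URL as 'legitimate', 'lookalike' or 'unrelated'.

    'lookalike' means a brand name appears in the hostname but the
    registrable domain is not on that brand's allowlist. This covers the
    different-TLD trick described above as well as the brand placed in a
    subdomain or padded with extra words and hyphens.
    """
    host = (urlparse(url).hostname or "").lower()
    rd = registrable_domain(host)
    for brand, allowed in BRAND_DOMAINS.items():
        if rd in allowed:
            return "legitimate"
        if brand in host.replace("-", ""):
            return "lookalike"
    return "unrelated"


# Constructed sample of landing URLs as they might appear in a click report.
SAMPLE_URLS = [
    "https://www.semrush.com/login/",
    "https://semrush.co/login",               # same name, different TLD
    "https://semrush.com.example.net/login",  # real domain used as a subdomain
    "https://login-semrush.net/oauth",        # brand padded with extra words
    "https://accounts.google.com/",
]


def triage(urls):
    """Map each URL to its classification for review or alerting."""
    return {u: classify_url(u) for u in urls}
```

Feeding the same check into a proxy or SIEM rule turns "users clicked a branded ad" into an alert only when the destination is off the brand's own domain.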

Many Semrush accounts are integrated with other Google services, like Google Analytics and Google Cloud, meaning that these threat actors can access a host of sensitive company data.

Stop Credential Exposure From Turning Into An Attack

Malicious actors will continue to find new ways to capture sensitive data that can be used to extort companies, sell on the dark web or on cybercrime marketplaces, or to inform future attacks. While they work to outsmart the latest threat detection and bypass safety protocols, there’s one way IT teams can keep a pulse on threats and catch them before they strike. 

Companies can prevent credential leaks from becoming full account or session takeovers by continuously monitoring the clear, deep, and dark web for exposed company information and login details.

Tracking chatter or mentions of brand, domains, employee emails, or products in malicious contexts helps identify early warning signs that organizations may be targeted or already compromised.

In cases where credentials, cookies, or access tokens have been exposed in dark web forums or illicit communication channels, IT teams must list all the systems, devices, software, or data that may have been compromised or exposed as a result of the leak. At the same time, they must assess cloud applications, APIs, remote employee devices, and third-party software to ensure an attacker has no way in.

IT teams cannot protect what they do not know is exposed. Dark web monitoring helps expand their visibility; however, employees must also be trained to report signs of unusual behavior immediately. Users are more likely to fall prey to malicious ads on trusted websites they visit regularly.

Although many of the ads they see are legitimate, employees must be trained to recognize deceptive techniques and to check the URL in the address bar every time before clicking.

Nick Ascoli is Director of Product Strategy at Flare
