Cyber Criminals Mislead Corporate Workers To Steal Google Credentials

Corporate workers are not new to Google Ads that unintentionally usher them towards malicious replicas of legitimate websites and applications. We saw it back in 2023 with LOBSHOT, and we’re seeing it today with Semrush.

The LOBSHOT infection chain began when someone performed an Internet search for legitimate software, like the remote desktop solution AnyDesk. Google Ads delivered a promoted “AnyDesk” result that was actually a malicious site. Now, malicious Semrush Google ads are reeling victims in.

These attacks are linked to a growing adoption of malvertising. Malware-based threats surged in the first half of 2024, up by 30% compared to the same period in 2023, according to SonicWall’s 2024 Mid-Year Cyber Threat Report. Stealing credentials may seem relatively harmless on the surface, but these threats are often the entry point to fully interactive remote control capabilities. 

How Malvertising Works

The LOBSHOT campaign used a hidden virtual network computing (hVNC) component that gave the attacker unobserved remote control of the victim's machine. The malware plugin employed dynamic import resolution to evade security products, resolving the functions it needed only at the moment it called them. This helped the malware hide its capabilities from security tools that scan software before it runs.

Later attacks, such as the Semrush scam, focused on credential theft without deploying such advanced remote access tools. Malicious actors deceived users into visiting counterfeit Semrush login pages that were designed to harvest Google account credentials when users selected the "Log in with Google" option.

The newer tactic, known as SEO poisoning, optimized those fake pages to appear high in Google search results for terms such as "Semrush login" or "Semrush analytics". After clicking the ad, users were taken to a phishing site that looked like Semrush but used a different top-level domain.

After users entered their password and completed multi-factor authentication (MFA), they were tricked into granting access via a fake OAuth consent screen. By clicking “Allow,” users hand the attacker an access token that grants entry without the attacker needing the credentials or having to bypass MFA again.

Many Semrush accounts are integrated with other Google services, such as Google Analytics and Google Cloud, meaning that these threat actors can access a host of sensitive company data.
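The consent-screen step above is where a defender gets a second chance: the attacker's OAuth client receives the token, and that grant is an auditable event. The following is an added example (not code from the article, from Flare, Semrush or Google) showing how a SOC might triage consent grants. The audit records, the client ID allowlist and the `APPROVED_APPS` mapping are constructed assumptions; the scope strings are real Google OAuth scopes used only to illustrate which grants merit attention.

```python
from __future__ import annotations
from dataclasses import dataclass

# Scopes that give a token holder broad reach into the data the article names
# (Analytics, Cloud, mail). Which scopes count as sensitive is our assumption.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/analytics.readonly",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://mail.google.com/",
}

# Assumed allowlist: brand display name -> OAuth client IDs the org has vetted.
# The client IDs below are constructed placeholders, not real ones.
APPROVED_APPS = {
    "semrush": {"111111111111-vetted.apps.googleusercontent.com"},
}
APPROVED_CLIENT_IDS = set().union(*APPROVED_APPS.values())


@dataclass(frozen=True)
class ConsentGrant:
    user: str
    app_name: str        # name shown on the consent screen (attacker-chosen)
    client_id: str       # OAuth client that actually received the token
    scopes: frozenset


def findings_for(grant: ConsentGrant) -> list[str]:
    """Return reasons a grant looks like consent phishing; empty if vetted."""
    if grant.client_id in APPROVED_CLIENT_IDS:
        return []  # a vetted integration, whatever name it displayed
    reasons = ["client_id not in allowlist"]
    shown = grant.app_name.casefold()
    # Classic consent phishing: the screen says "Semrush" but the token goes
    # to a client ID that is not Semrush's.
    for brand, ids in APPROVED_APPS.items():
        if brand in shown and grant.client_id not in ids:
            reasons.append(f"display name impersonates approved app '{brand}'")
    risky = sorted(grant.scopes & SENSITIVE_SCOPES)
    if risky:
        reasons.append("sensitive scopes granted: " + ", ".join(risky))
    return reasons


def is_suspicious(grant: ConsentGrant) -> bool:
    """Alert only when an unapproved client also impersonates or gets broad scopes."""
    reasons = findings_for(grant)
    return len(reasons) > 0 and any(
        r.startswith(("display name impersonates", "sensitive scopes")) for r in reasons
    )


def triage(grants: list[ConsentGrant]) -> list[tuple[str, list[str]]]:
    """Users whose grants need revocation and follow-up, with the reasons."""
    return [(g.user, findings_for(g)) for g in grants if is_suspicious(g)]


# Constructed sample audit records for three users.
SAMPLE_GRANTS = [
    ConsentGrant("alice@example.com", "Semrush",
                 "111111111111-vetted.apps.googleusercontent.com",
                 frozenset({"https://www.googleapis.com/auth/analytics.readonly"})),
    ConsentGrant("bob@example.com", "Semrush",
                 "999999999999-unknown.apps.googleusercontent.com",
                 frozenset({"https://www.googleapis.com/auth/analytics.readonly",
                            "https://www.googleapis.com/auth/cloud-platform"})),
    ConsentGrant("carol@example.com", "Calendar Helper",
                 "888888888888-unknown.apps.googleusercontent.com",
                 frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_GRANTS):
        print(user, "->", "; ".join(reasons))
```

Only Bob's grant is raised: the display name matches a vetted brand while the client ID does not, and the scopes reach Analytics and Cloud. Carol's unknown client with a narrow calendar scope is recorded but not alerted on, which keeps the rule from drowning in ordinary third-party apps. The response for a hit is to revoke the grant for that client ID, since the attacker's token survives a password reset and a fresh MFA prompt.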

Stop Credential Exposure From Turning Into An Attack

Malicious actors will continue to find new ways to capture sensitive data that can be used to extort companies, sell on the dark web or on cybercrime marketplaces, or to inform future attacks. While they work to outsmart the latest threat detection and bypass safety protocols, there’s one way IT teams can keep a pulse on threats and catch them before they strike. 

Companies can prevent credential leaks from becoming full account or session takeovers by continuously monitoring the clear, deep, and dark web for exposed company information and login details.

Tracking chatter or mentions of brand, domains, employee emails, or products in malicious contexts helps identify early warning signs that organizations may be targeted or already compromised.

In cases where credentials, cookies, or access tokens have been exposed on dark web forums or in illicit communication channels, IT teams must list every system, device, application, or data set that may have been compromised or exposed through the leak. At the same time, they must assess cloud applications, APIs, remote employee devices, and third-party software to ensure an attacker has no remaining point of entry.

IT teams cannot protect what they do not know is exposed. Dark web monitoring helps expand their visibility; however, employees must also be trained to report signs of unusual behavior immediately. Consumers are more likely to fall prey to malicious ads on trusted websites they visit regularly.

Although many of the ads they see are legitimate, they must be trained to recognize deceptive techniques and to check the URL in the address bar every time before clicking.
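The "check the URL" advice can also be encoded as a pre-click check in a browser extension or a mail-link rewriter. The following is an added example, not code from the article or from Flare, that classifies a login URL against an allowlist and catches the different-TLD trick the article describes, as well as two related tricks: the brand name placed in a subdomain, and the brand name placed before an `@` so that it is userinfo rather than the host. The allowlist and brand words are assumptions, and all sample URLs use the reserved `.test` TLD, so none points at a real site.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Assumed allowlist of domains where a real login may happen (any subdomain).
APPROVED_HOSTS = {"semrush.com", "google.com"}
# Brand words whose presence outside an approved domain signals a lookalike.
BRAND_WORDS = {"semrush", "google"}


def check_login_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is ok, reject, review or unknown."""
    parts = urlsplit(url.strip())
    # .hostname strips userinfo and port and lowercases, so "SEMRUSH.COM:443"
    # and "user@host" are normalised before any comparison.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("reject", "no hostname in URL")

    if any(host == a or host.endswith("." + a) for a in APPROVED_HOSTS):
        if parts.scheme != "https":
            return ("reject", f"approved host {host} but scheme is {parts.scheme!r}, not https")
        return ("ok", f"{host} is an approved login host")

    # Everything below is NOT an approved host; describe why it looks wrong.
    userinfo = (parts.username or "").lower()
    if any(b in userinfo for b in BRAND_WORDS):
        return ("reject", f"brand name hidden before '@'; real host is {host}")

    labels = host.split(".")
    for b in sorted(BRAND_WORDS):
        if any(b in label for label in labels):
            return ("reject", f"lookalike: '{b}' appears in {host}, which is not an approved domain")

    if any(label.startswith("xn--") for label in labels):
        return ("review", f"{host} is punycode; inspect the decoded name manually")

    return ("unknown", f"{host} is not an approved login host")


# Constructed sample URLs (reserved .test TLD; none is a real site).
SAMPLE_URLS = [
    "https://www.semrush.com/login",                  # genuine
    "https://semrush.test/login",                     # same name, other TLD
    "https://www.semrush.com.login-portal.test/",     # brand in a subdomain
    "https://www.semrush.com@login-portal.test/",     # brand as userinfo
    "http://www.semrush.com/login",                   # right host, no TLS
    "https://example.test/",                          # unrelated site
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, reason = check_login_url(u)
        print(f"{verdict:8} {u}  ({reason})")
```

The ordering matters: the approved-domain test runs first on the parsed hostname, so a host that merely ends in the string `semrush.com` (such as `semrush.com.login-portal.test`) never matches, because the check requires the approved name to be the whole host or a dot-separated suffix.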

Nick Ascoli is Director of Product Strategy at Flare
