Cyber Criminals Mislead Corporate Workers To Steal Google Credentials

Corporate workers are no strangers to Google Ads that quietly steer them towards malicious replicas of legitimate websites and applications. We saw it back in 2023 with LOBSHOT, and we’re seeing it today with Semrush.

The LOBSHOT infection chain began when someone performed an Internet search for legitimate software, like the remote desktop solution AnyDesk. Google Ads delivered a promoted “AnyDesk” result that was actually a malicious site. Now, malicious Semrush Google ads are reeling victims in.

These attacks are linked to a growing adoption of malvertising. Malware-based threats surged in the first half of 2024, up by 30% compared to the same period in 2023, according to SonicWall’s 2024 Mid-Year Cyber Threat Report. Stealing credentials may seem relatively harmless on the surface, but these threats are often the entry point to fully interactive remote control capabilities. 

How Malvertising Works

The LOBSHOT campaign used a hidden virtual network computing (hVNC) component that gave the attacker unobserved access to the victim's software. The malware plugin employed dynamic import resolution to evade security products, resolving each function it needed only at the moment it called it. This hid the malware's capabilities from security tools that scan software before it runs.

Later attacks, such as the Semrush scam, focused on credential theft without deploying such advanced remote access tools. Malicious actors deceived users into visiting counterfeit Semrush login pages that were designed to harvest Google account credentials when users selected the "Log in with Google" option.

The new tactic, known as SEO poisoning, optimized those fake pages to appear high in Google search results for terms like "Semrush login" or "Semrush analytics". After clicking the ad, users were taken to a phishing site that looked like Semrush but was hosted on a different top-level domain.

After users entered their password and completed multi-factor authentication (MFA), they were tricked into granting access via a fake OAuth consent screen. By clicking “Allow,” users handed the attacker an access token that grants entry without the attacker needing the credentials or having to bypass MFA again.

Many Semrush accounts are integrated with other Google services, such as Google Analytics and Google Cloud, meaning that these threat actors can access a host of sensitive company data.
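The phishing page described above imitated Semrush on a different top-level domain. One defensive check that catches that pattern in web-proxy logs is to compare the registrable domain of any URL that mentions a trusted brand against an allowlist of that brand's real domains. The following is an added example written for this article; it is not code from the article, from Flare, or from Semrush. The brand allowlist, the shortened public-suffix table and the proxy log lines are all constructed for illustration (a production version would load the full Public Suffix List and a maintained allowlist).

```python
"""Flag login URLs that imitate a trusted brand on a different registrable
domain (a different TLD, or the brand name used as a subdomain of an
attacker-controlled domain). Added example; not the article's or Flare's code."""
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> legitimate registrable domains.
TRUSTED = {
    "semrush": {"semrush.com"},
    "google": {"google.com"},
}

# Assumed, deliberately short stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain, e.g. 'semrush.com' or 'brand.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str):
    """Return (brand, verdict); verdict is 'trusted', 'lookalike' or 'unrelated'.

    A hostname that contains a brand keyword but whose registrable domain is
    not on that brand's allowlist is a lookalike, whatever the TLD or subdomain.
    """
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    for brand, domains in TRUSTED.items():
        if brand in host:
            return brand, ("trusted" if reg in domains else "lookalike")
    return None, "unrelated"


# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2025-03-20T09:14:02Z 10.0.0.17 GET https://accounts.google.com/signin/v2/identifier
2025-03-20T09:15:11Z 10.0.0.17 GET https://www.semrush.com/login/
2025-03-20T09:16:40Z 10.0.0.23 GET https://semrush.co/login/
2025-03-20T09:17:05Z 10.0.0.23 GET https://accounts.google.com.login-verify.example/oauth
2025-03-20T09:18:30Z 10.0.0.42 GET https://news.example/articles/1
"""


def scan_proxy_log(log_text: str):
    """Return one alert per lookalike URL seen in the log."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the scan
        ts, client, _method, url = parts[:4]
        brand, verdict = classify_url(url)
        if verdict == "lookalike":
            alerts.append({"time": ts, "client": client, "brand": brand, "url": url})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{alert['time']} {alert['client']} lookalike of {alert['brand']}: {alert['url']}")
```

The same logic works on the URL shown in the browser's address bar: the brand name appearing somewhere in the hostname proves nothing; only the registrable domain matters.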

Stop Credential Exposure From Turning Into An Attack

Malicious actors will continue to find new ways to capture sensitive data that can be used to extort companies, sell on the dark web or on cybercrime marketplaces, or to inform future attacks. While they work to outsmart the latest threat detection and bypass safety protocols, there’s one way IT teams can keep a pulse on threats and catch them before they strike. 

Companies can prevent credential leaks from becoming full account or session takeovers by continuously monitoring the clear, deep, and dark web for exposed company information and login details.

Tracking chatter or mentions of brand, domains, employee emails, or products in malicious contexts helps identify early warning signs that organizations may be targeted or already compromised.
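Monitoring of the kind described in the two paragraphs above comes down to matching collected material against the organisation's own identifiers: email addresses on company domains in credential dumps, and brand or domain mentions in forum chatter. Below is an added example of that matching step, written for this article; it is not Flare's product code. The company domains, brand terms and the feed lines are constructed for illustration, and the example stores only a truncated hash of any leaked password so that analysts never handle the plaintext.

```python
"""Match a collected feed (combolist lines and chatter) against a company's
own domains and brand terms. Added example; not Flare's or the article's code."""
import hashlib
import re

# Assumed identifiers for the monitored organisation.
COMPANY_DOMAINS = {"example.com", "corp.example.com"}
BRAND_TERMS = {"examplecorp", "example vpn"}

# Leaked credentials are commonly traded as 'email:password' lines.
COMBO_RE = re.compile(r"^([^\s:@]+@([^\s:]+)):(\S+)$")

# Constructed sample feed: three company credentials, one unrelated
# credential, one brand mention and one line of noise.
SAMPLE_FEED = """\
alice@example.com:Winter2024!
bob@corp.example.com:hunter2
carol@unrelated.example:letmein
selling fresh ExampleCorp VPN creds, 3 accounts, DM me
random chatter about the weather
dave@example.com:Summer2025?
"""


def fingerprint(secret: str) -> str:
    """Truncated SHA-256 of a leaked secret, enough to correlate across
    dumps without retaining the plaintext password."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def domain_matches(domain: str) -> bool:
    """True if the email domain is a company domain or a subdomain of one."""
    d = domain.lower()
    return any(d == cd or d.endswith("." + cd) for cd in COMPANY_DOMAINS)


def scan_feed(text: str):
    """Split the feed into exposed company credentials and brand mentions."""
    findings = {"credentials": [], "mentions": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMBO_RE.match(line.strip())
        if m:
            email, domain, secret = m.groups()
            if domain_matches(domain):
                findings["credentials"].append(
                    {"line": lineno, "email": email.lower(), "secret_fp": fingerprint(secret)}
                )
            continue
        low = line.lower()
        hits = sorted(t for t in BRAND_TERMS | COMPANY_DOMAINS if t in low)
        if hits:
            findings["mentions"].append({"line": lineno, "terms": hits, "text": line.strip()})
    return findings


def accounts_to_reset(findings) -> list:
    """Distinct company accounts whose credentials appeared in the feed."""
    return sorted({f["email"] for f in findings["credentials"]})


if __name__ == "__main__":
    result = scan_feed(SAMPLE_FEED)
    print("force password reset for:", accounts_to_reset(result))
    for mention in result["mentions"]:
        print("brand mention on line", mention["line"], "->", mention["terms"])
```

The output of `accounts_to_reset` is the list the incident-response step needs: which accounts to reset and which sessions and tokens to revoke, without ever writing the leaked passwords themselves into a ticket.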

In cases where credentials, cookies, or access tokens have been exposed in dark web forums or illicit communication channels, IT teams must list every system, device, application, and data set that may have been compromised or exposed by the leak. Simultaneously, they must review cloud applications, APIs, remote employee devices, and third-party software to ensure the attacker has no remaining entry point.

IT teams cannot protect what they do not know is exposed. Dark web monitoring helps expand their visibility; however, employees must also be trained to report signs of unusual behavior immediately. Consumers are more likely to fall prey to malicious ads on trusted websites they visit regularly.

Although many of the ads they see are legitimate, they must be trained to recognize deceptive techniques and to check the URL in the browser's address bar every time before clicking.

Nick Ascoli is Director of Product Strategy at Flare
