Malicious Actors Mislead Corporate Workers To Steal Google Credentials

Corporate workers are no strangers to Google Ads that steer them towards malicious replicas of legitimate websites and applications. We saw it back in 2023 with LOBSHOT, and we're seeing it today with Semrush.

The LOBSHOT infection chain began when someone performed an Internet search for legitimate software, like the remote desktop solution AnyDesk. Google Ads delivered a promoted "AnyDesk" result that was actually a malicious site. Now, malicious Semrush Google ads are reeling victims in.

These attacks are linked to a growing adoption of malvertising. Malware-based threats surged in the first half of 2024, up by 30% compared to the same period in 2023, according to SonicWall's 2024 Mid-Year Cyber Threat Report. Stealing credentials may seem relatively harmless on the surface, but these threats are often the entry point to fully interactive remote control capabilities.

How Malvertising Works

The LOBSHOT campaign used a hidden virtual network computing (hVNC) component that allowed unobserved access to the victim's software. The malware plugin employed dynamic import resolution to evade security products, resolving each imported function only at the moment it was needed. This helped the malware hide its capabilities from security tools that scan software before it runs.

Later attacks, such as the Semrush scam, focused on credential theft without deploying such advanced remote access tools. Malicious actors deceived users into visiting counterfeit Semrush login pages that were designed to harvest Google account credentials when users selected the "Log in with Google" option.

The new tactic, known as SEO poisoning, optimized those fake pages to appear high in Google search results for terms like "Semrush login" or "Semrush analytics". After clicking the ad, users were taken to a phishing site that looked like Semrush but used a different top-level domain.

After users entered their password and completed multi-factor authentication (MFA), they were tricked into granting access via a fake OAuth consent screen. By clicking "Allow," users handed the attacker an access token that allowed entry without needing the credentials or bypassing MFA again.

Many Semrush accounts are integrated with other Google services, like Google Analytics and Google Cloud, meaning that these threat actors can access a host of sensitive company data.

Stop Credential Exposure From Turning Into An Attack

Malicious actors will continue to find new ways to capture sensitive data that can be used to extort companies, be sold on the dark web or on cybercrime marketplaces, or inform future attacks. While they work to outsmart the latest threat detection and bypass safety protocols, there is one way IT teams can keep a pulse on threats and catch them before they strike.

Companies can prevent credential leaks from becoming full account or session takeovers by continuously monitoring the clear, deep, and dark web for exposed company information and login details.

Tracking chatter or mentions of brand, domains, employee emails, or products in malicious contexts helps identify early warning signs that organizations may be targeted or already compromised.

In cases where credentials, cookies, or access tokens have been exposed in dark web forums or illicit communication channels, IT teams must list all the systems, devices, software, or data that may have been compromised or exposed by the leak. Simultaneously, they must assess cloud applications, APIs, remote employee devices, and third-party software to ensure an attacker has no way in.

IT teams cannot protect what they do not know is exposed. Dark web monitoring helps expand their visibility; however, employees must also be trained to report signs of unusual behavior immediately. Consumers are more likely to fall prey to malicious ads on trusted websites they visit regularly.

Although many of the ads they see are legitimate, they must be trained to recognize deceptive techniques and to check the URL at the top of the web page before clicking, every time.
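The "check the URL" advice above can be automated for a list of protected brands: the phishing site in the Semrush campaign carried the brand name under a different top-level domain, so a URL whose hostname contains a protected brand but whose registrable domain is not on the allowlist should be flagged as a lookalike. The following is an added example, not code from the article or from Flare; the allowlist and sample URLs are constructed for illustration, and registrable-domain extraction is simplified to the last two labels (it ignores multi-label public suffixes such as co.uk).

```python
from urllib.parse import urlparse

# Constructed allowlist for this example: brand name -> registrable domains
# that legitimately host its login pages. Verify against your own records.
LEGIT_DOMAINS = {
    "semrush": {"semrush.com"},
    "anydesk": {"anydesk.com"},
}


def registrable_domain(host: str) -> str:
    """'login.semrush.com' -> 'semrush.com'. Simplified: last two labels only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> dict:
    """Return a verdict of 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)

    # Exact match on the registrable domain is the only thing that counts as legitimate.
    for brand, allowed in LEGIT_DOMAINS.items():
        if reg in allowed:
            return {"url": url, "brand": brand, "verdict": "legitimate",
                    "reason": f"registrable domain {reg} is allowlisted"}

    # Brand name present in the hostname but the registrable domain is untrusted:
    # catches a different TLD (semrush.xyz), brand-as-subdomain (semrush.com.evil.example)
    # and hyphenated variants (login-semrush.net).
    for brand in LEGIT_DOMAINS:
        if brand in host.replace("-", ""):
            return {"url": url, "brand": brand, "verdict": "lookalike",
                    "reason": f"'{brand}' appears in host but registrable domain is {reg}"}

    return {"url": url, "brand": None, "verdict": "unrelated",
            "reason": "no protected brand in host"}


def flag_lookalikes(urls: list) -> list:
    """Filter a batch of URLs (e.g. sponsored results seen by a proxy) down to lookalikes."""
    return [r for r in map(classify_url, urls) if r["verdict"] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample of search-result URLs; none are real indicators.
    sample = ["https://www.semrush.com/login", "https://semrush.xyz/login",
              "https://semrush.com.account-verify.example/login", "https://example.org/"]
    for hit in flag_lookalikes(sample):
        print(hit["verdict"], hit["url"], "-", hit["reason"])
```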

Nick Ascoli is Director of Product Strategy at Flare
