Fraudsters Used Google Ads to Steal Around $500k Worth of Cryptocurrency

The ads serve links that purport to offer downloads of the popular crypto wallets Phantom and MetaMask, according to Check Point Research.

 

Crypto-criminals are using Google Ads to target victims with fraudulent wallets that steal credentials and empty accounts. So far, the cyber-thieves appear to have stolen more than $500,000 and counting. 

According to a recent Check Point Research analysis, the ads appear to link to downloads of the popular crypto wallets Phantom and MetaMask. The attackers use Google Ads to reach potential victims: clicking a fraudulent ad leads to a malicious site that has been built to look like the Phantom (or sometimes MetaMask) wallet site.

The researchers stated, “Over the past weekend, Check Point Research encountered hundreds of incidents in which crypto-investors lost their money while trying to download and install well-known crypto wallets or change their currencies on crypto-swap platforms like PancakeSwap or Uniswap.” 

After that, the target is prompted to create a new account with a "Secret Recovery Phrase." They must also set a password for the supposed account (which is harvested by the attackers). According to Check Point, users are then given a keyboard shortcut to open the wallet and are directed to the legitimate Phantom site, which offers the Phantom wallet Google Chrome extension. Crypto-criminals have also targeted MetaMask wallets by purchasing Google Ads that drove users to a fake MetaMask site.

The analysts further stated, “In a matter of days, we witnessed the theft of hundreds of thousands of dollars worth of crypto. We estimate that over $500k worth of crypto was stolen this past weekend alone. I believe we’re at the advent of a new cybercrime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email.” 

“In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets. Unfortunately, I expect this to become a fast-growing trend in cybercrime. I strongly urge the crypto community to double-check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.” 

Check Point researchers recommended a few protective measures: 
  1. Verify the browser's URL: Only the extension should create the password, so always check the browser URL to see whether the page is an extension or a website.
  2. Find the icon for the extension: The extension will have a chrome-extension URL and an extension icon near it.
  3. Skip the ads: When looking for wallets, crypto trading, or swapping platforms, always go to the first website that comes up in the search rather than the ad, since ads may be used by attackers to fool users.
  4. Take a look at the URL: Last but not least, double-check the URLs.
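
The URL checks in measures 1, 2 and 4, written as code. This is an added example, not code from Check Point or from the original post. The `verifiedHosts` allowlist, the use of the `gclid` parameter as an ad-click marker, and all sample hostnames are assumptions made for illustration.

```javascript
// Brands named in the article, matched as substrings of the hostname.
const WALLET_BRANDS = ["phantom", "metamask"];

// Classify the URL of a page that asks for a wallet password or
// Secret Recovery Phrase. `verifiedHosts` (hypothetical parameter) is the
// caller's own allowlist of hostnames confirmed out of band.
function classifyPromptOrigin(rawUrl, verifiedHosts = new Set()) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { kind: "invalid", risk: "high", adClick: false };
  }
  // Assumption: the landing URL carries the Google Ads auto-tagging parameter.
  const adClick = url.searchParams.has("gclid");

  // Measures 1 and 2: the genuine prompt lives at a chrome-extension:// URL.
  // The host part is the extension ID; compare it with the store listing.
  if (url.protocol === "chrome-extension:") {
    return { kind: "extension", risk: "low", adClick };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { kind: "other", risk: "high", adClick };
  }
  const host = url.hostname.toLowerCase();
  if (verifiedHosts.has(host)) {
    // Even a verified website should only link to the extension,
    // not create the wallet password itself.
    return { kind: "verified-website", risk: "medium", adClick };
  }
  // The URL parser converts internationalized names to punycode, so a
  // homoglyph spelling of a brand shows up as an "xn--" label.
  const punycode = host.split(".").some((label) => label.startsWith("xn--"));
  const brand = WALLET_BRANDS.some((b) => host.includes(b));
  if (punycode || brand) {
    return { kind: "lookalike-website", risk: "high", adClick };
  }
  return { kind: "website", risk: "medium", adClick };
}
```

A credential prompt classified as anything other than `extension` does not match the flow the recommendations describe, and `adClick: true` on a `lookalike-website` matches the ad-driven pattern reported above.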