Malwarebytes researcher exposes phishing campaign targeting SEO pros
Jérôme Segura, a security researcher at Malwarebytes, has uncovered a new phishing campaign impersonating Semrush to target SEO professionals and businesses. The campaign aims to steal Google account credentials, granting attackers access to sensitive data within Google Analytics and Search Console, as well as information stored within Semrush itself.

Segura revealed that the campaign leverages malicious Google Ads that redirect users to fraudulent Semrush login pages. These pages, while mimicking the legitimate Semrush interface, only offer a "Log in with Google" option, tricking victims into entering their Google account credentials.
"With 40% of Fortune 500 companies and 117,000 paying customers relying on Semrush, the platform presents a highly attractive target for online criminals," Segura wrote in a blog post.
The campaign marks a shift in tactics from a previous phishing operation that targeted Google accounts directly through Google Ads and abused Google Sites. Researchers believe the perpetrators have adapted their approach, opting for a less direct but potentially equally effective method.
Data theft and potential for further fraud
Compromised Google accounts give attackers access to valuable data in Google Analytics (GA) and Google Search Console (GSC): detailed website performance metrics, user behavior patterns and, where e-commerce tracking is enabled, financial data such as revenue and transaction volumes.
"E-commerce tracking in GA shows revenue, transaction volumes, average order values, and conversion rates by channel (organic search, paid ads). When malicious actors access the Google Analytics account, they can see a wealth of confidential information belonging to the publisher. For companies, this is a direct peek into financial performance," the blog post reads.
Furthermore, the attackers can leverage information stored within Semrush accounts, such as names, phone numbers, business addresses, and partial credit card details, to conduct further fraudulent activities. This includes impersonating businesses to deceive vendors and partners, or tricking victims into providing full credit card details under the guise of Semrush support.
Some of the malicious domains identified include:
adsense-word[.]com
seemruush[.]com
semrush-auth[.]com
auth[.]semrush[.]help
sem-rushh[.]com
semrush[.]works
semrush[.]click
semrush[.]tech
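A practical use of the list above is to sweep proxy or DNS logs for it. The following Python script is an added example, not code from the article or from Malwarebytes: it refangs the defanged domains, flags any logged host that equals or sits under one of them, and adds a simple edit-distance lookalike check against the brand name so that variants not yet on the list still surface. The log format, the sample log lines, the treatment of semrush.com as the only legitimate domain and the cut-off of two edits are constructed assumptions.

```python
import re
from typing import Dict, List

# Defanged domains exactly as published in the article.
DEFANGED_IOCS = [
    "adsense-word[.]com",
    "seemruush[.]com",
    "semrush-auth[.]com",
    "auth[.]semrush[.]help",
    "sem-rushh[.]com",
    "semrush[.]works",
    "semrush[.]click",
    "semrush[.]tech",
]

BRAND = "semrush"
LEGIT_DOMAIN = "semrush.com"  # assumption: the genuine service lives here


def refang(domain: str) -> str:
    """Turn 'semrush[.]tech' back into 'semrush.tech', lowercased and trimmed."""
    return domain.replace("[.]", ".").strip().lower()


IOC_SET = {refang(d) for d in DEFANGED_IOCS}


def matches_ioc(host: str) -> bool:
    """True if host is an IOC or a subdomain of one (e.g. login.semrush-auth.com)."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_SET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(host: str, max_dist: int = 2) -> bool:
    """Heuristic: any non-TLD label, or hyphen-separated piece of one, within
    max_dist edits of the brand name, on a host that is not the legitimate domain."""
    host = host.lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    parts = set()
    for label in host.split(".")[:-1]:  # skip the TLD itself
        parts.add(label.replace("-", ""))
        parts.update(label.split("-"))
    return any(levenshtein(p, BRAND) <= max_dist for p in parts if p)


# Constructed proxy log lines; the format is an assumption for this example.
SAMPLE_PROXY_LOG = """\
2025-03-20T10:01:02Z user=alice host=www.semrush.com path=/login
2025-03-20T10:02:15Z user=bob host=Semrush-Auth.com path=/accounts/google
2025-03-20T10:03:44Z user=carol host=ads.google.com path=/aclk
2025-03-20T10:04:09Z user=dave host=auth.semrush.help path=/oauth
2025-03-20T10:05:31Z user=erin host=semrussh-login.net path=/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) path=(?P<path>\S+)$")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose host is a listed IOC or a brand lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m["host"]
        if matches_ioc(host):
            reason = "ioc"
        elif brand_lookalike(host):
            reason = "lookalike"
        else:
            continue
        hits.append({"user": m["user"], "host": host.lower(), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_PROXY_LOG):
        print(hit)
```

The IOC match is the high-confidence signal and should drive the response; the lookalike heuristic is a triage aid and will produce noise on partner or reseller domains that legitimately carry the brand name, so tune the cut-off and the allow-list before alerting on it.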
Warning and prevention
The campaign is another example of brand impersonation delivered through search advertising, and of how a single compromised Google account can expose data held across several connected services. Researchers urge individuals and businesses to put controls around the accounts that hold this data.
"This should be a wakeup call to take steps to prevent such exposure by enforcing guard rails to anyone who manages an account for themselves or a company," the blog post concluded.