Over the weekend, the security firm observed hundreds of thousands of dollars worth of cryptocurrency stolen from users’ crypto wallets by scammers.
While scammers traditionally use email to launch their phishing campaigns, in this case, they placed Google Ads at the top of Google Search imitating popular crypto wallets and platforms including Phantom App, MetaMask and Pancake Swap in an attempt to lure their victims. At the same time, multiple scamming groups are now bidding for wallet-related keywords on Google Ads and are using Google Search as an attack vector to target victims’ crypto wallets.
Each of the fake advertisements used in the campaign contain a malicious link that when clicked, directs victims to a phishing site which copies the brand and messaging of the original crypto wallet website. From here, the scammers trick their victims into giving up their wallet passwords in order to steal their contents.
Compromised crypto wallets
Once a victim navigates to the scammers’ fake websites, they attempts to steal their passphrase if they already have a crypto wallet with the service or they provide a new passphrase for those creating a wallet for the first time. Either way though, the scammers gain access to a victim’s crypto wallet and can then proceed to steal all of their cryptocurrency.
Check Point found 11 compromised wallet accounts with each of them containing between $1k to $10k in cryptocurrency. However, by cross-referencing Reddit forums where victims reported that the funds in their crypto wallets had been stolen, the firm estimates that over $500k was stolen during this past weekend alone.
Head of products vulnerabilities research at Check Point, Oded Vanunu provided further insight in a blog post on how scammers are now using Google Ads in Google Search to deliver their phishing campaigns, saying:
“In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets. Unfortunately, I expect this to become a fast-growing trend in cyber crime. I strongly urge the crypto community to double check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.”
To avoid falling victim to this scam and others like it, Check Point recommends that users carefully examine all of the URLs they visit in their browser, avoid crypto ads as they could be fake and never give out their passphrase to anyone online.