Scammers using Google Ads to steal $500k of cryptocurrency
Scammers used Google Ads to steal hundreds of thousands of dollars worth of cryptocurrency, according to Check Point Research.
Scammers are placing ads at the top of Google Search that imitate popular wallet brands, such as Phantom, MetaMask and Pancake Swap, to trick users into giving up their wallet passphrase and private key. CPR estimates that more than USD$500k worth of crypto was stolen in a matter of days.
Traditionally, phishing campaigns originate in email. In what appears to be a new trend, multiple scamming groups are now bidding for wallet-related keywords on Google Ads, using Google Search as an attack vector to target victims’ crypto wallets. Each advertisement contained a malicious link that, once clicked, directed a victim into a phishing website that copies the brand and messaging of the original wallet website.
How the Scam Works
According to CPR, a scammer places a Google Ad to appear first on a search query related to a crypto wallet. Victims then click on the malicious link in the Google Ad, and the victim is navigated to a phishing website that looks identical to the original wallet website. The fake website attempts to steal the user's passphrase if they already have a wallet; or will provide the user with a new passphrase for their newly created wallet. In both ways, the scammer gains access to the wallet and can proceed to steal all cryptocurrency.
What the Scams Look Like
For the domain “phantom.app”, CPR encountered phishing variants like phanton.app or phantonn.app, or even different extensions like “.pw” and more.
CPR found 11 compromised wallet accounts, each of them containing between USD$1K-10K. CPR went on to learn that the scammers withdrew some of the funds already before CPR’s discovery. By cross-referencing Reddit forums where victims voiced their theft, CPR estimates that more than $500k was stolen over the past weekend.
“In a matter of days, we witnessed the theft of hundreds of thousands of dollars worth of crypto," says Oded Vanunu, head of products vulnerabilities research at Check Point Software.
"We estimate that over $500k worth of cyrpto was stolen this past weekend alone. I believe we’re at the advent of a new cyber crime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email.
"In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging," says Vanunu.
"And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets.
"Unfortunately, I expect this to become a fast-growing trend in cyber crime. I strongly urge the crypto community to double check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.”
How to Protect Yourself
- Examine the browser URL. Only the extension should create the passphrase, and to understand if this is an extension or a website always look at the browser URL.
- Look for the extension icon. The extension will contain an extension icon near it and a chrome-extension URL:
- Never give out your passphrase. Users should never give out their passphrase, no one should ever ask for that. and it will be used again only when installing a new wallet
- Skip the ads. If you are looking for wallets or crypto trading and swapping platforms in the crypto space, always look at the first website in your search and not in the ad, as these may mislead you to getting scammed by the attackers.
- Take a look at the URL. Last but not least - always double-check the URLs!