Fraudsters managed to steal USD 500,000 worth of crypto in a matter of days using a new phishing method. They take advantage of Google Ads to redirect users to fake crypto wallets.
According to a Check Point Research report, these cybercriminals carried out their actions by buying Google Ads for sites that imitated several popular crypto wallets. Among them are the Phantom wallet and MetaMask, which are widely used to store Solana and Ethereum.
When someone searches for 'phantom' on Google, the Google Ad search results that appear at the very top will direct them to a phishing site that is made to look like the original site. The user is then faced with a fake login page.
If the user chooses to log in with their username and password, those credentials are captured by the fraudster. If the user chooses to create a new wallet, they are prompted to use a recovery password, which places them in a wallet controlled by the fraudster.
"This means that if they transfer the funds, the attacker will get it right away," said Check Point Research, as quoted by The Verge, Monday (11/8/2021).
Check Point Research also found that scammers were using fake URLs that looked similar to the real thing to trick users. For example, the user will be redirected to the site phanton.app or phantonn.app, even though the correct site is phantom.app.
Check Point Research researchers say they started noticing scams like this after seeing complaints from crypto investors on Reddit and other forums about their funds suddenly disappearing. They estimate this phishing campaign has fetched half a million dollars in a few days.
"I believe the city is facing a new cybercrime trend, where fraudsters are using Google Search as the primary attack vector to reach crypto wallets, instead of traditional phishing via email," said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point.
"And what is most worrying is that several groups of fraudsters are bidding on keywords in Google ads, which may signal the success of this new phishing campaign aimed at robbing crypto wallets."
When asked for comment by The Verge, a Google spokesperson said such actions violate their policies. The scammer's account has been suspended, and the ads have also been removed.
To avoid crypto phishing scams like these, Check Point Research advises users to click on actual search results, not Google Ads, and always check the URLs of the sites visited.
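The URL check recommended above can be automated. The following is an added example, not code from Check Point Research or the original article: it flags hosts that sit within a small edit distance of an allowlisted wallet domain, using the phantom.app, phanton.app and phantonn.app names from the report. The allowlist contents, the threshold of 2 and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Allowlist of genuine wallet hosts. Only phantom.app is named in the article;
# extend the set with the other services you actually use (assumption).
KNOWN_GOOD = {"phantom.app"}
MAX_DISTANCE = 2  # assumed threshold for "looks like the real host"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'genuine', 'lookalike:<real host>' or 'unknown' for a URL."""
    # Accept bare hosts such as "phanton.app" as well as full URLs.
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for good in KNOWN_GOOD:
        # Exact match, or a subdomain of the genuine registered name.
        if host == good or host.endswith("." + good):
            return "genuine"
    for good in KNOWN_GOOD:
        # Near miss: one or two character edits away from the real host.
        if 0 < edit_distance(host, good) <= MAX_DISTANCE:
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs built from the host names quoted in the report.
    for sample in ("https://phantom.app/",
                   "https://www.phanton.app/login",
                   "phantonn.app",
                   "https://example.com/"):
        print(f"{sample:35} -> {classify(sample)}")
```

A result of "unknown" only means the host is not close to anything on the allowlist; it is not a statement that the site is safe.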