Malicious ads target Semrush users to steal Google Account credentials

Cybercriminals are increasingly exploiting the popularity of Semrush, a widely used SEO, advertising, and market research SaaS platform, to steal Google account credentials, according to researchers from Malwarebytes. The researchers uncovered a sophisticated campaign involving a series of malicious ads that appear on Google Search when users search for Semrush-related services.

Each malicious ad in the campaign is tied to a unique domain name, which redirects users to a static domain specifically designed to display the fraudulent Semrush and Google account login pages.
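The many-domains-to-one-landing-page pattern described above can be hunted for in web proxy logs. The following is an added example, not code from Malwarebytes or this article: the log format, the host names and the `min_sources` threshold are constructed assumptions, and the `Referer` value used to recognise search clicks is also an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not campaign data). Assumed fields:
# time, client, Referer, requested URL, HTTP status, Location ("-" if none).
SAMPLE_LOG = """\
2025-03-24T09:01:02Z 10.0.0.5 https://www.google.com/ https://ad-one.example/lp 302 https://landing.example/login
2025-03-24T09:14:40Z 10.0.0.9 https://www.google.com/ https://ad-two.example/go 302 https://landing.example/login
2025-03-24T10:03:11Z 10.0.0.7 https://www.google.com/ https://ad-three.example/ 301 https://landing.example/login
2025-03-24T10:20:00Z 10.0.0.5 https://www.google.com/ https://shop.example/ 301 https://www.shop.example/
2025-03-24T11:00:00Z 10.0.0.8 https://news.example/ https://ad-four.example/x 302 https://landing.example/login
2025-03-24T11:05:00Z 10.0.0.8 https://www.google.com/ https://ad-one.example/lp 200 -
"""

SEARCH_REFERRERS = {"www.google.com"}  # assumption: search clicks carry this Referer
REDIRECT_CODES = {"301", "302", "303", "307", "308"}


def host(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def same_site(a, b):
    """Rough check: identical hosts, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def redirect_fan_in(log_text, min_sources=3):
    """Map each landing host to the distinct unrelated hosts that redirected
    search-referred clicks to it, keeping hosts with >= min_sources sources."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than guessing fields
        _ts, _client, referer, url, status, location = parts
        if status not in REDIRECT_CODES or location == "-":
            continue
        if host(referer) not in SEARCH_REFERRERS:
            continue
        src, dst = host(url), host(location)
        # Ignore ordinary same-site redirects such as example -> www.example.
        if not src or not dst or same_site(src, dst):
            continue
        sources[dst].add(src)
    return {d: sorted(s) for d, s in sources.items() if len(s) >= min_sources}
```

A landing host returned by `redirect_fan_in` is a candidate for review, not a verdict; the hosts it lists are the per-ad domains worth checking against sign-in activity from the same clients.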

Once users click on the ads, they are confronted with a page that prompts them to sign in using their Google credentials. The legitimate option to log in with Semrush credentials is disabled, making it impossible for users to access the service without providing their Google login details.

The primary goal of this phishing scheme is to harvest Google account credentials. This gives attackers not only access to the victim’s Google account but also the potential to place additional malicious ads within Google Ads.

Additionally, Semrush accounts are frequently tied to high-value Google accounts, particularly for businesses that rely on the platform for SEO and analytics purposes. Once cybercriminals gain access to both a Semrush and Google account, they can extract a wealth of confidential information. Google Analytics (GA) and Google Search Console (GSC) contain highly sensitive data about a website's performance, user behavior, and business strategies.

Besides Google Analytics and Search Console data, Semrush accounts store valuable personal and business information that could be exploited by cybercriminals. This includes the victim’s name, phone number, business details, email address, and even the last four digits of a Visa card. Using this data, attackers could easily impersonate the victim or their business, gaining further access to financial accounts or other confidential business materials.
