Scammers Use Google Ads To Steal Hundreds Of Thousands Of Dollars With Fake Crypto Wallets
The crypto world is full of dangers, with scammers on the prowl for newbies and novices alike. A recent report from security firm Check Point Research (CPR) highlights a potent form of attack: using Google Ads to direct users to fake crypto wallets. In its report, CPR said it has seen around half a million dollars stolen by these methods in the past few days alone.
Here is how the scam works. The attacker purchases Google Ads that appear in response to searches for popular crypto wallets (the software used to store cryptocurrency, NFTs, etc.). CPR says it has noticed scams targeting the Phantom and MetaMask wallets, which are the most popular wallets for the Solana and Ethereum ecosystems, respectively.
When an unsuspecting user searches Google for “Phantom,” the Google ad result (which appears above the actual search results) directs them to a phishing website that looks like the real one. Then one of two things happens: either the user enters their credentials, which the attacker keeps, or, much stranger, if they try to create a new wallet, they’re told to use a recovery password that actually logs them into a wallet controlled by the attacker, not their own. “This means that if they transfer funds, the attacker will get it immediately,” explains CPR.
As with phishing scams in general, attackers rely on their bogus login pages looking as close to the real thing as possible. CPR notes that it has seen attackers use fake URLs to trick users, directing them to phanton.app or phantonn.app, for example, instead of the correct phantom.app. The group has also seen similar phishing scams used to direct users to bogus crypto exchanges masquerading as legitimate outfits like PancakeSwap and UniSwap.
CPR researchers say they started noticing these scams after seeing crypto users complain about their losses on Reddit and other forums. They estimate that “at least half a million dollars” have been stolen in recent days.
“I think we are on the cusp of a new trend in cybercrime, where crooks will use Google search as the primary attack vector to reach crypto wallets, instead of traditionally phishing via email,” CPR’s Oded Vanunu said in a press release. “The phishing websites that victims were directed to reflected meticulous copying and imitation of wallet brand messages. And what is most alarming is that several scam groups are bidding for keywords on Google Ads, which is probably a sign of the success of these new phishing campaigns which aim to steal crypto wallets.”
When asked to comment on these reports, a Google spokesperson said, “This behavior directly violates our policies and we immediately suspended these accounts and removed the ads. It appears to be a malicious actor looking for ways to escape our detection. We are always adjusting our enforcement mechanisms to prevent these abuses.”
CPR offers a few tips for users who hope to avoid these pitfalls, including never clicking on Google Ads results, but instead looking at search results and always checking the URL of the site you are visiting.
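The URL check recommended here, and the lookalike domains described earlier (phanton.app and phantonn.app versus phantom.app), can be automated in a mail gateway, proxy log review or browser extension. The following is an added example, not code from CPR or the article; the allowlist contents, the distance threshold of 2 and the function names are assumptions chosen for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Legitimate wallet domain named in the article; extend with your own allowlist.
KNOWN_GOOD = {"phantom.app"}
MAX_DISTANCE = 2  # assumed threshold: edits tolerated before a name stops looking like a copy


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host of a URL, tolerating a missing scheme and a leading www."""
    if "//" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(url: str) -> tuple[str, str | None]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched legitimate domain)."""
    host = hostname(url)
    labels = host.split(".")
    for good in sorted(KNOWN_GOOD):
        if host == good or host.endswith("." + good):
            return "trusted", good
    for good in sorted(KNOWN_GOOD):
        n = good.count(".") + 1
        # Slide a window of n labels across the host, so login.phanton.app and
        # phantom.app.example.net are both compared against phantom.app.
        windows = {".".join(labels[i:i + n]) for i in range(len(labels) - n + 1)}
        if any(edit_distance(w, good) <= MAX_DISTANCE for w in windows):
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for url in ("https://phantom.app", "http://phanton.app", "phantonn.app/login"):  # constructed samples
        print(url, classify(url))
```

Short legitimate domains sit within two edits of many unrelated names, so a real deployment would tune the threshold per brand and treat a "lookalike" result as a prompt for review rather than proof of phishing.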
Update, November 5, 11:03 am ET: Updated with comment from Google.