Scammers used Google Ads to Steal ~ $500k Worth of Cryptocurrency

17
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software

Check Point Research (CPR) warns of scammers using Google Ads to steal crypto wallets, after seeing hundreds of thousands of dollars’ worth of cryptocurrency taken from victims this past weekend. Scammers are placing ads at the top of Google Search that imitate popular wallet brands, such as Phantom and MetaMask, to trick users into giving up their wallet passphrase and private key.  

·       CPR estimates that over $500k worth of crypto was stolen in a matter of days

·       CPR shares screenshots of the malicous Google Ads and phishing websites that navigated victims into theft

·       CPR urges the crypto community to stay on high-alert, offering five safety tips for people on how to stay protected 

Over the weekend, Check Point Research (CPR) observed hundreds of thousands of dollars worth of crypto stolen from wallets by scammers. To lure their victims, scammers placed Google Ads at the top of Google Search that imitated popular wallets and platforms, such as Phantom App, MetaMask and Pancake Swap. Each advertisement contained a malicious link that, once clicked, directed a victim into a phishing website that copied the brand and messaging of the original wallet website. From here, the scammers tricked their victims into giving up their wallet passwords, setting the stage for wallet theft. 

Traditionally, phishing campaigns originate in email. In what appears to be a new trend, multiple scamming groups are now bidding for wallet-related keywords on Google Ads, using Google Search as an attack vector to target victims’ crypto wallets. 

How the Scam Works 

1.       Scammer places a Google Ad to appear first on a search query related to a crypto wallet 

2.       Victim clicks on malicious link in Google Ad 

3.       Victim is navigated to a phishing website that looks identical to the original wallet website

4.       The fake website attempts to steal your passphrase, if you already have a wallet; or will provide you with a new passphrase for your newly created wallet 

5.       In both ways, the scammer gains access to your wallet and can proceed to steal all your cryptocurrency

What the Scams Look Like 

For the domain “phantom.app”, CPR encountered phishing variants like phanton.app or phantonn.app, or even different extensions like “.pw” and more.

As described above, each malicious advertisement leads to a phishing website. 

Victims Observed 

CPR found 11 compromised wallet accounts, each of them containing between $1K to $10K. CPR went onto learn that the scammers withdrew some of the funds already before CPR’s discovery. By cross-referencing Reddit forums where victims voiced their theft, CPR estimates that over $500k was stolen over the past weekend. 

Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software said: 

“In a matter of days, we witnessed the theft of hundreds of thousands of dollars worth of crypto. We estimate that over $500k worth of cyrpto was stolen this past weekend alone. I believe we’re at the advent of a new cyber crime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email. In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets. Unfortunately, I expect this to become a fast-growing trend in cyber crime. I strongly urge the crypto community to double check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.”

How to Protect Yourself 

1.       Examine the browser URL. Only the extension should create the passphrase, and to understand if this is an extension or a website always look at the browser URL.

2.       Look for the extension icon. The extension will contain an extension icon near it and a chrome-extension URL:

3.       Never give out your passphrase. Users should never give out their passphrase, no one should ever ask for that. and it will be used  again only when installing a new wallet

4.       Skip the ads. If you are looking for wallets or crypto trading and swapping platforms in the crypto space, always look at the first website in your search and not in the ad, as these may mislead you to getting scammed by the attackers.

5.       Take a look at the URL. Last but not least – always double-check the URLs!