Hackers use fake Semrush ads to steal Google accounts
A fresh wave of online scams is putting business users at serious risk, as cybercriminals exploit trusted SEO tools and Google logins to steal sensitive data and billing details.
Cybercriminals are using fake adverts for popular SEO platform Semrush to trick users into giving up access to their Google accounts, researchers have warned.
The malvertising campaign features ads that link to a bogus Semrush login page, which only allows users to sign in via Google, a tactic designed to steal high-value credentials.
According to Malwarebytes, Semrush accounts are often linked to critical Google services such as Analytics and Search Console.
These tools store confidential business insights, which threat actors could exploit for strategic and financial gain. The scammers may also access names, phone numbers, business details, and partial card information through compromised Semrush accounts.
By impersonating Semrush support, attackers could deceive users into revealing full card details under the pretence of payment or billing updates. However, this may open the door to wider fraud, such as redirecting funds from vendors or business partners.
With Semrush serving over 117,000 customers, including a significant share of Fortune 500 firms, the attack underscores the growing risks of malvertising on platforms like Google.
Security experts are urging businesses to tighten account access controls and remain cautious when engaging with search ads, even from seemingly reputable brands.
For more information on these topics, visit diplomacy.edu.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.