$4 Million Stolen Due to Google Search Ad Phishing

Background

ScamSniffer has investigated numerous cases of users falling victim to phishing scams through Google’s search ads in recent weeks. These users inadvertently clicked on malicious ads and were directed to fraudulent websites, resulting in substantial financial losses.

Malicious Ads

An investigation into the keywords used by victims has uncovered numerous malicious ads at the forefront of search results. Most users, unaware of the deceptive nature of search ads, click on the first available option, which leads them to fake and malicious websites.

Targeted Brands

Analysis of the keywords reveals that some of the malicious ads and websites target brands such as Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant. The table below provides an overview of the malicious ads associated with each keyword:

Keyword            Malicious Ads
zapper             webapp-zapper.com, appfi-zapper.com
lido               lido.is
stargate           stargate-finances.online
defillama          defeilllama.com, defllllama.com
orbiter finance    orbitered.finance
radiant            radiantcapital.info

Malicious Websites

When you open the malicious Zapper advertisement, you can see that the site attempts to obtain a Permit signature granting a spender authorization over the $SUDO tokens in my wallet. If you have installed the Scam Sniffer plugin, you will receive a real-time risk alert for this request.

Currently, many wallets do not have clear risk warnings for this type of signature, and ordinary users may think it is a normal login signature and sign it without thinking twice. For more history on Permits, you can check out this article.
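The risk warning the post says most wallets lack can be expressed as a check on the typed-data request itself. The following is an added example, not ScamSniffer's or any wallet's code: it recognizes an EIP-712 request shaped like an ERC-2612 Permit (or a DAI-style permit) and grades it on three signals a user cannot easily read off a raw signing prompt: a spender the wallet has never approved, an effectively unlimited allowance, and a deadline far in the future. All addresses, the allow-list and the two sample requests are constructed placeholders.

```javascript
// Added example, not ScamSniffer's code or any wallet's: a wallet-side risk
// check for EIP-712 typed-data requests that turn out to be token Permits.
// All addresses and values below are constructed placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;

const PERMIT_TYPES = {
  Permit: [
    { name: "owner", type: "address" },
    { name: "spender", type: "address" },
    { name: "value", type: "uint256" },
    { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" },
  ],
};

// Constructed stand-in for the payload a drainer passes to eth_signTypedData_v4:
// unlimited value, far-future deadline, spender the user has never interacted with.
const SAMPLE_MALICIOUS_PERMIT = {
  types: PERMIT_TYPES,
  primaryType: "Permit",
  domain: { name: "SUDO", version: "1", chainId: 1,
            verifyingContract: "0x1111111111111111111111111111111111111111" }, // placeholder token
  message: {
    owner: "0x2222222222222222222222222222222222222222",   // placeholder victim wallet
    spender: "0x3333333333333333333333333333333333333333", // placeholder drainer contract
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: MAX_UINT256.toString(),
  },
};

// Constructed benign counterpart: bounded amount, short deadline, a known spender.
const SAMPLE_BENIGN_PERMIT = {
  ...SAMPLE_MALICIOUS_PERMIT,
  message: {
    ...SAMPLE_MALICIOUS_PERMIT.message,
    spender: "0x4444444444444444444444444444444444444444", // placeholder known router
    value: "1000000000000000000",                          // 1 token with 18 decimals
    deadline: String(1700000000 + 1800),                   // 30 minutes after "now"
  },
};

// Constructed allow-list: spenders this wallet has already approved before.
const KNOWN_SPENDERS = new Set(["0x4444444444444444444444444444444444444444"]);

// True when the typed data has the shape of an ERC-2612 Permit or a DAI-style
// permit (holder/spender/nonce/expiry/allowed).
function isPermitRequest(typedData) {
  const fields = (typedData.types?.[typedData.primaryType] ?? []).map((f) => f.name);
  const has = (n) => fields.includes(n);
  if (typedData.primaryType !== "Permit" || !has("spender")) return false;
  return (has("owner") && has("value") && has("deadline")) ||
         (has("holder") && has("expiry") && has("allowed"));
}

// Produce a risk report for a Permit request. `nowSeconds` is injected so the
// result is deterministic; a wallet would pass Math.floor(Date.now() / 1000).
function assessPermit(typedData, nowSeconds, knownSpenders = KNOWN_SPENDERS) {
  if (!isPermitRequest(typedData)) return { isPermit: false, level: "none", reasons: [] };
  const m = typedData.message;
  const reasons = [];
  const spender = String(m.spender).toLowerCase();
  const daiStyle = "allowed" in m;

  if (!knownSpenders.has(spender)) reasons.push("spender never approved by this wallet before");

  if (daiStyle) {
    if (m.allowed === true || m.allowed === "true") reasons.push("DAI-style permit grants unlimited allowance");
  } else if (BigInt(m.value) >= MAX_UINT256 / 2n) {
    reasons.push("allowance is effectively unlimited");
  }

  // ERC-2612 uses `deadline`; the DAI permit uses `expiry`, where 0 means never expires.
  const expiry = BigInt(daiStyle ? m.expiry : m.deadline);
  const oneYear = 365n * 24n * 3600n;
  if ((daiStyle && expiry === 0n) || expiry > BigInt(nowSeconds) + oneYear) {
    reasons.push("permit stays valid for more than a year");
  }

  const level = reasons.length >= 2 ? "high" : reasons.length === 1 ? "medium" : "low";
  return { isPermit: true, level, reasons, token: typedData.domain.verifyingContract, spender };
}
```

A wallet would call `assessPermit` on every `eth_signTypedData_v4` request before rendering the prompt and show the `reasons` list instead of the raw hex fields; the sample drainer request above scores "high" on all three signals, while the benign one scores "low".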

Malicious Advertisers

Analysis of the malicious ad information identifies the following advertisers as responsible for placing these ads:

  • ТОВАРИСТВО З ОБМЕЖЕНОЮ ВІДПОВІДАЛЬНІСТЮ «РОМУС-ПОЛІГРАФ» from Ukraine
  • TRACY ANN MCLEISH from Canada

Bypassing Review

The malicious ads employ several techniques to bypass Google’s ad review process, including:

Parameter Distinction

Fraudulent websites use the gclid parameter, which Google Ads appends to ad clicks to track them, to tell where a visitor came from and serve different pages accordingly. A request without a gclid, such as one made during the review phase, receives a normal webpage, while a real ad click with a gclid receives the phishing page, effectively bypassing Google's ad review process.

Debugging Prevention

Some malicious ads use anti-debugging measures that redirect users to a normal website when Developer Tools are open and serve the malicious website only when the page is accessed directly. This tactic helps bypass some of Google's automated ad reviews.

These bypass techniques allow the malicious ads to deceive Google’s ad review process and ultimately cause significant losses for users.

Recommended Improvements for Google Ads

  • Integration of a Web3-focused malicious website detection engine (e.g., ScamSniffer)
  • Continuous monitoring of landing pages throughout the ad placement lifecycle to promptly identify dynamic switching or deception through parameters
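The parameter-based switching described under "Parameter Distinction" and the continuous landing-page monitoring recommended above can be checked with the same routine: fetch the advertised URL the way a crawler sees it, the way a real ad click reaches it (with a gclid) and with a Google referer, then compare the results. The block below is an added example, not ScamSniffer's or Google's code. Network access is behind an injectable `fetchPage` function, and the two fetchers at the bottom are constructed stand-ins for a cloaking site and an honest site; the domain `example.invalid` and the page bodies are placeholders.

```javascript
// Added example, not ScamSniffer's or Google's code: a landing-page
// consistency check of the kind an ad reviewer could run. It fetches the
// advertised URL under several request variants and reports when the content
// diverges. The two fetchers at the bottom are constructed stand-ins.

// Variants to compare: the bare URL (what a crawler sees), the URL with a
// gclid (what a real ad click carries) and the bare URL with a Google referer.
function buildVariants(landingUrl) {
  const withGclid = new URL(landingUrl);
  withGclid.searchParams.set("gclid", "review-probe-0"); // placeholder click id
  return [
    { label: "bare", url: landingUrl, headers: {} },
    { label: "gclid", url: withGclid.toString(), headers: {} },
    { label: "google-referer", url: landingUrl, headers: { referer: "https://www.google.com/" } },
  ];
}

// Collapse whitespace and strip comments so cosmetic differences do not count.
function normalizeHtml(html) {
  return html.replace(/<!--[\s\S]*?-->/g, "").replace(/\s+/g, " ").trim().toLowerCase();
}

// 32-bit FNV-1a, enough to fingerprint a page for equality comparison.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Where the request ended up, ignoring query and fragment, so an honest site that
// simply keeps ?gclid=... in the URL is not flagged as a redirect.
function finalLocation(url) {
  const u = new URL(url);
  u.search = "";
  u.hash = "";
  return u.toString();
}

// fetchPage(url, headers) -> { finalUrl, body }. Synchronous here to keep the
// example self-contained; a real fetcher would be async and awaited.
function checkLandingPage(landingUrl, fetchPage) {
  const results = buildVariants(landingUrl).map((v) => {
    const { finalUrl, body } = fetchPage(v.url, v.headers);
    const norm = normalizeHtml(body);
    return {
      label: v.label,
      location: finalLocation(finalUrl),
      fingerprint: fnv1a(norm),
      // Signals worth surfacing to a reviewer even when the content is consistent.
      asksForSignature: /connect wallet|approve|permit|signature/.test(norm),
      hasDebuggerTrap: /\bdebugger\b/.test(norm),
    };
  });
  const base = results[0];
  const divergent = results
    .filter((r) => r.fingerprint !== base.fingerprint || r.location !== base.location)
    .map((r) => r.label);
  return { verdict: divergent.length ? "cloaking-suspected" : "consistent", divergent, results };
}

// Constructed stand-in for a cloaking site: a harmless page for requests without
// a gclid (the reviewer) and a wallet-connect page for real ad clicks.
const HARMLESS_PAGE = "<html><body><h1>Portfolio tracker</h1><p>Track your DeFi positions.</p></body></html>";
const DRAINER_PAGE = "<html><body><h1>Portfolio tracker</h1><button>Connect wallet</button><script>debugger;</script></body></html>";

function fakeCloakingFetch(url, headers) {
  const hasGclid = new URL(url).searchParams.has("gclid");
  return { finalUrl: url, body: hasGclid ? DRAINER_PAGE : HARMLESS_PAGE };
}

// Constructed honest site: the same page for everyone, with a build comment
// that normalization must ignore.
function fakeHonestFetch(url, headers) {
  return { finalUrl: url, body: HARMLESS_PAGE + "<!-- build 42 -->" };
}

// Usage with the placeholder domain:
// checkLandingPage("https://example.invalid/app", fakeCloakingFetch).verdict
```

Run periodically against every active ad's landing page rather than once at approval, the check catches a site that switches behaviour after review as well as one that cloaks from the start; the `hasDebuggerTrap` flag does not prove the anti-debugging redirect described above, but it marks pages whose scripts deserve a manual look.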

Stolen Estimate

Analysis of on-chain data from addresses associated with the malicious ad websites in ScamSniffer’s database reveals that approximately $4.16 million has been stolen from around 3,000 victims, with most of the theft occurring in the last month.

Details: https://dune.com/scamsniffer/google-search-ads-phishing-stats

Fund Flow

By analyzing several larger fund collection addresses, it was found that some funds were deposited into SimpleSwap, Tornado.Cash, KuCoin, and Binance, among others.

0xe018b11f700857096b3b89ea34a0ef5133963370
0xdfe7c89ffb35803a61dbbf4932978812b8ba843d
0x4e1daa2805b3b4f4d155027d7549dc731134669a
0xe567e10d266bb0110b88b2e01ab06b60f7a143f3
0xae39cd591de9f3d73d2c5be67e72001711451341

ROI Estimation

Ad analysis platforms suggest that the average cost per click for these keywords is around $1-$2. Assuming a conversion rate of about 40%, the roughly 3,000 victims correspond to about 7,500 users clicking on the ads, which puts the advertising cost at approximately $15,000. This yields an estimated ROI of about 276% = 414/15 based on the cost per click.

Conclusion

The analysis reveals that the advertising cost of most phishing ads is relatively low. These malicious ads successfully deceive Google’s ad review process through technical means and disguises, resulting in their visibility to users and causing significant harm.

To minimize the risk of falling victim to such scams, users should exercise caution when using search engines and actively block content in the advertising area. Furthermore, it is crucial for Google Ads to strengthen its review process for Web3 malicious ads to better protect users.

Lastly, thanks to 23pds@SlowMist, @Tay, bax1337@ConvexLabs, SunSec@DeFiHackLabs, ZachXBT, and Teddy@Biteye for reviewing the data and content!

About Scam Sniffer

Scam Sniffer is an anti-scam platform that combines off-chain and on-chain monitoring data to provide real-time anti-scam protection for web3 users.

We’ve helped well-known platforms protect their users and are committed to making web3 secure for the next billion users.
