FBI warns of cybercriminals abusing search ads to promote phishing sites

The Federal Bureau of Investigation says that cybercrime gangs are using search results and search engine ads to lure victims on phishing sites for financial institutions in order to collect their login credentials.

"The schemes resulted in illicit ACH transfers amounting to hundreds of thousands of dollars in financial losses," the FBI said in a private industry notification (PIN) send to the US private sector on Tuesday.

The PIN alert, which The Record cannot share due to TLP sharing restrictions, describes a particular phishing campaign mimicking the brand of an unnamed US-based financial institution.

"The cyber actors conducted two versions of the scheme," the FBI said.

In the first version, the threat actor used search engine ads, while in the second version, they relied on the phishing site appearing in organic search results on its own.

In both versions of the scheme,the spoofed portal prompted customers to enter account credentials and telephone numbers,and to answer security questions.These actions failed to grant access, at which point the account holder would receive a telephone call from the cyber actor who falsely claimed to represent the financial institution. While this individual occupied the customer in a lengthy process purported to restore account access, an associate would access the financial institution's legitimate portal using the customer's stolen credentials and initiate wire transfers from the account. Victims subsequently learned about the illicit transfers from the financial institution or when they eventually logged into the correct portal.

FBI PIN alert 20210511-001

Scheme has become very popular since at least last year

While the FBI said this particular campaign has been taking place since at least March 2021, this reporter has been looking into this new tactic since at least mid-2020.

A FireEye malware analyst who did not want his name shared for this article because he was not authorized to speak for the company told this reporter over the winter that placing search engine ads linking to malicious sites has become a go-to tactic for multiple groups and not just those looking to steal funds from bank accounts.

Threat actors also used similar search engine ads to draw users to phishing sites mimicking cryptocurrency-related portals and to sites peddling malware-laced downloads.

Benoit Ancel, a security researcher at the CSIS Security Group and one of today's leading malware hunters, has also previously noted this trend in a series of tweets last September.

Speaking if the devil "I need traffic from Google Ads to my fake EU banks, payment - 1k of traffic = 1k $ +% of profit. Priority is given to people with similar experience." pic.twitter.com/UYxsqH4nzo

— Benkøw moʞuƎq (@benkow_) September 6, 2020

While threat actors have used search ads in previous years, the trend has gained momentum over the past year, especially after malware distribution channels like exploit kits and email spam started to lose their efficacy in recent years as web browsers and email service providers have gotten better at spotting abuse.