Data from Google Ads coupled with blockchain analytics reveals that over $4 million has been stolen from users that have fallen for malicious phishing websites promoted on Google.
According to Web3 anti-scam service provider ScamSniffer, malicious adverts for phishing websites have been prevalent on Google ads searches in recent weeks. The URLs lead to fraudulent websites that prompt wallet login signature requests that compromise users’ addresses.
A number of decentralized finance protocols, websites and brands, including Zapper.fi, Lido, Stargate, DefiLlama, Orbiter Finance and Radiant, have been targeted by scammers. Slight changes to official URLs make it difficult for users to identify that they’ve clicked on malicious links.
Analysis of metadata from a number of the phishing websites in question has been linked to advertisers located in Ukraine and Canada. The users responsible for placing the malicious adverts make use of a number of methods to bypass Google’s ad review process. This includes manipulating the Google Click ID parameter, which allows the attackers to show a normal webpage during Google’s ad review.
Other malicious adverts use anti-debugging methods to redirect users with developer tools enabled to a normal website, while a direct click takes users to the malicious website. This also allows scammers to bypass some of Google ads’ machine reviews. On-chain data analysis from addresses linked to malicious websites advertised on Google from ScamSniffer’s database suggests that $4.16 million has been stolen from over 3,000 users over the past month.