Hackers Using Fake Semrush Ads to Steal Google Accounts Login Credentials

A sophisticated phishing campaign targeting Google account credentials through fake Semrush advertisements has emerged, posing a significant threat to digital marketers and SEO professionals.

Cybercriminals have deployed numerous malicious advertisements that appear legitimate in Google search results, leveraging Semrush’s growing popularity in the SEO industry to lure unsuspecting victims.

Malicious Ads (Source – Malwarebytes)

These fraudulent ads redirect users to convincing replicas of the Semrush login page, where they are prompted to authenticate with their Google accounts.

The attack represents a concerning evolution in phishing tactics, as it specifically targets professionals who use SEO and marketing platforms, potentially giving attackers access to valuable business analytics and competitive intelligence.

When victims click on these deceptive ads, they are redirected through a chain of domains before landing on the phishing page that closely mimics Semrush’s authentic login interface.

Fake login page (Source – Malwarebytes)

The attackers have meticulously designed these pages to appear legitimate, including properly formatted logos, layout, and messaging that creates a false sense of security.

Malwarebytes researchers identified that this campaign appears to be operated by the same threat actors who previously targeted Google Ads accounts using Google Sites earlier this year.

“We believe the criminals behind it likely regrouped and switched to a less direct approach, yet one that might deliver just as much,” noted security researcher Jérôme Segura in his analysis of the infrastructure.

Fake Google account authentication page (Source – Malwarebytes)

The researchers discovered that while the phishing page displays both standard login options and “Log in with Google” buttons, only the Google authentication option is actually enabled.

The attackers have established an extensive network of malicious domains, all variations on the Semrush name, including semrush.tech, semrush-pro.click, ads-semrush.com, and semrush.works.

Each ad uses a unique domain that redirects to more static domains dedicated to the fake login pages, making detection and takedown more challenging.

Technical Infrastructure

Examining the attack chain reveals a sophisticated multi-stage redirection process.

When a victim clicks on one of these malicious ads, they are first sent to a primary domain (e.g., semrush.works/?gad_source=1&gclid=…) which returns a 200 status code before redirecting to a secondary phishing domain (e.g., sem-rushhh.com).
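The two defender-side signals in this chain are the lookalike domains (all variations on the Semrush name) and the ad-click to redirect hop sequence. The following is an added triage example, not code from the article or from Malwarebytes. It flags hosts whose labels collapse to the brand name ("sem-rushhh" becomes "semrush"), walks a redirect chain hop by hop, and marks a chain as suspicious when it starts from a Google Ads click identifier and passes through a lookalike host. The chain is simulated with a constructed lookup table so it runs offline; the legitimate domain set, the ad-click parameter names and the naive registered-domain split are assumptions, not facts from the page.

```python
"""Triage for ad-driven lookalike redirect chains (added example, not the article's code)."""
import re
from urllib.parse import urlsplit, parse_qs

BRAND = "semrush"
LEGIT_DOMAINS = {"semrush.com"}            # assumption: the vendor's real registered domain
AD_CLICK_PARAMS = {"gclid", "gad_source", "gbraid", "wbraid"}  # Google Ads click identifiers


def registered_domain(host):
    """Naive eTLD+1: last two labels. A real deployment would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_label(label):
    """Strip non-letters and collapse repeated letters so 'sem-rushhh' -> 'semrush'.
    Collapsing would over-normalize brands that legitimately contain double letters."""
    letters = re.sub(r"[^a-z]", "", label.lower())
    return re.sub(r"(.)\1+", r"\1", letters)


def is_lookalike(host):
    """True if any label of the host normalizes to contain the brand and the
    registered domain is not one of the known legitimate domains."""
    if registered_domain(host) in LEGIT_DOMAINS:
        return False
    return any(BRAND in normalize_label(label) for label in host.lower().split("."))


def walk_chain(start_url, fetch, max_hops=10):
    """Follow a chain using fetch(url) -> (status, next_url_or_None).
    next_url models either a Location header or a client-side (meta/JS) redirect,
    which is why a 200 can still lead to another hop, as in the article.
    Returns a list of (url, status) hops and stops on loops or max_hops."""
    hops, seen, url = [], set(), start_url
    while url and len(hops) < max_hops:
        if url in seen:
            hops.append((url, "loop"))
            break
        seen.add(url)
        status, next_url = fetch(url)
        hops.append((url, status))
        url = next_url
    return hops


def triage(start_url, fetch):
    """Combine the ad-click signal with lookalike hosts seen anywhere in the chain."""
    params = parse_qs(urlsplit(start_url).query)
    ad_driven = bool(AD_CLICK_PARAMS & set(params))
    hops = walk_chain(start_url, fetch)
    lookalike_hosts = [urlsplit(u).hostname for u, _ in hops
                       if is_lookalike(urlsplit(u).hostname or "")]
    return {
        "ad_driven": ad_driven,
        "hops": hops,
        "lookalike_hosts": lookalike_hosts,
        "suspicious": ad_driven and bool(lookalike_hosts),
    }


# Constructed simulation of the chain the article describes (placeholder click id).
SIMULATED = {
    "https://semrush.works/?gad_source=1&gclid=CONSTRUCTED": (200, "https://sem-rushhh.com/login"),
    "https://sem-rushhh.com/login": (200, None),
    "https://www.semrush.com/?gclid=CONSTRUCTED": (200, None),   # benign ad click, for contrast
}


def simulated_fetch(url):
    """Stand-in for an HTTP client; unknown URLs return 404 with no next hop."""
    return SIMULATED.get(url, (404, None))


if __name__ == "__main__":
    for start in ("https://semrush.works/?gad_source=1&gclid=CONSTRUCTED",
                  "https://www.semrush.com/?gclid=CONSTRUCTED"):
        print(triage(start, simulated_fetch))
```

In production the `fetch` callback would be a sandboxed HTTP client that also parses meta-refresh and JavaScript `location` assignments out of 200 responses, since the article notes the first domain answers 200 before handing off; the rest of the logic stays the same.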

Redirecting to a secondary phishing domain (Source – Malwarebytes)

This secondary domain hosts the convincing Semrush-branded landing page that prominently features the Google authentication option.

The phishing form captures credentials and transmits them to the attackers’ servers, while presenting users with convincing error messages or redirects to maintain the illusion of legitimacy.

This carefully constructed deception chain demonstrates the increasing sophistication of modern phishing operations targeting business-critical platforms and credentials.
