WordPress hosting provider Kinsta is warning customers that Google ads have been observed promoting phishing sites to steal hosting credentials.
Kinsta says the phishing attacks aim to steal login credentials for MyKinsta, a key service the company offers to manage WordPress and other cloud-based apps.
In an email sent to its customers, Kinsta said it has identified that the attackers are leveraging Google Ads, targeting individuals who have previously visited Kinsta’s official websites. The threat actors create sponsored websites that closely mimic Kinsta’s, tricking users into clicking on them.
“We are writing to alert you to a phishing scam where attackers use fraudulent sites to gather MyKinsta login credentials,” Kinsta noted in an email seen by BleepingComputer.
“The attackers are using Google Ads to target people who have visited kinsta.com or my.kinsta.com. The sponsored websites are dangerous, and you should not click on any links with URLs other than kinsta.com or access fraudulent sites in any way.”
Kinsta emphasizes these sites are malicious, and users should be vigilant not to visit links that do not directly lead to the official kinsta.com or my.kinsta.com websites.
The company also recommends users enable two-factor authentication on their accounts to prevent access to the account even if credentials are stolen.
Further, the company cautioned that these attackers might also send phishing emails or other forms of communication, convincing users to log into the MyKinsta phishing sites through these malicious links to steal login credentials.
In response to these threats, Kinsta is actively identifying and taking down the phishing sites but warns users to take proactive steps to safeguard their accounts.
Kinsta recommended accessing MyKinsta directly by typing my.kinsta.com in the browser and disregarding any text messages claiming to be from Kinsta.
Google ads increasingly used by hackers
This is not an isolated incident: there has been a notable increase in similar abuse of Google ads, including a deceptive ad for Amazon.
As BleepingComputer spotted in August, bad actors had published an ad in Google search results that appeared to be for Amazon.
However, when users clicked on this ad, they were redirected to a tech support scam masquerading as a tech support page from Microsoft Defender.
Other Google ads promoted websites that pretended to be download sites for legitimate software, including Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave.
However, these fake installers would install malware, such as Raccoon Stealer, a custom version of the Vidar Stealer, and the IcedID malware loader.