Check Point Research (CPR) is warning of scammers who use Google Ads to steal crypto wallets, after seeing hundreds of thousands of dollars’ worth of cryptocurrency taken from victims this past weekend.
Scammers are placing ads at the top of Google Search that imitate popular wallet brands, such as Phantom and MetaMask, to trick users into giving up their wallet passphrase and private key.
CPR estimates that over $500 000 worth of crypto was stolen in a matter of days.
To lure their victims, scammers placed Google Ads at the top of Google Search that imitated popular wallets and platforms, such as Phantom App, MetaMask and Pancake Swap.
Each advertisement contained a malicious link that, once clicked, directed a victim into a phishing website that copied the brand and messaging of the original wallet website.
From here, the scammers tricked their victims into giving up their wallet passwords, setting the stage for wallet theft.
“In a matter of days, we witnessed the theft of hundreds of thousands of dollars’ worth of crypto. We estimate that over $500 000 worth of cyrpto was stolen this past weekend alone,” says Oded Vanunu, head of products vulnerabilities research at Check Point.
“I believe we’re at the advent of a new cybercrime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email.
“In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging.
“And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets.
“Unfortunately, I expect this to become a fast-growing trend in cybercrime. I strongly urge the crypto community to double check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.”
CPR found 11 compromised wallet accounts, each of them containing between $1 000 and $10 000. CPR went on to learn that the scammers withdrew some of the funds already before CPR’s discovery.
CPR offers some advice to protect against wallet theft:
* Examine the browser URL. Only the extension should create the passphrase, and to understand if this is an extension or a website always look at the browser URL.
* Look for the extension icon. The extension will contain an extension icon near it and a Chrome-extension URL.
* Never give out your passphrase. Users should never give out their passphrase, no one should ever ask for that. and it will be used again only when installing a new wallet.
* Skip the ads. If you are looking for wallets or crypto trading and swapping platforms in the crypto space, always look at the first website in your search and not in the ad, as these may mislead you to getting scammed by the attackers.
* Take a look at the URL. Always double-check the URLs.