Security analysts at Check Point Research report that scammers have ripped off more than $500,000 in cryptocurrency in just a few days over the weekend. The scam involves placing Google Ads to funnel unsuspecting victims to phishing sites.
Check Point says the scammers place Google Ads designed to look like official wallet websites like Phantom App or MetaMask. Researchers even saw scams mimicking crypto exchanges such as Pancake Swap. Since these are advertisements, they appear above the actual search results, so they are the first thing the victims see and are very convincing in appearance.
Clicking the ad takes users to a webpage designed to look as close to the official website as possible. Existing users are prompted to sign in, which steals their credentials for the scammers to use later. What is more insidious is that victims are presented with a passphrase to an account that the attackers control when creating a new wallet. In other words, deposits go directly to the criminals without them having to do anything.
While the search results and web pages might look genuine enough, the URLs give the scams away. For example, CPR said it saw several variants for the phantom.app domain, including phanton.app, phantonn.app, and even phantonn.pw. The URLs are clearly wrong, but some people might not notice.
Indeed, researchers cross-referencing Reddit posts from people who got scammed discovered many of them fell victim to these deceptive ads and websites.
“In a matter of days, we witnessed the theft of hundreds of thousands of dollars worth of crypto,” said Check Point’s Head of Products Vulnerabilities Research Oded Vanunu. “We estimate that over $500k worth of cyrpto was stolen this past weekend alone. I believe we’re at the advent of a new cyber crime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email.”
The researchers note they have seen a rise in these types of advertised phishing attempts recently. Multiple scammer groups have placed bids with Google Ads for keywords related to cryptocurrency. Check Point believes this indicates the method has proven effective enough for further investment.
The key takeaway here is to be very careful and vigilant when dealing with crypto wallets. Scammers already place fake ads for traditional banking institutions like Wells Fargo, so why not for crypto. It’s relatively new, and there are likely more people who are less careful with their crypto than they are when dealing with their banking websites.
As a general rule of thumb when looking for crypto wallets, skip Google Ads in your search results. Either use an ad blocker like AdGuard or scroll down to where the actual results begin. Pay attention to the URL, and be sure that it’s not composed with a clever spelling error like phantum.app, and know your extensions. MetaMask’s domain is metamask.io. Going to a result like metamask.com is likely to lead you to a scam.