{"id":34554,"date":"2025-05-20T21:38:56","date_gmt":"2025-05-20T19:38:56","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/semrush-phishing-websites-in-google-ads\/34554\/"},"modified":"2025-05-20T21:38:56","modified_gmt":"2025-05-20T19:38:56","slug":"semrush-phishing-websites-in-google-ads","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/semrush-phishing-websites-in-google-ads\/34554\/","title":{"rendered":"Fake websites popping up in Google search ads"},"content":{"rendered":"<p>Many company employees use various online services through their web browsers every day. Some of them remember website addresses they use frequently and type them in directly, while others \u2013 probably most \u2013 save bookmarks. Then there are folks who type the service name into a search engine every time and just click the first link that comes up. These are apparently the kind of users that cybercriminals target when they promote their fake (phishing) sites through Google Ads. This promotion makes the fake pages show up higher in search results than the respective authentic websites.<\/p>\n<p>According to Google\u2019s <a href=\"https:\/\/services.google.com\/fh\/files\/misc\/ads_safety_report_2024.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Ads Safety Report<\/a>, 2024, Google blocked or removed a whopping 415 million ads last year for breaking their rules \u2013 mostly by running scams. The company also blocked five million advertising accounts that were placing these kinds of ads. This gives you an idea of the sheer scale of the problem. Google Ads is an incredibly popular tool for cybercriminals to spread their malicious content. 
Although a significant proportion of these schemes target regular home users, there\u2019ve been stories lately about scammers going after Semrush or even Google Ads business accounts.<\/p>\n<h2>Fake Semrush pages<\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Semrush\" target=\"_blank\" rel=\"nofollow noopener\">Semrush<\/a> is a popular tool that helps you find keywords, analyze your competitors\u2019 websites, track backlinks, and so on. It\u2019s used by SEO pros all over the world. For better performance, Semrush is often integrated with Google Analytics and Google Search Console. Accounts in those services can hold a ton of private business information \u2013 such as revenue reports, marketing strategies, analysis of customer behavior, and a lot more.<\/p>\n<p>If cybercriminals can gain access to a Semrush account, they can use the information they find there to launch more attacks on other employees, or just sell the access on the dark web.<\/p>\n<p>It\u2019s small wonder that some crooks have launched a <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-semrush-ads-used-to-steal-seo-professionals-google-accounts\/\" target=\"_blank\" rel=\"nofollow noopener\">phishing campaign<\/a> that targets SEO professionals. They set up a series of websites whose design closely mimics the Semrush sign-in page. To appear legitimate, the scammers employed multiple domain names that included the name of the company they were imitating: <em>semrush[.]click<\/em>, <em>semrush[.]tech<\/em>, <em>auth.seem-rush[.]com<\/em>, <em>semrush-pro[.]co<\/em>, <em>sem-rushh[.]com<\/em>, and so on. And they use Google Ads to promote all these fake sites.<\/p>\n<p>The only way to tell the fake pages from the real one is by checking the website address. Just like the real Semrush sign-in page, the fake pages show two main ways to authenticate: using a Google account, or by typing in your Semrush username and password. 
But the criminals have cleverly blocked the fields where you would type in your Semrush credentials; therefore, the victims don\u2019t have any other choice but to try signing in with Google.<\/p>\n<p>Another fake page then opens that does a no-less-convincing job imitating the Google account sign-in page. Of course, any Google account credentials entered there go straight to the scammers.<\/p>\n<h2>Fake Google Ads in Google Ads<\/h2>\n<p>An even more intriguing twist on the same type of attack saw the cybercriminals leveraging <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-use-google-search-ads-to-steal-google-ads-accounts\/\" target=\"_blank\" rel=\"nofollow noopener\">Google Ads to promote fake versions of\u2026 Google Ads<\/a>! The way it works is quite similar to how they go after Semrush credentials \u2013 but with one really interesting nuance: the website address shown in the fake Google Ads ad is <em>exactly<\/em> the same as the real one <em>(ads.google[.]com<\/em>)!<\/p>\n<p>The scammers have been able to pull this off by using another Google service: Google Sites, a website-building platform. According to the Google Ads rules, an ad can show the address of any page as long as its domain matches the domain of the actual website the ad redirects to. So, if the attacker creates an intermediate website with Google Sites, it has a <em>google.com<\/em> domain name, which means they\u2019re allowed to display the <em>ads.google.com<\/em> address in their ad.<\/p>\n<p>Links from this temporary site then redirect to a page that looks just like the Google Ads sign-in. If the user fails to notice they\u2019ve left the real Google pages and types in their login information, it lands right in the hands of the cybercriminals.<\/p>\n<h2>How to keep your company safe from phishing<\/h2>\n<p>The only way to comprehensively solve the problem of malicious websites being promoted through Google Ads is for Google itself to step up. 
To their credit, in both the cases described above (the fake Google Ads pages and Semrush sites), the company did take action quickly by removing them from the top of the search results.<\/p>\n<p>To keep your organization safe from these kinds of phishing attacks, we recommend doing the following:<\/p>\n<ul>\n<li>Remind your employees that it\u2019s best to bookmark websites they visit often instead of relying on search engines every time.<\/li>\n<li>Train your employees to spot potential threats. This is something you can easily and cost-effectively automate with an e-learning platform like the <a href=\"https:\/\/k-asap.com\/en\/?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a>.<\/li>\n<li>Make sure to use multi-factor authentication for all services that support it. For Google accounts, it\u2019s best to use a <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-set-up-passkeys-in-google-account\/49515\/\" target=\"_blank\" rel=\"noopener nofollow\">passkey<\/a>.<\/li>\n<li>Install a <a href=\"https:\/\/www.kaspersky.co.za\/next?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____cecf5bf7a71acade\" target=\"_blank\" rel=\"noopener\">robust security solution<\/a> on all company devices. 
It\u2019ll warn you about dangers and stop you from visiting suspicious websites.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Scammers are using Google ads to push fake versions of real websites \u2013 and they&#8217;re after business accounts and company data.<\/p>\n","protected":false},"author":2726,"featured_media":34555,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3020,3021],"tags":[2141,22,3787,76,1146,422],"class_list":{"0":"post-34554","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-business","11":"tag-google","12":"tag-google-ads","13":"tag-phishing","14":"tag-risks","15":"tag-threats"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/semrush-phishing-websites-in-google-ads\/34554\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/semrush-phishing-websites-in-google-ads\/28882\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/semrush-phishing-websites-in-google-ads\/24106\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/semrush-phishing-websites-in-google-ads\/28984\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/semrush-phishing-websites-in-google-ads\/39541\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/semrush-phishing-websites-in-google-ads\/53460\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/semrush-phishing-websites-in-google-ads\/29144\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/semrush-phishing-websites-in-google-ads\/34923\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"http
s:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/34554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=34554"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/34554\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/34555"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=34554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=34554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=34554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}