Date: 2021-11-04



Check Point Research (CPR) warns of scammers who use Google Ads to steal cryptocurrencies, after seeing hundreds of thousands of dollars' worth of cryptocurrency stolen from victims last weekend. Scammers have placed ads that mimic popular wallet brands such as Phantom and MetaMask at the top of Google Search to trick users into giving up their wallet passphrases and private keys.

CPR estimates that over $500,000 of crypto was stolen in a matter of days. CPR shares screenshots of the malicious Google ads and the phishing websites that led victims to theft, encourages the crypto community to stay on high alert, and provides five security tips on how to stay protected.

Over the weekend, Check Point Research (CPR) observed hundreds of thousands of dollars' worth of crypto stolen from wallets by fraudsters. Scammers have placed Google ads at the top of Google Search that mimic popular wallets and platforms such as Phantom App, MetaMask, and Pancake Swap to lure victims. Each ad contained a malicious link that, when clicked, directed the victim to a phishing website that copied the brand and messaging of the original wallet website. From there, the scammers tricked the victim into giving up the wallet password, setting the stage for the wallet theft.

Traditionally, phishing campaigns start with email. What seems to be a new trend is that multiple fraudulent groups are bidding on Google Ads wallet-related keywords and using Google search as an attack vector targeting victims’ crypto wallets.

How fraud works

1. Phishers place Google Ads that appear first in search queries related to cryptocurrency wallets.

2. Victims click on the malicious links in the Google Ads.

3. Victims are taken to a phishing website that looks the same as the original wallet website.

4. The fake website tries to steal your passphrase if you already have a wallet, or provides a new passphrase for your newly created wallet.

5. Either way, the scammer can access your wallet and steal all your cryptocurrencies.

For the domain phantom.app, CPR encountered phishing variants such as phanton.app and phantonn.app, as well as the same name under different extensions (top-level domains) such as .pw.
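The lookalike patterns CPR describes (a one- or two-character change to the name, or the same name on another extension such as .pw) can be checked mechanically before a link is trusted. The following Python is an added example, not code from CPR; the allowlist, the edit-distance threshold of 2 and the function names are assumptions, and the sample URLs are constructed from the domains named above.

```python
from urllib.parse import urlsplit

# Allowlist of genuine wallet domains. Only phantom.app comes from the article;
# extend it with the domains you actually use (assumption).
KNOWN_GOOD = {"phantom.app"}
MAX_EDITS = 2  # assumed threshold: phanton (1 edit) and phantonn (2 edits) fall inside


def edit_distance(a, b):
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Return (name, tld) from the last two labels of a hostname.
    Simplification: multi-part suffixes such as co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify(url):
    """Classify a URL as 'ok', 'suspicious: ...' or 'unknown'."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    name, tld = registrable(host)
    if f"{name}.{tld}" in KNOWN_GOOD:
        return "ok"
    for good in sorted(KNOWN_GOOD):
        good_name, _ = registrable(good)
        if name == good_name:
            return f"suspicious: {good} brand on different TLD .{tld}"
        if edit_distance(name, good_name) <= MAX_EDITS:
            return f"suspicious: lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs built from the domains named in the article.
    for sample in ("https://phantom.app/", "https://phanton.app/",
                   "https://phantonn.app/download", "phantom.pw",
                   "https://phantom.app.example.pw/"):
        print(f"{sample:35} -> {classify(sample)}")
```

A result of "unknown" means only that the host is not on the allowlist; a genuine brand name used as a subdomain of another site lands there rather than in "ok".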

As mentioned above, each malicious ad leads to a phishing website.

Figure 3. Rogue Phantom website next to the original Phantom website

Observed victims

CPR has found 11 compromised wallet accounts. Each account held $1,000 to $10,000. CPR learned that the scammers had already withdrawn some of the money before CPR's discovery. By cross-referencing the Reddit forums where victims have reported theft, CPR estimates that more than $500,000 was stolen last weekend.

Quote: Check Point Head of Product Vulnerability Investigation, Oded Vanunu:

Within days, I witnessed the theft of hundreds of thousands of dollars worth of cryptography. It is estimated that over $500,000 of ciphers were stolen last weekend alone. I believe it was the arrival of a new cybercrime trend in which scammers use Google search as the primary attack vector to reach crypto wallets instead of phishing via traditional email. In our observation, each ad had a careful message and keyword selection, as it stands out in the search results. The victim-guided phishing website reflects a close copy and imitation of the wallet brand’s message. And most worrisome is that multiple groups of scammers are bidding on Google Ads keywords. This could be a sign of the success of these new phishing campaigns aimed at robbing crypto wallets. Unfortunately, I think this will be a fast-growing trend in cybercrime. At this time, we strongly recommend that you double-check the URLs that the crypto community clicks on and avoid clicking on Google Ads related to your crypto wallet.

How to protect yourself

1. Check the URL in your browser. Only the extension should create a passphrase, so always check the URL in your browser to tell whether you are in an extension or on a website.

2. Look for the extension icon. The extension has an extension icon, and the URL of the Chrome extension appears next to it.

3. Never give your passphrase. You should never give out your passphrase, and no one should ask for it. It is only used again when installing a new wallet.

4. Skip ads. If you’re looking for a wallet or a crypto trading and swapping platform, always go to the first website in your search results rather than an advertisement, because ads can be abused by attackers to fool you.

5. Check the URL. Last but not least, always double check the URL.

To read the full research, go to: research.checkpoint.com

