
The Semrush Impersonation Scam Infiltrating Google Ads

Discover how cybercriminals are leveraging Semrush impersonation to hijack Google Ads accounts. Learn about the phishing tactics, the impact on businesses, and how to protect yourself.


TL;DR

Cybercriminals are exploiting Semrush’s popularity to phish Google Ads accounts, leading to significant data breaches and financial risks. This scam involves redirecting users to fake Semrush login pages, ultimately targeting Google credentials. Businesses and individuals must take proactive measures to safeguard their accounts and sensitive information.



Cybercriminals are increasingly targeting online marketing and advertising tools to fuel their malware campaigns. Previously, we detailed how Google Ads accounts can be hijacked to create malicious ads, perpetuating a cycle of compromised accounts [1]. Recent investigations have uncovered a new operation targeting Semrush, a popular visibility management SaaS platform offering SEO, advertising, and market research services.

With 40% of Fortune 500 companies and 117,000 paying customers relying on Semrush, the platform has become an attractive target for online criminals [2][3]. This article delves into how fraudsters are indirectly hacking Google Ads accounts and potentially gaining access to Semrush accounts through sophisticated phishing tactics.

The Evolution of Google Ads Phishing

In January, we documented a large phishing campaign targeting Google accounts via Google Ads, exploiting Google Sites [1]. The criminals behind this campaign have now shifted to a less direct but equally effective approach. A malicious ad for “Google Ads” redirected users to a fraudulent Semrush login page, where only the “Log in with Google” option was enabled. This forced victims to authenticate using their Google account credentials.

The Semrush Phishing Campaign

Shortly after, the campaign evolved to fully impersonate Semrush. New domain names, all variations of the Semrush name, were registered to support this infrastructure. Each ad used a unique domain name that redirected to static domains dedicated to fake Semrush and Google account login pages. The landing pages displayed two login options, but only the Google method was enabled, indicating the threat actors’ primary interest in harvesting Google accounts.

The Impact on Google Analytics and Search Console

Disclaimer: The following scenarios are illustrative and not based on actual compromises.

Google Analytics (GA) and Google Search Console (GSC) contain critical business information, including website performance, user behavior, and strategic insights. If a Google account is compromised, malicious actors can access this data directly, bypassing the need to log into Semrush. For instance, e-commerce tracking in GA reveals revenue, transaction volumes, and conversion rates, providing a direct view of a company’s financial performance.

Semrush Fraud and Spear-Phishing

Disclaimer: The following scenarios highlight the interconnectivity between Google and Semrush accounts but are not based on actual compromises.

Google Analytics and Google Search Console data are often integrated with tools like Semrush for enhanced analysis. For new projects, Semrush requests validation from a Google account to access GA and GSC data. Once validated, threat actors can export behavioral data and KPIs directly from GSC.

Additionally, a Semrush account contains sensitive information such as name, phone number, business name, address, email, and partial credit card details. Threat actors could use this information to impersonate individuals or businesses, deceiving vendors or partners into sending payments to fraudulent accounts.

Conclusion

Brand impersonation remains a favored tactic among cybercriminals to gain access to valuable account credentials. As Google Search is central to the SEO and ad ecosystems, individuals and businesses clicking on malicious ads risk losing sensitive data and experiencing multifaceted fraud. This serves as a wake-up call to implement robust security measures to prevent such exposures.

Malwarebytes customers are protected against the malicious ads and sites used in this campaign. We have reported all incidents directly to Google.

We would like to thank the folks at Silent Push for giving us access to their platform, enabling us to uncover additional infrastructure.

Malicious Semrush Domains

adsense-word[.]com
auth[.]semrush[.]help
sem-russhh[.]com
sem-rushhh[.]com
sem-rushh[.]com
semrush[.]click
semrussh[.]sbs
semrush[.]tech
seemruush[.]com
semrush-auth[.]com
auth.seem-rush[.]com
ads-semrush[.]com
semrush-pro[.]co
semrush-pro[.]click
auth.sem-ruush[.]com
semrush[.]works
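The campaign section above notes that every ad used its own throwaway domain, and the list shows the pattern: hyphenation, doubled letters and unusual TLDs wrapped around the Semrush name. The following Python script is an added example (it is not code from the Malwarebytes article or from Semrush) showing how a defender can turn that list into a two-layer check: an exact match against the published indicators, plus a lookalike heuristic that normalizes the second-level label and compares it with the brand name, so that a new variant not yet on the list still gets flagged. The allowlist entry `semrush.com`, the `.example` domain and the helper names are assumptions made for this example.

```python
"""Two-layer domain check for the Semrush-themed malvertising campaign.

Layer 1: exact match against the defanged IoCs published in the post.
Layer 2: lookalike heuristic for domains that are not (yet) on the list.
Added example; not code from the original article or from Semrush.
"""
import re

BRAND = "semrush"

# Assumed allowlist of legitimate brand hosts; confirm against your own
# records (Semrush's own login host, for instance) before deploying.
ALLOWLIST = {"semrush.com"}

# Defanged indicators copied from the list in the post.
PAGE_IOCS = [
    "adsense-word[.]com", "auth[.]semrush[.]help", "sem-russhh[.]com",
    "sem-rushhh[.]com", "sem-rushh[.]com", "semrush[.]click",
    "semrussh[.]sbs", "semrush[.]tech", "seemruush[.]com",
    "semrush-auth[.]com", "auth.seem-rush[.]com", "ads-semrush[.]com",
    "semrush-pro[.]co", "semrush-pro[.]click", "auth.sem-ruush[.]com",
    "semrush[.]works",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'semrush[.]click' into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


IOC_SET = {refang(d) for d in PAGE_IOCS}


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'seem-rush' for 'auth.seem-rush.com'.

    Naive split that does not consult the Public Suffix List, so a host
    like 'brand.co.uk' would yield 'co'; adequate for the TLDs seen here.
    """
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Drop hyphens and collapse repeated characters: 'sem-russhh' -> 'semrush'."""
    return re.sub(r"(.)\1+", r"\1", label.replace("-", ""))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-typo variants of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_allowlisted(host: str) -> bool:
    return host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST)


def is_lookalike(host: str) -> bool:
    """Heuristic only: the brand name embedded in, or one edit away from, the
    normalized second-level label. Note that a generic-looking ad domain such
    as 'adsense-word.com' does not trip this rule and needs the IoC list."""
    norm = normalize(registrable_label(host))
    return BRAND in norm or levenshtein(norm, BRAND) <= 1


def classify(domain: str) -> str:
    """Return 'allowlisted', 'known-ioc', 'lookalike' or 'clean'."""
    host = refang(domain)
    if is_allowlisted(host):
        return "allowlisted"
    if host in IOC_SET:
        return "known-ioc"
    if is_lookalike(host):
        return "lookalike"
    return "clean"


if __name__ == "__main__":
    # Constructed inputs: the published IoCs, a legitimate host and two
    # hypothetical domains (the '.example' one is fictitious).
    samples = PAGE_IOCS + ["auth.semrush.com", "seemrush-login.example", "example.com"]
    for d in samples:
        host = refang(d)
        print(f"{host:26s} {classify(d):12s} lookalike={is_lookalike(host)}")
```

The substring rule is deliberately aggressive: a legitimate third-party host that embeds the brand name would also be reported as a lookalike, so treat that verdict as a review queue rather than an automatic block, while the exact IoC match can be enforced directly.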


For more details, visit the full article: source


References

  1. Malwarebytes Labs (January 2025). “The great Google Ads heist: criminals ransack advertiser accounts via fake Google Ads”. Malwarebytes. Retrieved 2025-03-20.

  2. Semrush (2024). “Semrush 2024: A Year in Review”. Semrush. Retrieved 2025-03-20.

  3. Semrush Investors (2025). “Semrush Announces Fourth Quarter and Full Year 2024 Financial Results”. Semrush. Retrieved 2025-03-20.

This post is licensed under CC BY 4.0 by the author.