 [Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek)March 21, 2025 2 Min Read  Source: Zoonar GmbH via Alamy Stock Photo [](https://www.linkedin.com/sharing/share-offsite/?url=https://www.darkreading.com/cyberattacks-data-breaches/attackers-semrush-steal-google-credentials)[](http://www.facebook.com/sharer/sharer.php?u=https://www.darkreading.com/cyberattacks-data-breaches/attackers-semrush-steal-google-credentials)[](http://www.twitter.com/intent/tweet?url=https://www.darkreading.com/cyberattacks-data-breaches/attackers-semrush-steal-google-credentials)[](https://www.reddit.com/submit?url=https://www.darkreading.com/cyberattacks-data-breaches/attackers-semrush-steal-google-credentials&title=Attackers%20Pivot%20to%20SEMrush%20Spoof%20to%20Steal%20Google%20Credentials)[](mailto:?subject=Attackers Pivot to SEMrush Spoof to Steal Google Credentials&body=I%20thought%20the%20following%20from%20Dark%20Reading%20might%20interest%20you.%0D%0A%0D%0A%20Attackers%20Pivot%20to%20SEMrush%20Spoof%20to%20Steal%20Google%20Credentials%0D%0Ahttps%3A%2F%2Fwww.darkreading.com%2Fcyberattacks-data-breaches%2Fattackers-semrush-steal-google-credentials) NEWS BRIEFSEO professionals are the latest group being targeted by malicious actors, at least according to a pair of researchers who’ve found that malicious SEMrush [Google ads](https://www.darkreading.com/remote-workforce/fake-google-ads-lure-corporate-workers-download-lobshot-backdoor) are reeling victims in.SEMrush is a digital marketing software that assists in a wide variety of tasks, including SEO, PPC, content marketing, and social media working. The platform is used by advertisers, e-commerce businesses, digital marketers, and others.Jerome Segura, Malwarebytes researcher, and Elie Berreby, SEO strategist, believe that this a type of ‘cascading fraud’ of the type that Malwarebytes discovered recently involving fake Google Ads accounts getting hijacked to create new malicious ads. That starts a never-ending cycle leading to more and more compromised accounts. Now, though, it seems that the same cybercriminals have regrouped and are taking an indirect approach to [hack Google advertisers](https://www.darkreading.com/vulnerabilities-threats/attackers-hijack-google-advertiser-accounts-malware).The new tactic involves SEO poisoning, using Google Ads to promote malicious SEMrush results when users enter in certain search terms. After clicking the ad, users are taken to a phishing site that appears to be SEMrush; it has similar domain names to the real thing, but is really a fraudster using a different top-level domain than the legitimate company. Users are prompted to enter their Google credentials on a fake login page, which are then sent directly to the threat actors.’As Google Search is a central part of the SEO and ad ecosystems, individuals and businesses who inadvertently click on a malicious ad are at a major risk of losing extremely sensitive data and feel the impact of fraud on many levels,’ [said the researchers](https://www.malwarebytes.com/blog/news/2025/03/semrush-impersonation-scam-hits-google-ads). Many SEMrush accounts are integrated with other Google accounts, meaning that these threat actors are capable of gaining access to a host of sensitive company data.’This should be a wakeup call to take steps to prevent such exposure’ add the researchers, ‘by enforcing guard rails to anyone who manages an account for themselves or a company.’ Read more about:[News Briefs](/keyword/news-briefs) [](https://www.linkedin.com/sharing/share-offsite/?url=https://www.darkreading.com/cyberattacks-data-breaches/attackers-semrush-steal-google-credentials)[](http://www.facebook.com/sharer/sharer.php?u=https://www.darkreading.com/cyberattacks-data-breaches/attackers-semrush-steal-google-credentials)[](http://www.twitter.com/intent/tweet?url=https://www.darkreading.com/cyberattacks-data-breaches/attackers-semrush-steal-google-credentials)[](https://www.reddit.com/submit?url=https://www.darkreading.com/cyberattacks-data-breaches/attackers-semrush-steal-google-credentials&title=Attackers%20Pivot%20to%20SEMrush%20Spoof%20to%20Steal%20Google%20Credentials)[](mailto:?subject=Attackers Pivot to SEMrush Spoof to Steal Google Credentials&body=I%20thought%20the%20following%20from%20Dark%20Reading%20might%20interest%20you.%0D%0A%0D%0A%20Attackers%20Pivot%20to%20SEMrush%20Spoof%20to%20Steal%20Google%20Credentials%0D%0Ahttps%3A%2F%2Fwww.darkreading.com%2Fcyberattacks-data-breaches%2Fattackers-semrush-steal-google-credentials) About the Author—————- [Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek)
Skilled writer and editor covering cybersecurity for Dark Reading. [See more from Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek) Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. [Subscribe](https://dr-resources.darkreading.com/free/w_defa3135/prgm.cgi) More Insights Webinars* [Beyond Replication -& Versioning: Securing S3 Data in the Face of Advanced Ransomware Attacks](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_rubr137&ch=SBX&cid=_upcoming_webinars_8.500001541&_mc=_upcoming_webinars_8.500001541)Mar 25, 2025* [What is the Right Role for Identity and Access Management in Your Enterprise?](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_dels15&ch=SBX&cid=_upcoming_webinars_8.500001529&_mc=_upcoming_webinars_8.500001529)Mar 26, 2025* [Today’s Top Cloud Security Threats](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_wiza63&ch=SBX&cid=_upcoming_webinars_8.500001530&_mc=_upcoming_webinars_8.500001530)Apr 1, 2025* [Memory Safety -& Exploit Management: Real-World Attacks -& Defenses](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_defa7921&ch=SBX&cid=_upcoming_webinars_8.500001534&_mc=_upcoming_webinars_8.500001534)Apr 3, 2025* [Unifying Cloud Security: A Blueprint for Modern Threat Resilience](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_palo270&ch=SBX&cid=_upcoming_webinars_8.500001533&_mc=_upcoming_webinars_8.500001533)Apr 4, 2025[More Webinars](/resources?types=Webinar) Events* [-[Conference-] Black Hat USA – August 2-7 – Learn More](https://www.blackhat.com/us-25/?_mc=we_bhas25_drcuration&cid=_session_16.500330)Aug 2, 2025* [-[Conference-] Black Hat Asia – April 1-4 – Learn More](https://www.blackhat.com/asia-25/?_mc=we_bhas25_drcuration&cid=_session_16.500329)Apr 1, 2025* [-[Dark Reading Virtual Event-] Cybersecurity’s Most Promising New and Emerging Technologies](https://ve.informaengage.com/virtual-events/cybersecuritys-most-promising-new-and-emerging-technologies/?ch=SBX&cid=_session_16.500328&_mc=_session_16.500328)Mar 20, 2025[More Events](/events)You May Also Like*** ** * ** ***[Cyberattacks -& Data BreachesSlack Patches AI Bug That Exposed Data in Private Channels](https://www.darkreading.com/cyberattacks-data-breaches/slack-ai-patches-bug-that-let-attackers-steal-data-from-private-channels) [Cyberattacks -& Data BreachesDNC Credentials Compromised by ‘IntelFetch’ Telegram Bot](https://www.darkreading.com/cyberattacks-data-breaches/dnc-credentials-compromised-intelfetch-telegram-bot) [Cyberattacks -& Data BreachesFeds Warn of North Korean Cyberattacks on US Critical Infrastructure](https://www.darkreading.com/cyberattacks-data-breaches/feds-warn-of-north-korean-cyberattacks-on-us-critical-infrastructure) [Cyberattacks -& Data BreachesLeak Site BreachForums Springs Back to Life Weeks After FBI Takedown](https://www.darkreading.com/cyberattacks-data-breaches/leak-site-breachforums-springs-back-to-life-weeks-after-fbi-takedown)
Related Tags:
NAICS: 517 – Telecommunications
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Blog: Dark Reading
Phishing
Software Discovery: Security Software Discovery
Software Discovery
Associated Indicators: