EXECUTIVE SUMMARY:

A new large-scale phishing campaign, involving over 200 websites and the impersonation of genuine brands, is gaining momentum.

The campaign relies on the misuse of Google Ads and SEO in order to lure victims to hundreds of fake websites. On the sites, users are directed to enter personal information, including banking details.

According to security analysts, the campaign has resulted in more than a million dollars’ worth of financial damage.

Campaign construction

To understand this campaign, it’s best to have a sense of the context.

In India, the government recently introduced policies to increase the growth of the nation’s electric vehicle industry. The policies promise to yield growth of 90% (CAGR) for the market within the next 10 years. In short, electric vehicles will become a $200 billion marketspace.

In the wake of heightened interest in electric vehicles (EVs), hackers have leapt into action. Instead of sending batches of phishing emails to financial institutions, these hackers are now focused on EVs. Interest also extends to eBikes and the surrounding families of accessories.

How the campaign works

The hackers abuse Google Ads, mimicking well-known brands using fraudulent domains and keyword-stuffed pages. This technique guarantees the hackers a steady stream of victims.

In the majority of cases, the hackers have simply cloned a brand’s original website content, copying the style, the layout and the graphics in order to deceive visitors.

In a handful of instances, hackers have built brand new, fictitious marketplaces around words such as “ebike” in order to solicit products from several different brands simultaneously.

Visitors to these sites are instructed to provide their full names, contact info and physical address for “platform registration” purposes.

After registration, scammers ask visitors to pay a fee in order to subscribe to the site. Many visitors do actually enter the “needed” information. This is how the banking theft begins.

Domain generation industry 

While threat analysts report 200 distinct phishing domains related to this campaign, they warn that the pool of domains is constantly refreshed. New sites pop up when older sites are retired.

Experts believe that these scammers previously registered a large number of domains, and that they keep some of them “parked” for potential future use.

Impact of campaign

Cyber security researchers have seen 100 – 200 users per day register on these phony sites. Nonetheless, financial losses may be as high as a million dollars.

To help prevent further Google Ads abuse, the researchers issuing the initial report about this campaign have reached out to Google.

Identification of fake sites

For impersonated enterprises, these types of attacks likely won’t cause much disruption. However, you may wish to report them to your state’s government office in order to assist investigators in stopping the scammers.

If you’re wondering whether an advertisement is fake, consider visiting the vendor’s website directly by typing the URL into your browser.

For more information about this phishing campaign, visit Bleeping Computer.
