Fake Semrush ads used to steal SEO professionals’ Google accounts

A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
Malwarebytes researcher Jerome Segura and SEO strategist Elie Berreby believe that the threat actor is after Google Ads accounts that would enable them to create new malvertising campaigns.
This type of “cascading fraud” has been gaining traction recently, as Malwarebytes uncovered in January a similar operation where fake Google Ads hosted on Google Sites targeted Google Ads accounts.
“We believe the criminals behind it likely regrouped and switched to a less direct approach, yet one that might deliver just as much,” explains Malwarebytes.
In this latest case, the cybercriminals abuse the Semrush brand, a popular software-as-a-service (SaaS) platform used for SEO, online advertising, content marketing, and competitive research.
(Image; source: Malwarebytes)
Semrush is widely used by digital marketers, advertisers, e-commerce businesses, and large enterprises, including 40% of Fortune 500 companies.
Because Semrush integrates with Google Analytics and Google Search Console, customers often link valuable Google accounts containing sensitive business data, such as revenue metrics, marketing strategies, and customer behavior, all of which are attractive targets for cybercriminals.
Berreby told BleepingComputer that behind the campaign is a Brazilian threat group that specializes in targeting SaaS platforms and is now employing a particularly crafty technique.
“The scammers’ ultimate goal is Google accounts. But their second-best option is SaaS credentials,” explained Berreby.
“If an enterprise Google account was linked in the past, there’s a possibility of exfiltrating sensitive Google data without compromising the Google account itself.”
Semrush campaign
In the latest campaign, cybercriminals use Google Ads to promote malicious Semrush results when users enter related search terms.
Clicking the ad takes users to a phishing site that looks like Semrush and uses “semrush” domain names, but with a different top-level domain than the legitimate company’s (semrush.com).
Some malicious domains used in the campaign are “semrush[.]click,” “semrush[.]tech,” “auth.seem-rush[.]com,” “semrush-pro[.]co,” and “sem-rushh[.]com.”
Most of these domains remain online, but not all load the phishing page, suggesting that the threat actor is filtering their targets based on geographical location and other criteria.
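As an added defender-side example (not code from Malwarebytes or this article), the following Python check flags brand-lookalike hosts of the kind listed above in proxy logs: same label under a foreign TLD, hyphenated or doubled-letter variants, and near matches. The key=value log format, the similarity threshold and the single-label-TLD assumption are mine, and the sample log is constructed.

```python
import re
from difflib import SequenceMatcher

BRAND, LEGIT_TLD = "semrush", "com"   # the real company domain is semrush.com
SIM_THRESHOLD = 0.8                   # assumption: tune against your own traffic

def refang(host: str) -> str:
    """Undo the '[.]' defanging used in reports and lowercase the host."""
    return host.lower().replace("[.]", ".").strip(".")

def registrable_parts(host: str):
    """Return (second-level label, TLD). Assumes single-label TLDs (not .co.uk)."""
    parts = refang(host).split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (None, None)

def normalize(label: str) -> str:
    """Strip hyphens and collapse doubled letters: seem-rush, sem-rushh -> semrush."""
    return re.sub(r"(.)\1+", r"\1", label.replace("-", ""))

def lookalike_reason(host: str, brand: str = BRAND, tld: str = LEGIT_TLD):
    """Explain why a host impersonates the brand, or return None if it does not."""
    sld, host_tld = registrable_parts(host)
    if sld is None or (sld == brand and host_tld == tld):
        return None                                   # unparseable, or the real domain
    if sld == brand:
        return f"brand label with foreign TLD .{host_tld}"
    norm, target = normalize(sld), normalize(brand)
    if norm == target:
        return f"hyphen/doubled-letter variant of {brand}"
    if norm.startswith(target) or SequenceMatcher(None, norm, target).ratio() >= SIM_THRESHOLD:
        return f"similar to {brand} ({norm})"
    return None

HOST_RE = re.compile(r"host=(\S+)")   # assumption: key=value proxy log format
def scan_log(lines):
    """Map each lookalike host seen in the log lines to the reason it was flagged."""
    hits = {}
    for line in lines:
        m = HOST_RE.search(line)
        reason = lookalike_reason(m.group(1)) if m else None
        if reason:
            hits[refang(m.group(1))] = reason
    return hits

SAMPLE_LOG = [  # constructed sample (not real traffic); hosts from the campaign list above
    "2025-03-20T10:01:02 user=alice host=auth.seem-rush.com path=/login",
    "2025-03-20T10:01:09 user=alice host=www.semrush.com path=/",
    "2025-03-20T10:02:30 user=bob host=semrush-pro.co path=/oauth",
    "2025-03-20T10:03:11 user=bob host=analytics.google.com path=/",
    "2025-03-20T10:04:44 user=carol host=sem-rushh.com path=/login",
]
```

Calling `scan_log(SAMPLE_LOG)` returns the three impersonation hosts with their reasons, while the legitimate Semrush and Google hosts pass through unflagged.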
(Image; source: Malwarebytes)
The fake login page mimics Semrush’s interface but doesn’t offer the standard sign-in options, forcing visitors to log in via “Log in with Google” only.
When users enter their Google login details, the information is sent directly to the attackers.
Since many Semrush accounts are integrated with Google Analytics (GA) and Google Search Console (GSC), the threat actors may gain access to sensitive business data without compromising Semrush itself.
(Image; source: Malwarebytes)
Regarding the persistence of malicious Google Ads and the tech giant’s failure to tackle the problem decisively, Berreby explained that it will take big decisions at a higher level to stop this.
“Jérôme Segura and I have had multiple chats with Google representatives in the past years about the cybersecurity risks of using Google Ads for malicious purposes. The answer from those well-meaning and hard-working people was always the same: ‘I’m just a cog in a huge machine.’
“The problem is the people we talk with at Google cannot address the underlying issues because they are not decision-makers. They are diligently doing their best at an individual level, but that’s not enough, and frankly, that’s not acceptable for a giant tech company like Google that uses the most advanced machine learning solutions.”
Still, the SEO expert commended Google for responding quickly to their reports and taking down the malicious search results associated with the latest campaign.
To avoid getting trapped by Google Ads scams, avoid clicking on promoted/sponsored results, bookmark pages you access frequently to visit them directly, and always double-check that you landed on the official domain before logging in.
Using a password manager to fill in login forms can also help, because it will only auto-fill credentials on the exact domain they were saved for, so a lookalike domain gets nothing.