Cyber ​​security experts Malwarebytes discovered a new phishing campaign targeting American citizens, during which the attackers placed in the top of search results Google fake US Postal Service page (USPS). The purpose of the attack was to obtain the victims’ credentials for logging into online banking services, as well as complete personal and financial information.

The attack begins with the search query “USPS Tracking”, which the user himself enters into search engine No. 1 in order to get to the mail tracking page. The first thing a potential victim sees in the search results is a USPS advertisement paid for by the attackers. The first thing that catches the eye is a completely legitimate US Postal Service URL, which is 100% consistent with the real one.

Only by going to the ad page, the researchers were able to detect a catch, because a certain Anastasia Ivashchenko from Ukraine was indicated as an advertiser, who, of course, has nothing to do with the USPS.

Malicious ad with official URL

This fake advertiser reportedly had two different ad campaigns, one of which appeared to target mobile users and the other targeted desktop users.

The first thing any savvy Internet user would ask is a logical question: how could attackers ever use the official US Postal Service URL but redirect victims to their own phishing website?

As it turned out, the address displayed in the ad is a clever ploy that exploits the flaws of the platform. The address only looks like a legitimate one, but in fact it is not.

When the ad is clicked, the first URL returned is “googleadservices[.]com” which contains various metrics related to the ad. It is followed directly by the advertiser’s own URL, and only then by the phishing site of the attackers. Even the most experienced users will not see the catch in such a strategy, and this is what makes this phishing campaign so dangerous.

The path taken by the browser to the phishing page

Victims who do click on the ad are taken to a scam website that asks them to enter a package tracking number. However, after submitting this information, users receive an error message: “Your package could not be delivered due to incomplete information in the delivery address.”

Fake bug on a fake website

Users are then prompted to “update” their residential address and bank card details. At this stage, the hackers obtain the full physical address of the victim, which is valuable information on the black market. And to “re-link” the card, you also need to specify all its data, including the full number, name of the holder, expiration date and CVC code, and also pay a commission of 35 cents for linking.

After providing all the data, the scammers ask users to enter their credentials from a financial institution, ostensibly to complete the payment. The phishing page is dynamic and generates a template based on the data previously entered by the victim, so it may also not cause questions for many potential victims.

Fake authorization window in the banking institution of the victim

As a result, users who fell for the hackers’ bait provide hackers with full personal and financial information about themselves, seasoning everything with credentials from their bank account. For such hardened cybercriminals on the darknet are ready to pay a considerable amount.

This sophisticated phishing scheme is a reminder that malicious ads in search engine results remain an ongoing problem, affecting consumers and entire businesses that trust well-known brands.

When using tools such as Google search, you should be extra vigilant and immediately scroll through advertisements. And some AdBlocker, for example, will help you solve the problem with malicious ads quickly and efficiently.