Lowe’s employees phished via Google ads

In mid-August, we identified a malvertising campaign targeting Lowe’s employees via Google ads. Like many large companies, Lowe’s has its own employee portal, called MyLowesLife, for everything related to schedules, pay stubs, or benefits.

Lowe’s employees who searched for “myloweslife” during that time may have seen one or several fraudulent ads. The threat actor, who does not restrict themselves strictly to Lowe’s but also targets other organizations, aims to gain access to the login credentials of current and former employees.

My Lowe’s Life ads

Combining ads with a phishing page is a proven recipe for success. Indeed, unsuspecting users often rely on Google Search to take them to the site they are looking for, rather than manually entering its full URL in the browser’s address bar. It is somewhat suspicious to see ads for an internal HR portal, but then again it would be easy to overlook that oddity.

We found two different advertiser accounts impersonating MyLowesLife, and in one instance we even observed 3 malicious ads from both accounts one after the other. The URL displayed for each ad is different and does not match the legitimate one (myloweslife.com), a well-known lookalike technique that criminals often employ.

Phishing site built with AI

The threat actor registered several similar-looking domains in an effort to trick their victims:

myloveslife[.]net
mylifelowes[.]org
mylifelowes[.]net
myliveloves[.]net

What is interesting is that the home page for each of these is not what you would expect. In fact, what we see is a generic ‘retail store’ template which appears to have been built using AI.

There is a simple reason for this: if anyone were to investigate these potentially fraudulent websites, they would not see anything malicious. As a result, it will be difficult to convince a domain registrar or hosting provider to take any action such as suspending the site.

Phishing page

When victims click on the Google ad, they are taken directly to the phishing page, contained within a directory named ‘wamapps’, which interestingly matches the structure of the real MyLowesLife website:

https://lius.myloweslife.com/wamapps/wamlogin

This is an exact replica of the real Lowe’s portal that prompts users for their Sales Number and Password:

Looking at the page’s source code, we can see how these two fields are sent back to the threat actor using a POST request via xxx.php, the phishing kit. After collecting this data, a second page asks users for their security question. This is presumably a feature used by Lowe’s to secure accounts if they detect unusual login activity:
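Two things in this write-up lend themselves to a small detection script: the lookalike domains listed above, which reuse the brand’s tokens with a swapped letter (v for w) or in a different order, and the credential POST to xxx.php under a path that copies the real portal’s ‘wamapps’ directory. The following is an added example, not code from the original post or from Malwarebytes. It scores a hostname against the legitimate portal (myloweslife.com, from the article) using a confusable-character map plus an edit-distance fallback, then scans a few constructed proxy log lines for POSTs to hosts that score as lookalikes. The log format, the confusable table and the sample users are assumptions made for this example.

```python
"""Flag lookalike domains of an internal portal and credential POSTs to them.

Added example: the legitimate host and the four lookalike names come from the
article; the log format, confusable table and sample log lines are constructed.
"""
import re
from urllib.parse import urlsplit

LEGIT_HOST = "myloweslife.com"   # the real portal named in the article
LEGIT_LABEL = "myloweslife"
BRAND_TOKEN = "lowes"            # distinctive token of the brand name

# Characters commonly substituted for look-alike glyphs.  "v" for "w" is the
# swap used by myloveslife / myliveloves; the rest of the table is an assumption.
CONFUSABLES = str.maketrans({"v": "w", "0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(host: str) -> str:
    """'www.mylifelowes.org' -> 'mylifelowes'.  Assumes a single-label TLD."""
    parts = host.lower().rstrip(".").split(".")
    if parts[0] == "www":
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(host: str) -> bool:
    """True when host imitates the legitimate portal without being it."""
    host = host.lower()
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        return False  # the real site or one of its subdomains (e.g. lius.)
    label = second_level_label(host).translate(CONFUSABLES)
    if BRAND_TOKEN in label:  # brand token present, possibly reordered
        return True
    return levenshtein(label, LEGIT_LABEL) <= 2  # small typo of the whole name


# Constructed proxy log lines: "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2024-08-14T09:58:02Z alice GET https://lius.myloweslife.com/wamapps/wamlogin 200
2024-08-14T10:02:11Z bob GET https://myloveslife.net/wamapps/wamlogin 200
2024-08-14T10:02:40Z bob POST https://myloveslife.net/wamapps/xxx.php 200
2024-08-14T10:03:05Z bob POST https://lius.myloweslife.com/wamapps/wamlogin 302
2024-08-14T11:15:27Z carol POST https://mylifelowes.org/wamapps/xxx.php 200
2024-08-14T11:20:00Z dave GET https://www.example.com/ 200
garbage line that does not match the format
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def suspicious_posts(lines):
    """Return (user, host, path) for form submissions to lookalike hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        url = urlsplit(m["url"])
        if m["method"] == "POST" and is_lookalike(url.hostname or ""):
            hits.append((m["user"], url.hostname, url.path))
    return hits


if __name__ == "__main__":
    for host in ("myloveslife.net", "mylifelowes.org", "mylifelowes.net",
                 "myliveloves.net", "myloweslife.com"):
        print(f"{host:20} lookalike={is_lookalike(host)}")
    for user, host, path in suspicious_posts(SAMPLE_LOG):
        print(f"ALERT user={user} submitted a form to {host}{path}")
```

The confusable map catches myliveloves, which an edit-distance threshold alone would miss, while the distance fallback covers plain typos that drop or swap a single character. In practice the allowlist in is_lookalike would be extended with the company’s other legitimate domains so that they are never flagged.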

Finally, after providing these details, victims are redirected to the real MyLowesLife website where they will be asked for their login details again. While that could raise suspicion, it is possible many users will think it is merely a glitch with the system and won’t look back.

It is unclear what the threat actor does with the stolen credentials, but likely they are a broker reselling them to other criminals.

Mitigations

Brand impersonation via Google ads is a very popular technique leveraged by threat actors of all kinds. They know people will open up their default browser, do a quick search, and that is exactly where they can target them.

To avoid many of the phishing campaigns that abuse Google ads, we strongly recommend against clicking on sponsored results. You are better off scrolling down further and visiting the official websites directly.

For a web portal you regularly visit (bank, grocery store, etc.) it is a good idea to bookmark the website in your browser’s favorites: it is quicker and safer to visit a site that you trust that way.

We reported these malicious ads to Google and to our knowledge this ad campaign is no longer running. Malwarebytes customers were protected on day 1 via both the Malwarebytes Browser Guard and Malwarebytes Premium Security. If you suspect you have been a victim of identity theft, feel free to check out Malwarebytes Identity Theft Protection (also available to customers via our premium security products).
