Google ad impersonates Whales Market to push wallet drainer malware

A legitimate-looking Google Search advertisement for the crypto trading platform 'Whales Market' redirects visitors to a wallet-draining phishing site that steals all of your assets.

Whales Market is a decentralized OTC trading platform allowing users to exchange assets across blockchains.

Today, BleepingComputer was contacted about a phishing ad for the trading platform in Google search results.

A quick search for Whales Market in Google displayed a sponsored ad at the top of the search results, displaying what looks like legitimate URLs for the site. In BleepingComputer's tests, this ad was not shown on Bing.

The advertisement displays www.whales.market, which is not a valid hostname but is the correct domain of whales.market. Hovering over the ad also shows that the link leads to the correct URL https://whales.market, as shown below.

However, clicking on the link redirects users through a series of sites that ultimately land them at the phishing site https://app.whaless[.]market/. Note that this site's domain has an extra s in the word whales.

This phishing site replicates the legitimate website, including its trading platform. Once you connect your wallet, though, malicious scripts will drain it of all assets.

Before connecting your wallet to any Web3 website, checking the domain displayed in a browser's address bar is crucial to determine whether it is a legitimate site.

If you find yourself at a site that looks even slightly off, do not connect your wallet to it.

Using redirects to trick ad platforms

Threat actors have been abusing Google Ads for years to distribute malware or redirect users to phishing sites and tech support scams.

While most advertisements utilize domains similar to the impersonated platform, they usually contain typos or extra dashes that make them easier to spot. Other ads don't even try to look like the legitimate domain and simply hope someone will click on the ad by mistake.

The more concerning advertisements are those that display legitimate URLs for impersonated platforms, such as the one for Whales Market. Other brands impersonated by legitimate-looking Google ads include Keepass, Home Depot, Amazon, eBay, and even Google's own property, YouTube.

Threat actors can create these legitimate-looking ads by redirecting visitors to different sites based on their IP address or browser user agent.

When these malicious ads are created, Google's and Microsoft's search bots will visit the ad's click URL to verify the site. However, when the threat actor's site detects the visitor using a known Google or Microsoft user agent or IP address, it will redirect the request to the legitimate website being promoted.

As the ad platforms see the final landing page as a legitimate site, they allow the URL to be shown in the ad.

However, when a regular visitor clicks on these ads, they will instead be redirected to malicious sites pushing malware, phishing attacks, or scams.

This method has worked for years, but Google has not been able to prevent these types of advertisements from slipping through the cracks and being approved.

Google is not the only ones affected by malicious ads, with similar techniques used on the Microsoft and X ad platforms.

BleepingComputer contacted Google about the malicious Whales Market advertisement and how these ads can be proactively prevented in the future, but have not received a response at this time.

Update 4/19/24: Google told BleepingComputer that they took down the phishing ads and suspended the associated advertiser accounts.