
SEMrush Targeted in Growing Google Ads Scam

IMAGE CREDITS: DETAILED.COM

SEO professionals and digital marketers are now the latest targets of cybercriminals exploiting Google’s advertising ecosystem. Security researchers have uncovered a growing scam where malicious SEMrush Google ads trick users into handing over sensitive credentials, putting entire companies at risk.

SEMrush, a popular digital marketing platform, is widely used by SEO experts, e-commerce businesses, and content marketers for tasks like keyword research, PPC analysis, and social media management. But now, the brand’s trusted name is being hijacked in a new wave of phishing attacks.

Malwarebytes researcher Jerome Segura and SEO strategist Elie Berreby have linked this campaign to what they describe as a form of “cascading fraud.” This tactic, first spotted by Malwarebytes, involves cybercriminals hijacking Google Ads accounts to push fraudulent ads — often spawning a vicious cycle of compromised accounts fueling further scams.

In this latest twist, attackers are targeting SEO professionals and marketers by manipulating Google Ads results. They’re using SEO poisoning techniques to promote fake SEMrush ads whenever users search for the platform. The fraudulent ads lead victims to phishing websites that mimic SEMrush’s official page — right down to a near-identical domain name, except for a slight difference in the top-level domain.

Once on the fake site, users are prompted to log in using their Google credentials. Any information entered is instantly harvested by the attackers.

“Google Search plays a central role in the SEO and advertising world,” the researchers warned. “Anyone clicking on a malicious ad like this is at serious risk of having sensitive data stolen — with impacts that could ripple through their business.”

The danger runs deeper because many SEMrush accounts are tightly integrated with Google services. A successful phishing attempt doesn’t just compromise SEMrush access — it could open the door to company emails, analytics, advertising accounts, and other sensitive digital assets.

“This should serve as a wake-up call for marketers and businesses alike,” the researchers added. “Companies need to enforce strict guardrails around account access, especially for anyone managing digital marketing tools or Google Ads accounts.”

As phishing campaigns grow more sophisticated, cybersecurity experts are urging businesses to verify website URLs before entering login information and to educate teams about these increasingly deceptive ad-based attacks.
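The lookalike pattern described above (the brand name kept, the top-level domain changed) can be checked for in proxy or DNS logs. This is an added example, not code from the article or the researchers; the allowlist, the function names and the sample log entries (on reserved `.example` and `.test` TLDs) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organisation treats as genuine for each brand label.
OFFICIAL = {"semrush": {"semrush.com"}}

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def host_of(url):
    """Lowercase hostname of a URL; tolerates a missing scheme, port, userinfo."""
    if not _SCHEME.match(url):
        url = "//" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def classify(url, official=OFFICIAL):
    """Return 'official', 'lookalike' or 'unrelated' for one URL."""
    host = host_of(url)
    genuine = {d for domains in official.values() for d in domains}
    if any(host == d or host.endswith("." + d) for d in genuine):
        return "official"
    # Brand name used as a DNS label on a domain that is not on the allowlist:
    # covers the TLD swap as well as brand-as-subdomain tricks.
    if set(host.split(".")) & set(official):
        return "lookalike"
    return "unrelated"

# Constructed sample: (user, requested URL) pairs as a proxy log might record them.
SAMPLE_LOG = [
    ("alice", "https://www.semrush.com/login/"),
    ("bob",   "https://semrush.example/login/"),            # different TLD
    ("carol", "https://semrush.com.login.test/sso"),        # brand as subdomain
    ("dave",  "https://semrush.com@semrush.test/"),         # userinfo decoy
    ("erin",  "SEMRUSH.COM.:443/pricing"),
    ("frank", "https://example.org/search?q=semrush"),
]

def lookalike_hits(log):
    """Return the (user, url) entries whose host imitates a protected brand."""
    return [(u, url) for u, url in log if classify(url) == "lookalike"]

if __name__ == "__main__":
    for user, url in lookalike_hits(SAMPLE_LOG):
        print(f"ALERT {user}: {url} -> {host_of(url)}")
```

Matching on exact DNS labels keeps false positives low but will not catch misspelled brand names; those need a separate similarity check.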
