Malvertising Campaign Builds a Phish for Lowe's Employees

Published: 23/11/2024   Category: security


Retail employees are being duped into divulging their credentials by typosquatting malvertisements.



Lowe's employees are being phished for their credentials via sponsored Google ads.
Midway through last month, Jérôme Segura, senior director of research at Malwarebytes, came across a small group of malicious websites mimicking MyLowesLife, the hundred-plus-billion-dollar company's employee portal for all things scheduling, pay stubs, etc. The typosquatting domains mimicked the exact structure of the real MyLowesLife, and were sponsored aggressively in Google searches. In one case, when researchers searched for "myloweslife," the top three results were sponsored ads associated with the malicious campaign.
Lowe's employees who followed these links would find few reasons to be suspicious of what they found. The resultant landing page mimicked the real Lowe's employee portal to a tee, with fields for users to submit their sales (account) numbers and passwords. Those who hit "Login" were then asked for their "Answer to you [sic] security question." All three items of data would then be forwarded to an attacker-controlled phishing kit.
"Stolen credentials give a threat actor access to very valuable information that could be used for identity theft," Segura warns. Impacted Lowe's employees could be defrauded and suffer monetary losses. In a successful run, several dozen employee accounts could translate into theft related to their benefits or banking details.
Notably, the main homepages for these copycat sites (myloveslife[.]net, mylifelowes[.]org, mylifelowes[.]net, and myliveloves[.]net) were populated by entirely generic, apparently AI-generated templates for retail websites, having nothing to do with Lowe's whatsoever. As Segura explains, this is entirely strategic. Besides saving the threat actor time and effort, having an innocuous homepage could throw off investigators, and make the case for taking down these sites with their domain registrar more difficult.
It's often just quicker and easier to reach the website you're looking for through a quick search, instead of typing a full domain into your browser.
There's also a trust factor built into mainstream search engines, whose algorithms are built to promote safe, reliable results towards the top of any given search. Sponsored results don't earn their real estate on merit, but casual Internet surfers might unthinkingly afford them the same level of trust nonetheless.
These reasons, among others, help explain the general popularity of malvertising as a means of stealing credentials and infecting targeted demographics with malware, and why even technically savvy Internet users have been falling victim to recent campaigns. In only the last few months, for example, Malwarebytes has tracked different scams targeting IT staff, tech-forward early adopters of the Arc browser, and more.
The case involving Lowe's employees is unique since, unlike IT tools and new browsers, it doesn't make logical sense to advertise an internal company portal to the public. In theory, this should make these fake ads easier to spot, both for Web surfers and search providers.
"Google and other search engines could prevent such phishing campaigns by monitoring benefit portals, Single Sign On (SSO) pages, etc. that an advertiser is purchasing ad space for. In fact, we use the same technique to hunt and find those malicious ads, so I believe it could be used to proactively ban accounts before they have a chance to lure in victims," Segura thinks.
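
As an added illustration (not code from Malwarebytes or from the original article), the Python sketch below shows one way a defender could screen ad landing domains for lookalikes of the portal name: it compares each domain label against every ordering of the brand tokens and flags near matches. The allowlist entry `myloweslife.example` is a placeholder for the real portal domain, the two control domains are constructed, and the two-edit threshold is an assumption.

```python
from itertools import permutations

BRAND_TOKENS = ("my", "lowes", "life")  # tokens of the portal name searched for in the article
ALLOWED = {"myloweslife.example"}       # placeholder standing in for the real portal domain

# Constructed sample of ad landing domains: the four named in the article plus two controls.
SAMPLE_AD_DOMAINS = [
    "myloveslife[.]net", "mylifelowes[.]org", "mylifelowes[.]net",
    "myliveloves[.]net", "myloweslife.example", "gardentools.example",
]

def refang(domain):
    """Normalise a defanged indicator such as 'site[.]net' to 'site.net'."""
    return domain.strip().lower().replace("[.]", ".")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_distance(domain):
    """Smallest edit distance from the domain's label to any ordering of the brand tokens."""
    parts = refang(domain).split(".")
    # Simplification: the label left of the final suffix; multi-part suffixes are not handled.
    label = parts[-2] if len(parts) > 1 else parts[0]
    return min(edit_distance(label, "".join(p)) for p in permutations(BRAND_TOKENS))

def flag_ad_domains(domains, max_edits=2):
    """Return {domain: distance} for non-allowlisted domains within max_edits of the brand."""
    hits = {}
    for raw in domains:
        domain = refang(raw)
        if domain in ALLOWED:
            continue
        dist = lookalike_distance(domain)
        if dist <= max_edits:
            hits[domain] = dist
    return hits

if __name__ == "__main__":
    for domain, dist in flag_ad_domains(SAMPLE_AD_DOMAINS).items():
        print(f"{dist} edit(s) from a brand-token ordering: {domain}")
```

Checking token orderings matters here because two of the four domains reorder the words of the portal name rather than misspell it, so a plain edit-distance check against the single string "myloweslife" would miss them.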
