Check Point Research (CPR) discovered a “giant search engine phishing campaign” that resulted in the theft of at least half a million dollars in cryptocurrencies from users.

“Last weekend, Check Point Research found hundreds of incidents where crypto investors lost their money while trying to download and install well-known crypto wallets or change their currencies on conversion platforms like PancakeSwap or Uniswap,” he said.

“I just installed the Phantom wallet and, in a way, I ended up downloading the schema,” said a user on Reddit, stating: “I’m a bit of a layman [em relação] to wallets”.

The scam, found by CPR, also affected users of MetaMask and Phantom, two popular cryptocurrency wallets, as fraudsters mimicked legitimate sites almost perfectly.

“Last weekend, CPR researchers found several phishing sites that looked like the original sites as fraudsters copied their design,” he added.

Phantom and MetaMask

For the Phantom domain, users were finding phishing domains like “phanton.app” or “phantonn.app” instead of the legitimate “phantom.app”.

The same happened with the MetaMask fraudster tactics, in which domain names like “MètaMask” appeared via advertising campaigns on Google. In the case of MetaMask, scammers were also trying to steal private keys to access their wallets.

“What makes this phishing campaign unique is the fact that scammers are not sending phishing links via email, like traditional phishing scams,” explained CPR.

“Instead, they’re using Google advertising campaigns to make their phishing sites appear before the original site when someone searches for keywords.”

But what can users do to protect themselves? CPR provided preventative steps for crypto users.

Include searching for the first site that appears in your search and ensuring it’s not an advertisement. CPR suggests that users never provide their passwords.

Last but not least, “always check the URLs”, he recalls.

*Translated and edited by Daniela Pereira do Nascimento with permission from Decrypt.co.