Select Page

Cyren Security Blog

Bitcoin Phishing Targets Users via Google AdWords

As we have pointed out several times, cybercrime is a business, and running a malware or phishing campaign does require some financial investment by the bad actors. Rental of botnets, purchase of exploit kits, and acquisition of compromised site lists are all expenses that need to be covered by the campaign.

A recent phishing attack detected by Cyren clearly shows this investment, as the attack vector is pay-per-click advertising via Google AdWords.

“blockchain” vs. “bioklchain”

The Ad showed up in response to searches for “blockchain” – a bitcoin related term. Close analysis of the advert shows that the link is actually to – but at a casual glance the link appears to lead to the legitimate “”. Interestingly, Bitcoin addresses are Base58Check encoded so they exclude potentially confusing characters such as 0 (number zero), O (capital o), l (lower L), I (capital i), and the symbols ‘+’ and ‘/,’”.


Google is aware that this sort of abuse of AdWords is possible and claim to have blocked 7,000 phishing sites that tried to use AdWords in 2015:

Fake Login Page

Unwary victims who clicked on the link were led to the phishing page with only one working link – the “login now” button – none of the other buttons are actually clickable.

AdWords Login

Clicking on “Login now” leads to a credential entry page that is quite similar to the “legacy login” of the real site. This is the page where the actual phishing happens.


A similar attack from 2014 also used AdWords and also targeted blockchain searchers – suggesting that the current attack was the work of the same group.

Learn more about how to get protected against phishing attacks.

You might also like

Square Enix Phishing Campaign

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021. During this period, we detected a total of 47,076 URLs for...