Updated November 6 with news of a dangerous new search engine attack.

With “tens of millions of dollars” stolen from “hundreds of thousands” of Internet users, a serious warning has just been issued to the billions of users of the most popular web browsers. Google has removed well-known websites from search results, but that won’t eradicate links elsewhere, on social media and messaging platforms. It is essential that all users know what to look for. In very simple terms, you should not use these websites.

Satori of human security researchers warn that threat actors “drove traffic to fake online stores by infecting legitimate websites with a malicious payload.” This payload creates fake product listings and adds metadata that places these fake listings high in search engine rankings, making them an attractive offer for an unsuspecting consumer. When a consumer clicks on the article link, they are redirected to another website, this one controlled by the malicious actor.

ForbesGoogle update error: Do not change this new Play Store settingBy Zak Doffman

On the unsafe website itself, users would be directed to a legitimate payment processing platform to purchase the product of their choice. Of course, this product would never arrive, but the money would certainly be taken. Although many consumers can be protected from the ultimate financial cost through credit card chargebacks, this is never guaranteed until a claim is investigated.

In the most recently disclosed campaign, malicious actors “infected more than 1,000 websites to create and promote fake product listings and built 121 fake online stores to deceive consumers… estimating losses in the tens of millions dollars over the last five years, including hundreds of thousands. victimized consumers.

So, what can you look for to avoid seeing your money disappear into a black hole:

1. Product deals that seem too good to be true usually are. If a deal is offered below market rates, do not proceed unless you can verify the site.
2. Check website names for consistency with the names that appear in pop-ups, payment processing windows, and the URL. This specific campaign infected legitimate websites then redirected elsewhere
3. Does the ordering process seem completely legitimate? Does it contain autofill address details, for example, does it check the quality of the data you enter
4. If it’s a website you’ve never used before, check the reviews carefully. Remember that they may be fake and look for known reviews on the site.
5. Can you find the product on a well-known site, even if it is more expensive

This campaign, dubbed “phish and ships” by the research team, included a number of sophisticated touches: metadata to appear at the top of search results, although Google removed those known to be fraudulent. By infecting legitimate websites, in this case users would initially be lulled into a false sense of security, but being redirected to a fake online store is where alarm bells should start ringing.

A list of all known fake websites can be found heresome of whom remain active despite known treats according to this latest report.

ForbesWhy you should buy a new Microsoft Windows PC in 2025By Zak Doffman

“This operation highlights the relationship between the digital advertising ecosystem and fraud,” says Satori. “Without the fake listings of organic and sponsored products staged by the threat actors, there would have been no traffic to the fake online stores and therefore no fraud. One of the key takeaways from Phish ‘n’ Ships is that digital advertising can be dangerous, and consumers should exercise caution when taking the next step in a digital journey.

Users of all major browsers fall victim to such attacks. The research team warns that “Phish ‘n’ Ships remains an active threat,” even though Google’s removal has “partially disrupted” its threat. “The threat actors are unlikely to stop their work without trying to find a new way to perpetuate their fraud. »

When it comes to questionable search results that spawn dangerous phishing attacks, another nasty new twist has just been revealed. Malwarebytes warns that “a new wave of phishing aimed at obtaining banking credentials (targets) consumers through Microsoft’s search engine. A Bing search query for “Keybank Connection” currently returns malicious links on the first page, and sometimes in the first search result.

Microsoft’s search share pales in comparison to Google’s, although, just as with its ongoing campaign to push Chrome users to Edge, it is now reaching into its pockets to do the same with Bing, with a new gift of 1 million dollars.

“While Microsoft’s Bing only has about 4% of the search engine market share,” Malwarebytes explains, “scammers are attracted to it as an alternative to Google. A particularly interesting detail is that a phishing site created just two weeks ago is already indexed and displayed before the official site.

This dangerous new campaign successfully inflated the search signals of new malicious sites, tricking users into clicking on top search results for common keywords. “A malicious link appears as the first result and claims to be the Keybank login page…Attackers are abusing Bing’s search algorithms.”

Users clicking on links are redirected to malicious websites designed for the campaign, which uses the lure’s official branding to further deceive users. The intention is simply to harvest identities, logins and passwords. Attackers have even found ways to collect MFA codes to facilitate logins.

Much like the “Phish and Ships” attack, this socially engineered manipulation of search results, combined with behind-the-scenes trickery to shift traffic from legitimate to malicious sites, is clearly effective, earning millions for the attackers.

ForbesMicrosoft Update Decision: 50 Million Windows Users Need to Act NowBy Zak Doffman

Of concern to users will be the soon-to-be-anticipated rise of AI-based search, which not only poses a threat to established search engines, but also to users who lack the long-term defense mechanisms and “spider senses” to see attacks coming.

Ironically, we have also just seen a phishing attack claiming to come from OpenAI itselfwhich hammers home this point about the best of all worlds.

Buyers beware…