Research identified a malvertising campaign targeting employees of Lowe’s. The campaign uses Google ads to harvest the credentials of current and former employees. The ads appear when someone searches Google for the Lowe’s internal HR portal, MyLowesLife. The URLs in these ads closely resemble the legitimate URL for the HR portal and may deceive a target into clicking them.

Once a target clicks on the ad, they are taken to a phishing page that matches the structure of the legitimate MyLowesLife website. There, the target is prompted to enter their sales number and password, and is then directed to enter their security question. The information entered into the phishing website is transferred to the threat actor, and the target is redirected to the legitimate website, where they are prompted to log in again. While this could raise suspicion for some users, many may believe the website simply glitched and will not give the occurrence a second thought.
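Because the phishing page hands the victim back to the real portal, the portal's own access logs can expose the lookalike site. The following is an added detection sketch, not code from the research: it lists login-page hits whose Referer is an untrusted host and marks those that resemble the portal name. The host `hr-portal.example`, the token `hrportal`, the log format and every log line are constructed placeholders, and it assumes the redirect carries a Referer header.

```python
import re
from urllib.parse import urlsplit

PORTAL_HOST = "hr-portal.example"   # placeholder for the real portal host
BRAND = "hrportal"                  # placeholder brand token to compare against
TRUSTED = {PORTAL_HOST, "www.google.com"}

# Constructed sample log: time, client IP, method, path, Referer
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 198.51.100.7 GET /login https://www.google.com/
2024-05-01T09:02:13Z 198.51.100.9 GET /login https://hrportall-signin.example/done
2024-05-01T09:03:40Z 203.0.113.4 GET /login https://hr-portal.example/home
2024-05-01T09:05:02Z 203.0.113.8 GET /login https://my-hrp0rtal.example/q
2024-05-01T09:06:55Z 203.0.113.9 GET /login https://intranet-wiki.example/links
2024-05-01T09:07:10Z 203.0.113.9 GET /login -
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_brand(host, max_dist=2):
    """True if any dot/hyphen token, or a hyphen-stripped label, is near BRAND."""
    host = host.lower()
    tokens = set(re.split(r"[.-]", host))
    tokens |= {label.replace("-", "") for label in host.split(".")}
    return any(BRAND in t or edit_distance(t, BRAND) <= max_dist for t in tokens if t)

def suspicious_referrers(log_text):
    """Return (client, referrer host, lookalike?) for untrusted login referrers."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, path, referer = line.split()
        host = urlsplit(referer).hostname   # None when the Referer is "-"
        if path != "/login" or host is None or host in TRUSTED:
            continue
        hits.append((client, host, looks_like_brand(host)))
    return hits
```

A phishing page can suppress the Referer with a restrictive referrer policy, so an empty result does not rule the campaign out.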

“The danger here lies in the fact that many individuals trust mainstream search engines as reliable, assuming that the first result, regardless of it being sponsored, is legitimate. This misplaced trust leads to users clicking on fraudulent sites, which is exactly what threat actors exploit,” says Max Gannon, Cyber Intelligence Team Manager at Cofense. “This malvertising campaign serves as an important reminder to stay vigilant and exercise caution when engaging in sponsored search results. It is important to always verify the authenticity of a website or enter the full domain into your browser before entering any credentials.”

This threat is not limited to Lowe's employees, according to the research, as threat actors are targeting other organizations with similar tactics.