Lowe’s home warehouse employees targeted in Google ad phish


A new phishing campaign targeting Lowe’s workers with fake Google ads – that would show up when doing a Google search for the company’s employee portal – has been discovered by researchers at Malwarebytes Labs.

The deceptive malvertising campaign, uncovered in mid-August, attempted to trick Lowe’s workers searching for their employee portal – MyLowesLife – via the Google search engine.

Malwarebytes said, the phishing scheme involved creating ads that directed users to a fake MyLowesLife login page, which was designed to closely resemble the legitimate portal.

ADVERTISEMENT

Once the employee clicks on the fraudulent website link address in the Google ad, they are taken to a legitimate-looking MyLowesLife login page, and unsuspectingly, type in their login information for the hackers to steal.

The MyLowesLife employee portal provides access to schedules, pay stubs, and benefits. According to the Lowe’s website, the US home improvement warehouse chain currently employs more than 280,000 workers.

Both current and former Lowe’s employees were said to have fallen victim to the scam. Malwarebytes also noted that the criminals have gone after other companies as well, although the research did not mention any specific names.

The cyber scammers' tactic relies on the tendency of users to trust Google search results and click on the top links, rather than manually entering a URL, the researchers said.

Max Gannon, Cyber Intelligence Team Manager at Cofense said the danger is that many users "trust mainstream search engines as reliable," and often “assume that the first result, regardless of it being sponsored, is legitimate.”

“This misplaced trust leads to users clicking on fraudulent sites, which is exactly what threat actors exploit,” Gannon explained.

ADVERTISEMENT

AI used to create fake Google ads

Two different advertiser accounts were identified as impersonating MyLowesLife, and in some cases, multiple fraudulent ads appeared consecutively, the research found.

The URLs associated with the ads were deliberately designed to resemble the legitimate myloweslife (dot) com – a common tactic used by cybercriminals.

The phishing sites had been constructed using AI-generated templates that presented a generic Lowe’s retail store homepage, rather than a replica of the MyLowesLife portal.

Researchers say this was likely done to evade detection, as such generic templates are less likely to raise red flags with domain registrars or hosting providers.

Lowe's employee phish Malwarebytes
Exact replica of the real Lowe’s portal that prompts users for their Sales Number and Password. Images by Malwarebytes.

Upon clicking the fraudulent Google ads, users were directed to a fake login page within a directory named ‘wamapps,’ which mimicked the structure of the real MyLowesLife website.

The fake site prompted users to enter their Sales Number and Password. Once entered, this information was sent back to the attackers through a POST request.

Subsequently, users were asked to answer a security question, a measure used by Lowe’s to secure accounts in cases of unusual activity.

After providing these details, victims were redirected to the legitimate MyLowesLife website and asked to log in again. Malwarebytes said, that while this might have raised suspicions for some users, more than likely most would have assumed it was simply a system glitch.

ADVERTISEMENT

Users urged to stay vigilant

Malwarebytes believes the stolen credentials are most likely being sold on the dark web to other cybercriminals.

The researchers warn that when using search engines to find employee portals – no matter what the company – users need to be careful not to click on sponsored search results. Instead, they say individuals should scroll down to find the official website or use bookmarks for sites they frequently visit.

Gannon agrees the Lowe’s campaign serves as “an important reminder to stay vigilant and exercise caution when engaging in sponsored search results.”

“It is important to always verify the authenticity of a website or enter the full domain into your browser before entering any credentials,” Gannon said.

Malwarebytes said they reported the malicious ads to Google, who then removed them from the their search results.

As of July, 2024, Lowe’s has more than 1800 stores across the US, located in all 50 states, online data site Hasdata reports.

ADVERTISEMENT