A phishing operation that targets corporate banking accounts across the globe has been analyzed in a new report by CTM360. The campaign uses fake Google ads and advanced filtering techniques to steal sensitive login credentials and bypass MFA.
Researchers uncovered more than 12,000 malicious redirector URLs spread across 35 unique potential phishing redirector templates. The infrastructure supports two distinct phishing techniques, both of which are difficult to detect and designed to evade automated scanning tools.
What makes this campaign stand out is its reach and the real-time control attackers maintain over the phishing sessions. Instead of using static, one-size-fits-all phishing pages, the threat actors interact with the victim in real time. They guide targets through each step of the banking login and transaction process, dynamically responding to security prompts and collecting every credential or code required to access accounts and initiate fund transfers.
How the scam works
The attackers start by buying Google ads linked to common search terms used by business customers looking for online banking portals. When someone clicks on one of these ads, they are redirected to a phishing page designed to mimic their bank’s login screen. This happens in two ways:
Domain redirection: The ad takes the user to a redirector domain that checks their device, location, and behavior. If they meet specific criteria, they are sent to the phishing page. If not, they are sent to a harmless site, such as a blog or small business page. This helps the attackers stay hidden from researchers and automated detection tools.
Internal redirection: The ad points to a single domain that hosts both the redirector and the phishing content. Attackers use subdirectories or subdomains and apply similar filtering tactics to hide the phishing site from most visitors.
Once a target is identified and lands on the phishing page, the attack becomes interactive. The page sends victim behavior data to the threat actor’s command and control server. The attacker then mirrors the victim’s login attempt on the real banking site.
When the real site asks for additional verification, such as an OTP or security question, the phishing site immediately prompts the victim to enter the same information. This live relay lets attackers bypass MFA in real time. Some phishing kits even simulate bank messages to buy time, telling victims that the system is under maintenance or asking for additional logins from company administrators.
Once inside the bank account, attackers move quickly. They initiate transactions to money mule accounts, then convert the funds to cryptocurrency. In some cases, the victim is eventually redirected to their real bank website to avoid raising suspicion.
Why this campaign matters
This phishing campaign goes beyond typical credential-harvesting scams. It is selective, adaptive, and built for scale. The use of ad platforms like Google Ads gives attackers visibility and reach, while advanced filtering makes their infrastructure hard to track.
The fake banking portals are not just close imitations. They are controlled in real time, with command sequences that respond to each victim’s interaction. Commands like “OTP,” “QUESTION,” or “2ND_USER” prompt the user to hand over additional details, scan QR codes, or involve other employees, increasing the potential damage.
Researchers observed thousands of redirector domains, hundreds of unique phishing URLs, and targeting activity across North America, the Middle East, and Europe. Financial institutions, especially those offering commercial or treasury services, are the primary focus.
What companies should do
Researchers recommend that financial institutions and their business customers take proactive steps to reduce exposure to these types of phishing attacks.
For banks and financial service providers:
- Monitor your web traffic for unusual referrers or traffic from suspicious domains. Redirectors often spoof legitimate domains or appear in referral logs.
- Offer device binding features to customers. This allows transactions only from trusted devices.
- Educate clients about the risks of search engine manipulation and encourage direct navigation to online banking portals rather than using search engines.
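One way to act on the first recommendation above, monitoring login-page traffic for unexpected referrers, is shown below as an added example; it is not code from CTM360 or from the report, and every host name, path and log line in it is constructed for illustration. It parses web server access logs in the common "combined" format, keeps only requests to the bank's login page, and reports referrer hosts that are neither the bank's own properties nor empty, giving extra weight to look-alike hosts that carry the brand name.

```python
"""Referrer monitoring for a bank login page (added example, not from the CTM360 report).

Assumptions (all constructed for illustration):
- The web server writes Apache/Nginx "combined" access logs.
- The bank's own web properties are the hosts in TRUSTED_HOSTS (placeholder names).
- The corporate login page lives under LOGIN_PATH.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"examplebank.test", "www.examplebank.test"}  # placeholder, not a real bank
LOGIN_PATH = "/corp/login"
BRAND_TOKEN = "examplebank"  # substring used to spot look-alike referrer hosts

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one direct visit, one internal navigation, one look-alike
# referrer, three submissions arriving from the same unrelated site, and one
# non-login request that should be ignored.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2025:09:01:02 +0000] "GET /corp/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [12/May/2025:09:01:09 +0000] "GET /corp/login HTTP/1.1" 200 5120 "https://www.examplebank.test/" "Mozilla/5.0"',
    '198.51.100.5 - - [12/May/2025:09:02:15 +0000] "GET /corp/login HTTP/1.1" 200 5120 "https://examplebank-secure-portal.test/go" "Mozilla/5.0"',
    '198.51.100.6 - - [12/May/2025:09:02:40 +0000] "POST /corp/login HTTP/1.1" 302 0 "https://gardening-tips.test/redir" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2025:09:03:01 +0000] "POST /corp/login HTTP/1.1" 302 0 "https://gardening-tips.test/redir" "Mozilla/5.0"',
    '198.51.100.8 - - [12/May/2025:09:03:22 +0000] "POST /corp/login HTTP/1.1" 302 0 "https://gardening-tips.test/redir" "Mozilla/5.0"',
    '203.0.113.12 - - [12/May/2025:09:04:00 +0000] "GET /corp/accounts HTTP/1.1" 200 9000 "https://news-site.test/" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    referer = rec["referer"]
    # "-" means no Referer header was sent (typed URL, bookmark, or stripped by policy)
    rec["referer_host"] = "" if referer == "-" else (urlsplit(referer).hostname or "")
    return rec


def classify_referer(host):
    """Label where a login-page visitor came from."""
    if host == "":
        return "direct"
    if host in TRUSTED_HOSTS:
        return "internal"
    if BRAND_TOKEN in host:
        return "lookalike"  # carries the brand name but is not one of our hosts
    return "external"


def suspicious_referers(lines, threshold=3):
    """Count login-page hits per external or look-alike referrer host.

    Returns a list of (host, hits, label) tuples, most frequent first. External
    hosts are reported once they reach `threshold` hits; look-alike hosts are
    reported on a single hit because the name itself is the signal.
    """
    counts = Counter()
    labels = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(LOGIN_PATH):
            continue
        label = classify_referer(rec["referer_host"])
        if label in ("external", "lookalike"):
            counts[rec["referer_host"]] += 1
            labels[rec["referer_host"]] = label
    return [
        (host, hits, labels[host])
        for host, hits in counts.most_common()
        if hits >= threshold or labels[host] == "lookalike"
    ]


if __name__ == "__main__":
    for host, hits, label in suspicious_referers(SAMPLE_LOG):
        print(f"{label:10s} {hits:4d}  {host}")
```

The threshold keeps ordinary one-off referrals (a news article linking to the bank) out of the report, while a look-alike host is surfaced immediately. In practice this runs over a rolling window of real logs rather than a fixed list, and a hit is a lead for analysts to visit the referrer from a clean, instrumented browser, since the report notes that redirectors filter visitors and show unrelated content to anyone who does not fit the target profile.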
For companies using corporate banking services:
- Avoid searching for your bank’s login page through Google. Instead, bookmark the legitimate URL or access it through a secure internal portal.
- Watch for unexpected prompts during login, especially those asking for multiple user logins or security questions out of the usual order.
- Train employees to spot the signs of phishing attempts and report suspicious login pages immediately.
- Consider implementing out-of-band authentication for sensitive transactions.
A persistent threat
This campaign reflects an evolution in phishing tactics, where attackers use automation, live control, and targeted filtering to improve their success rate and avoid detection. It also shows how platforms like Google Ads can be misused to lend credibility to malicious links.
Because the phishing content is only shown to carefully selected victims, much of the infrastructure remains undetected for long periods. This allows attackers to run high-value campaigns at scale while staying below the radar.
Phishing kits are growing more sophisticated and interactive, so spam filters and MFA alone are no longer enough. Defense now requires tighter collaboration between businesses, financial institutions, and ad networks. It also requires vigilance, awareness, and a shift in user habits.
For a deeper look at the phishing infrastructure, attack flow, and technical indicators, download CTM360’s CyberHeist Phish report.