Source: Betty LaRue via Alamy Stock Photo

Lowe's employees are being phished for their credentials via sponsored Google ads.

Midway last month, Jérôme Segura, senior director of research at Malwarebytes, came across a small group of malicious websites mimicking MyLowesLife, the hundred-plus-billion-dollar company's employee portal for all things scheduling, pay stubs, etc. The typosquatting domains mimicked the exact structure of the real MyLowesLife, and were sponsored aggressively in Google searches. In one case, when researchers searched for "myloweslife," the top three results were sponsored ads associated with the malicious campaign.

Lowe's employees who followed these links would find few reasons to be suspicious of what they found. The resultant landing page mimicked the real Lowe's employee portal to the tee, with fields for users to submit their sales (account) numbers and passwords. Those who hit 'Login' were then asked for their "Answer to you[sic] security question." All three items of data would then be forwarded to an attacker-controlled phishing kit.

"Stolen credentials give a threat actor access to very valuable information that could be used for identity theft," Segura warns. "Impacted Lowe's employees could be defrauded and suffer monetary losses. In a successful run, several dozen employee accounts could translate into theft related to their benefits or banking details."

Notably, the main homepages for these copycat sites — myloveslife[.]net, mylifelowes[.]org, mylifelowes[.]net, and myliveloves[.]net — were populated by entirely generic, apparently AI-generated templates for retail websites, having nothing to do with Lowe's whatsoever. As Segura explains, this is entirely strategic. Besides saving the threat actor time and effort, having an innocuous homepage could throw off investigators, and make the case for taking down these sites with their domain registrar more difficult.

Why Malvertisements Work

 It's often just quicker and easier to reach the website you're looking for through a quick search, instead of typing a full domain into your browser.

There's also a trust factor built into mainstream search engines, whose algorithms are built to promote safe, reliable results towards the top of any given search. Sponsored results don't earn their real estate on merit, but casual Internet surfers might unthinkingly afford them the same level of trust nonetheless.

These reasons, among others, help explain the general popularity of malvertising as a means of stealing credentials and infecting targeted demographics with malware, and why even technically savvy Internet users have been falling victim to recent campaigns. In only the last few months, for example, Malwarebytes has tracked different scams targeting IT staff, tech-forward early adopters of the Arc browser, and more.

The case involving Lowe's employees is unique since, unlike IT tools and new browsers, it doesn't make logical sense to advertise an internal company portal to the public. In theory, this should make these fake ads easier to spot, both for Web surfers and search providers.

"Google and other search engines could prevent such phishing campaigns by monitoring benefit portals, Single Sign On (SSO) pages, etc. that an 'advertiser' is purchasing ad space for. In fact, we use the same technique to hunt and find those malicious ads, so I believe it could be used to proactively ban accounts before they have a chance to lure in victims," Segura thinks.