Categories: CyberHoot

Malvertising Alert: Phishing Campaign Targets Onfido Users via Google Ads

In April 2025, cybersecurity firm Push Security uncovered a sophisticated malvertising campaign targeting Onfido users. Onfido is a digital identity verification platform widely used in fintech, HR, and other regulated industries. This campaign leveraged Google Ads and the Evilginx phishing tool, a publicly available phishing solution used to deceive users into revealing sensitive credentials.

The Attack Unveiled

The attackers purchased Google Ads that appeared above legitimate Onfido search results. These ads directed users to a counterfeit login page hosted on a deceptive domain: dashboard.onfido.us.com. While resembling a legitimate U.S. government domain, .us.com is a commercial domain, making it easier for malicious actors to exploit.

Once users clicked the ad, they were taken to a cloned Onfido login page. This page was generated using Evilginx, a man-in-the-middle phishing tool that proxies legitimate login pages to capture session tokens and credentials. Notably, the phishing page was configured to display correctly only when accessed via the malicious Google Ad. Direct visits to the domain resulted in a redirection to a 404 page on the legitimate Onfido site, a tactic designed to evade detection by security scanners.

Implications and Risks

This malvertising phishing campaign demonstrates the increasing sophistication of phishing attacks. Specifically, attackers are pursuing:

  • Diversification of Targets: Attackers are moving beyond traditional targets like Microsoft and Google, focusing on platforms like Onfido that manage sensitive authentication data. Similar targeting can be expected for competitors such as ID Now or Ping Identity.
  • Bypassing Traditional Defenses: By exploiting Google Ads, attackers circumvent email-based security measures, reaching users through trusted channels.
  • Advanced Evasion Techniques: The use of Evilginx and conditional page rendering demonstrates a high level of sophistication aimed at avoiding detection.

Protective Measures

To mitigate such threats:

  • Educate and Test Employees: Run regular training and positive phishing simulations that help staff recognize and avoid phishing attacks. Alert them to emerging risks tied to web search results and sponsored advertisements.
  • Cautious Browsing: Be wary of sponsored links in search results. Prioritize direct navigation to known websites.
  • Verify URLs: Ensure the domain matches the official website before entering credentials.
  • Implement Multi-Factor Authentication (MFA): MFA adds an additional layer of security, making unauthorized access more difficult.
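The "Verify URLs" step can be automated, for example in a web proxy or link-checking tool. The following is an added example, not code from CyberHoot or Push Security; it assumes onfido.com is the official domain, and the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the official registrable domain(s); not stated on the page.
OFFICIAL_DOMAINS = {"onfido.com"}
# Brand strings to watch for in hostnames that are NOT official.
BRAND_LABELS = {"onfido"}


def normalise_host(url: str) -> str:
    """Lower-cased hostname without userinfo, port or trailing dot."""
    if "://" not in url.split("?")[0]:
        url = "//" + url  # allow bare hostnames such as "onfido.com"
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def naive_check(url: str) -> bool:
    """Weak check: what a hurried reader does, 'the brand is in the address'."""
    return any(b in normalise_host(url) for b in BRAND_LABELS)


def is_official(host: str) -> bool:
    """True only for an official domain or a subdomain on a dot boundary."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify(url: str) -> str:
    host = normalise_host(url)
    if not host:
        return "invalid"
    if is_official(host):
        return "official"
    # Brand text inside any label of a non-official host is a lookalike signal.
    if any(b in label for label in host.split(".") for b in BRAND_LABELS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://dashboard.onfido.com/login",
        "https://dashboard.onfido.us.com/login",       # domain named in the article
        "https://onfido.com@dashboard.onfido.us.com/",  # userinfo trick
        "https://example.org/",
    ]
    for u in samples:
        print(f"{classify(u):10} naive={naive_check(u)!s:5} {u}")
```

The naive check accepts dashboard.onfido.us.com because the brand appears in the hostname, while the suffix match on a dot boundary rejects it.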

As cyber threats evolve, staying informed is very important. Organizations must proactively adopt early warning strategies to alert staff to emerging security threats. Subscribe to CyberHoot’s newsletters here to stay ahead of these threats.

Published by
rssfeeds-admin
