Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hundreds of eBike Phishing Sites Abuse Google Ads to Push Scams

Hundreds of eBike Phishing Sites Abuse Google Ads to Push Scams

A large-scale campaign involving over 200 phishing and scam sites has tricked users into giving their personal data to fake investments schemes impersonating genuine brands.

The fraudulent operation relies upon the abuse of Google Ads and SEO to draw victims to hundreds of fake websites targeting the Indian audience.

The campaign was uncovered by Singaporean security firm CloudSEK, which has shared its report exclusively with Bleeping Computer. 

According to analysts Ankit Dobhal and Aryan Singh, the campaign has caused financial damages of up to $1,000,000, coming from tens of thousands of victims.

Also Read: Managing employee data under Singapore’s PDPA

Taking advantage of state incentives

The government in India has recently introduced favorable policies to boost the growth of the country’s EV (electric vehicle) sector.

These policies are forecasted to bring a growth of 90% (CAGR) for the Indian EV market before the end of the decade, making it a $200 billion sector.

Over 400 EV startups have already launched in the country, while existing automotive companies are also aggressively extending their operations in the emerging field.

Scammers have identified these conditions as a fertile ground for trickery, with an explosion of websites attempting to exploit this sudden boom spiking since August 2021 and remaining in large volumes today.

Moreover, CloudSEK reports having identified a shift in the focus of phishing actors during that period, abandoning banking and finance lures in favor of EV themes.

CloudSEK's detections showing a shift in focus
Detections showing a shift in cybercrime focus (CloudSEK)

The phishing operation

The threat actors ensure a steady influx of potential victims by abusing Google Ads, stuffing their phony sites with keywords, and mimicking well-known brands such as Revolt and Ather.

Examples of Google Ads abuse
Examples of Google Ads abuse (CloudSEK)

In many cases, the malicious actors simply copy the content, style, layout, and all images of the legitimate site and create clones.

In other cases, the scammers are building entirely fictional marketplaces using generic words like “ebike,” to supposedly offer products from multiple brands.

Also Read: Race against time: How CSA dissect cyberattacks using sophisticated gadgets

One of the fake marketplaces
One of the fake marketplaces (CloudSEK)

Visitors of these websites are instructed to enter their full names, contact numbers, email addresses, and physical address to register on the platforms.

Once they have completed the registration, the scammers ask them to pay the fee required to become an EV dealer or purchase a product on the site.

Unfortunately, the victims are also giving away their banking/payment details to the crooks at this step.

A domain-generation industry

Although the threat analysts discovered 200 active phishing domains, they warn that the swarm is constantly being refreshed, with new sites taking the place of those reported and taken down.

“They (scammers) register a large number of domains and keep some of them parked for use in the future,” explains the CloudSEK report.

“Hence, if active domains are reported or taken down, they can use the parked domains to continue running the campaign.”

Few of the hundreds domain registrations approved in December
Few of the 1,045 phishing domain registrations approved in December (CloudSEK)

In terms of the impact, the researchers observed between 100 and 200 users registering on these sites per day and estimated the total financial losses to be INR40-80 million ($500,000 – $1,000,000).

A list of scam 100 domains can be seen here, while the remainder 100 has not been disclosed at the request of the affected EV dealer, who is mimicked by all of them.

CloudSEK has told Bleeping Computer they have shared the entire phishing domains list with Google to help stop the Ads abuse.

How to spot fakes

The size of the operation and the scale of the Google Ads abuse is such that spotting the fraudulent sites may be challenging.

Consumers can ensure they’re on the official EV dealer portal by using India’s e-AMRIT database and confirming the relation between URLs and legitimately registered marketplaces.

As for affected businesses, reporting the phishing sites won’t cause much of a disruption for the threat actors. Instead, report them to your state government’s office Cyber Crime Cell to help identify and track down its operators.

Additionally, run awareness-raising campaigns to help your customers understand the risks of phishing, promote official domains, and highlight signs of fraud.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us