Phishing Campaign Abuses Fake Google Security Page to Deploy Browser-Spying Malware

Overview

Security researchers at Malwarebytes have uncovered an active phishing campaign that uses a fraudulent domain, google-prism[.]com, to impersonate legitimate Google security verification pages. Once a victim interacts with the fake page, malware is silently deployed that turns the victim's browser into a covert spying instrument.

How the Attack Works

The attack chain begins when a user is directed to the malicious domain, which is designed to closely mimic the look and feel of an authentic Google security check interface. The social engineering lure creates urgency by prompting users to complete a supposed security verification step.

  • The fake page mimics Google's visual identity to establish trust.
  • Upon interaction, malware is installed within the browser environment.
  • The malware is capable of intercepting and exfiltrating two-factor authentication (2FA) codes.
  • It also monitors and steals clipboard data, which may include passwords, crypto wallet addresses, or other sensitive information copied by the user.

Key Threat Indicators

  • Malicious Domain: google-prism[.]com
  • Attack Vector: Phishing / Social Engineering
  • Payload Capabilities: 2FA code theft, clipboard data harvesting
  • Target: General browser users
  • Researcher Attribution: Malwarebytes

Why This Campaign Is Dangerous

The ability to steal 2FA codes is particularly alarming, as it undermines one of the most widely recommended account security measures. Combined with clipboard monitoring, threat actors can capture a wide range of sensitive data — including one-time passwords, private keys, and credentials — without requiring deep system access.

The use of a domain closely resembling a trusted brand like Google significantly increases the likelihood of user deception, especially for non-technical audiences who may not scrutinize URLs carefully.

Recommendations

  • Verify URLs carefully before entering any credentials or completing security prompts — legitimate Google pages will always use google.com subdomains.
  • Use browser-based security extensions or endpoint protection tools that flag known malicious domains.
  • Be cautious of any unsolicited security check pages, especially those creating urgency.
  • Avoid copying sensitive data (passwords, seed phrases) to the clipboard on untrusted devices or sessions.
  • Keep browsers and security software updated to benefit from the latest threat intelligence.
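
The first two recommendations can be turned into a log check. The sketch below is an added example, not code from Malwarebytes or the original report: it parses the real hostname from each URL and flags both the listed domain and any other host that uses the brand name outside google.com. The log format, the sample lines, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# IoC from this page, kept defanged in source and refanged only at runtime.
IOC = "google-prism[.]com".replace("[.]", ".")
# Assumption: google.com is the only trusted parent, as the recommendation states.
# A production allowlist would need other Google-owned domains too.
TRUSTED_PARENTS = ("google.com",)
BRAND = "google"

def hostname_of(url_or_host):
    """Lowercase hostname of a URL or bare host, without port or trailing dot."""
    value = url_or_host.strip()
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host as a netloc
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def is_under(host, parent):
    """True for the parent itself or a real subdomain (label-boundary match)."""
    return host == parent or host.endswith("." + parent)

def classify(url_or_host):
    host = hostname_of(url_or_host)
    if is_under(host, IOC):
        return "ioc"
    if any(is_under(host, p) for p in TRUSTED_PARENTS):
        return "trusted"
    if BRAND in host:  # brand name used outside the trusted parent
        return "lookalike"
    return "other"

# Constructed proxy log lines: "<timestamp> <client-ip> <url>"
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z 10.0.0.5 https://accounts.google.com/signin",
    f"2024-05-01T09:00:07Z 10.0.0.8 https://{IOC}/",
    "2024-05-01T09:01:12Z 10.0.0.8 https://google.com.account-check.example/login",
    "2024-05-01T09:02:30Z 10.0.0.9 https://www.example.org/",
]

def scan(lines):
    """Return (client, host, verdict) for every IoC or lookalike request."""
    hits = []
    for line in lines:
        _ts, client, url = line.split(maxsplit=2)
        verdict = classify(url)
        if verdict in ("ioc", "lookalike"):
            hits.append((client, hostname_of(url), verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The label-boundary match in is_under is the part that matters: a plain substring or suffix test would treat google.com.account-check.example or notgoogle.com as trusted.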

Source

This intelligence was reported by Fox News, based on findings from Malwarebytes researchers.