A scarily realistic-looking Google Search YouTube advertisement is redirecting visitors to tech support scams pretending to be security alerts from Windows Defender.
Today, cybersecurity firm Malwarebytes disclosed that they discovered a “major” malvertising campaign abusing Google ads.
When searching for “YouTube” related keywords, the first advertisement shown in search results is titled, ‘YouTube – Best of YouTube Videos’ or ‘YouTube.com – YouTube – Best of YouTube videos for You.’
Looking at the advertisement, there is nothing that looks suspicious, as it contains the correct youtube.com URL and also shows additional advertising elements underneath the ad, as shown below.
Fake YouTube ad in Google search results
Source: BleepingComputer
However, clicking on the advertisement would not bring you to YouTube but rather to a tech support scam pretending to be a security alert from Windows Defender.
From tests conducted by BleepingComputer, the tech support scams are located on the URLs http://matkir[.]ml and http://159.223.199[.]181/ and warn visitors that ‘Windows was blocked due to questionable activity’ and that Windows Defender detected a Trojan Spyware named ‘Ads.financetrack(2).dll.’
Tech Support Scam shown by Google ad for Youtube
Source: BleepingComputer
For those using VPNs, the good news is that the scam sites will check if you are running a VPN and, if so, redirect users to the legitimate YouTube site.
When we called the number listed on the scam site, we were connected to an overseas call center where the “support technician” prompted us to download and install TeamViewer on our devices.
While we did not allow the installation to continue, they would likely have used TeamViewer to take control of our computer to “fix” the error.
In most cases, the scammers would lock your computer somehow or tell you that your computer is infected and that you need to purchase a support license. Either way leads to an expensive support contract that provides no benefit to the victim.
The malvertising campaign is still running on Google Search at this time as demonstrated by a tweet from Malwarebytes.
We detected a major malvertising campaign abusing Google Ads.
Stay tuned for our full report on this campaign. pic.twitter.com/VzAdtgVR3q
— Malwarebytes Threat Intelligence (@MBThreatIntel) July 20, 2022
What makes this malvertising campaign so scary is that it shows that threat actors can create ads that impersonate companies to distribute malware, phishing pages, or other types of attacks.
BleepingComputer has reached out to Google with questions about the advertisement but has not heard back at this time.
Comments
-
fromFirefoxToVivaldi – 3 days ago
Is Google somehow allowing the ad buyers to spoof the url or is this another punycode fail?
-
U_Swimf – 19 hours ago
They’re taking advantage of the system that’s in place. This is exactly why i don’t click the first link to any website, especially if it’s marked as AD, as if it makes anything clearer to a user on the difference between link 1 and 2 . Shouldn’t even need to put an ad for YouTube or any 2000 tld that’s being searched for by name. Just redirect ppl . It’s done all the time anyway.
-
Everything Desktop Search
Version: 1.4.1.1017 20,963 Downloads
-
Zemana AntiLogger Free
Version: 1.8.2.320 50,736 Downloads
-
Zemana AntiMalware
Version: NA 301,906 Downloads
-
Windows Repair (All In One)
Version: 4.13.0 2M+ Downloads
-
AdwCleaner
Version: 8.3.2.0 56M+ Downloads
