Convincing ‘YouTube’ Google ads lead to Windows support scams


A scarily realistic-looking Google Search YouTube advertisement is redirecting visitors to tech support scams pretending to be security alerts from Windows Defender.

Today, cybersecurity firm Malwarebytes disclosed that they discovered a “major” malvertising campaign abusing Google ads.

When searching for “YouTube” related keywords, the first advertisement shown in search results is titled, ‘YouTube – Best of YouTube Videos’ or ‘ – YouTube – Best of YouTube videos for You.’

Looking at the advertisement, there is nothing that looks suspicious, as it contains the correct URL and also shows additional advertising elements underneath the ad, as shown below.

Fake YouTube ad in Google search resultsFake YouTube ad in Google search results
Source: BleepingComputer

However, clicking on the advertisement would not bring you to YouTube but rather to a tech support scam pretending to be a security alert from Windows Defender.

From tests conducted by BleepingComputer, the tech support scams are located on the URLs http://matkir[.]ml and http://159.223.199[.]181/ and warn visitors that ‘Windows was blocked due to questionable activity’ and that Windows Defender detected a Trojan Spyware named ‘Ads.financetrack(2).dll.’

Tech Support Scam shown by Google ad for YoutubeTech Support Scam shown by Google ad for Youtube
Source: BleepingComputer

For those using VPNs, the good news is that the scam sites will check if you are running a VPN and, if so, redirect users to the legitimate YouTube site.

When we called the number listed on the scam site, we were connected to an overseas call center where the “support technician” prompted us to download and install TeamViewer on our devices.

While we did not allow the installation to continue, they would likely have used TeamViewer to take control of our computer to “fix” the error.

In most cases, the scammers would lock your computer somehow or tell you that your computer is infected and that you need to purchase a support license. Either way leads to an expensive support contract that provides no benefit to the victim.

The malvertising campaign is still running on Google Search at this time as demonstrated by a tweet from Malwarebytes.

What makes this malvertising campaign so scary is that it shows that threat actors can create ads that impersonate companies to distribute malware, phishing pages, or other types of attacks.

BleepingComputer has reached out to Google with questions about the advertisement but has not heard back at this time.


  • fromFirefoxToVivaldi Photo fromFirefoxToVivaldi – 3 days ago

    Is Google somehow allowing the ad buyers to spoof the url or is this another punycode fail?

  • U_Swimf Photo U_Swimf – 19 hours ago

    They’re taking advantage of the system that’s in place. This is exactly why i don’t click the first link to any website, especially if it’s marked as AD, as if it makes anything clearer to a user on the difference between link 1 and 2 . Shouldn’t even need to put an ad for YouTube or any 2000 tld that’s being searched for by name. Just redirect ppl . It’s done all the time anyway.

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 20,963 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 50,736 Downloads

  • Zemana AntiMalware Logo

    Zemana AntiMalware

    Version: NA 301,906 Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.0 2M+ Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads


Related posts

New PowerExchange malware backdoors Microsoft Exchange servers

Sarah Henriquez

FIN7 hackers create auto-attack platform to breach Exchange servers

Sarah Henriquez

Zyxel shares tips on protecting firewalls from ongoing attacks

Sarah Henriquez

Leave a Comment