A scarily realistic-looking Google Search YouTube advertisement is redirecting visitors to tech support scams pretending to be security alerts from Windows Defender.
Today, cybersecurity firm Malwarebytes disclosed that they discovered a "major" malvertising campaign abusing Google ads.
When searching for "YouTube" related keywords, the first advertisement shown in search results is titled, 'YouTube - Best of YouTube Videos' or 'YouTube.com - YouTube - Best of YouTube videos for You.'
Looking at the advertisement, there is nothing that looks suspicious, as it contains the correct youtube.com URL and also shows additional advertising elements underneath the ad, as shown below.
However, clicking on the advertisement would not bring you to YouTube but rather to a tech support scam pretending to be a security alert from Windows Defender.
From tests conducted by BleepingComputer, the tech support scams are located on the URLs http://matkir[.]ml and http://159.223.199[.]181/ and warn visitors that 'Windows was blocked due to questionable activity' and that Windows Defender detected a Trojan Spyware named 'Ads.financetrack(2).dll.'
For those using VPNs, the good news is that the scam sites will check if you are running a VPN and, if so, redirect users to the legitimate YouTube site.
When we called the number listed on the scam site, we were connected to an overseas call center where the "support technician" prompted us to download and install TeamViewer on our devices.
While we did not allow the installation to continue, they would likely have used TeamViewer to take control of our computer to "fix" the error.
In most cases, the scammers would lock your computer somehow or tell you that your computer is infected and that you need to purchase a support license. Either way leads to an expensive support contract that provides no benefit to the victim.
The malvertising campaign is still running on Google Search at this time as demonstrated by a tweet from Malwarebytes.
We detected a major malvertising campaign abusing Google Ads.
— Malwarebytes Threat Intelligence (@MBThreatIntel) July 20, 2022
Stay tuned for our full report on this campaign. pic.twitter.com/VzAdtgVR3q
What makes this malvertising campaign so scary is that it shows that threat actors can create ads that impersonate companies to distribute malware, phishing pages, or other types of attacks.
BleepingComputer has reached out to Google with questions about the advertisement but has not heard back at this time.
Comments
fromFirefoxToVivaldi - 1 year ago
Is Google somehow allowing the ad buyers to spoof the url or is this another punycode fail?
U_Swimf - 1 year ago
They're taking advantage of the system that's in place. This is exactly why i don't click the first link to any website, especially if it's marked as AD, as if it makes anything clearer to a user on the difference between link 1 and 2 . Shouldn't even need to put an ad for YouTube or any 2000 tld that's being searched for by name. Just redirect ppl . It's done all the time anyway.
atbattson - 9 months ago
Month and a half later and its still happening. Its sad that it can happen at all but even more of a laughing stock as its spoofing googles own site. In the era of their "amazing" ai it makes me chuckle that they cannot even get this fixed.