Fraudsters Are Running a Malicious Advertising Campaign through Google Search

Malwarebytes, an information security company, has discovered a large malicious campaign that skillfully abuses ads in Google search. The phishing campaign, which poses as Windows tech support, is spreading through Google Ads.

“What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar. The threat actors are abusing Google’s ad network by purchasing ad space for popular keywords and their associated typos. A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result),” Malwarebytes experts write.


When a user searches for “YouTube”, the first ad contains the correct youtube.com URL and shows additional ads below the link.


However, the link will take you to a Windows Defender tech support phishing page.

The scam sites are located at the URLs “http://matkir[.]ml” and “http://159.223.199[.]181/” and warn visitors that “Windows has been locked down due to questionable activity” and that “Windows Defender detected a Trojan spyware called Ads.financetrack(2).dll”.


If the user is using a VPN, the site will redirect them to the official YouTube website. When the specified number was called, the “support specialist” offered to download and install TeamViewer on the device. The scammer is likely using TeamViewer to take control of the victim’s computer in order to “fix” the bug.
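As an added example (not code from Malwarebytes or from the original article), the mismatch described above between the URL an ad displays and the host a click actually lands on can be checked over proxy or browser-history records. The function names and the sample click records are assumptions constructed for illustration; the two indicators are the ones the article lists.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators exactly as the article lists them (defanged).
ARTICLE_IOCS = ["http://matkir[.]ml", "http://159.223.199[.]181/"]

def refang(url):
    """Turn a defanged indicator back into a parseable URL."""
    return url.replace("[.]", ".")

def host_of(url):
    """Lower-cased host of a URL; accepts bare 'youtube.com' display URLs."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def same_site(shown, landed):
    """True when the landing host is the displayed host or a subdomain of it."""
    base = shown[4:] if shown.startswith("www.") else shown
    return landed == base or landed.endswith("." + base)

def check_ad_click(display_url, landing_url, iocs=ARTICLE_IOCS):
    """Return reasons to distrust a click (empty list = nothing found)."""
    shown, landed = host_of(display_url), host_of(landing_url)
    findings = []
    if landed in {host_of(refang(i)) for i in iocs}:
        findings.append("landing host matches a published indicator")
    if is_ip(landed):
        findings.append("landing host is a bare IP address")
    if not same_site(shown, landed):
        findings.append(f"ad displayed {shown} but landed on {landed}")
    if urlsplit(landing_url).scheme != "https":
        findings.append("landing page is not served over HTTPS")
    return findings

# Constructed sample records: (URL shown in the ad, final landing URL).
SAMPLE_CLICKS = [
    ("www.youtube.com", "https://www.youtube.com/"),
    ("youtube.com", refang(ARTICLE_IOCS[0])),
    ("youtube.com", refang(ARTICLE_IOCS[1])),
]

if __name__ == "__main__":
    for shown, landing in SAMPLE_CLICKS:
        print(shown, "->", host_of(landing), check_ad_click(shown, landing))
```

Because the site sends VPN users to the real YouTube, an empty result from a single vantage point does not clear the ad.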

In most cases, the scammer will block the device or claim that the computer is infected and that the victim needs to purchase a license for technical support. Currently, the malicious campaign is still ongoing in Google search. Google has not commented on this situation.

The most popular search terms used for the campaign are:

  1. YouTube;
  2. Amazon;
  3. Facebook;
  4. Walmart.

By Vladimir Krasnogolovy
