A scarily realistic-looking Google Search YouTube advertisement is redirecting visitors to tech support scams pretending to be security alerts from Windows Defender.
Today, cybersecurity firm Malwarebytes disclosed that they discovered a “major” malvertising campaign abusing Google ads.
When searching for “YouTube” related keywords, the first advertisement shown in search results is titled, ‘YouTube – Best of YouTube Videos’ or ‘YouTube.com – YouTube – Best of YouTube videos for You.’
Looking at the advertisement, there is nothing that looks suspicious, as it contains the correct youtube.com URL and also shows additional advertising elements underneath the ad, as shown below.
However, clicking on the advertisement would not bring you to YouTube but rather to a tech support scam pretending to be a security alert from Windows Defender.
From tests conducted by BleepingComputer, the tech support scams are located on the URLs http://matkir[.]ml and http://159.223.199[.]181/ and warn visitors that ‘Windows was blocked due to questionable activity’ and that Windows Defender detected a Trojan Spyware named ‘Ads.financetrack(2).dll.’
For those using VPNs, the good news is that the scam sites will check if you are running a VPN and, if so, redirect users to the legitimate YouTube site.
When we called the number listed on the scam site, we were connected to an overseas call center where the “support technician” prompted us to download and install TeamViewer on our devices.
While we did not allow the installation to continue, they would likely have used TeamViewer to take control of our computer to “fix” the error.
In most cases, the scammers would lock your computer somehow or tell you that your computer is infected and that you need to purchase a support license. Either way leads to an expensive support contract that provides no benefit to the victim.
The malvertising campaign is still running on Google Search at this time as demonstrated by a tweet from Malwarebytes.
We detected a major malvertising campaign abusing Google Ads.
Stay tuned for our full report on this campaign. pic.twitter.com/VzAdtgVR3q
— Malwarebytes Threat Intelligence (@MBThreatIntel) July 20, 2022
What makes this malvertising campaign so scary is that it shows that threat actors can create ads that impersonate companies to distribute malware, phishing pages, or other types of attacks.
BleepingComputer has reached out to Google with questions about the advertisement but has not heard back at this time.