Malwarebytes, an information security company, has discovered a large malicious campaign that skillfully abuses ads in Google search. The phishing campaign, which poses as Windows tech support, is spreading through Google Ads.
When a user searches for “YouTube”, the first ad displays the correct youtube.com URL and shows additional ads below the link.
However, the link will take you to a Windows Defender tech support phishing page.
The scam sites are located at the URLs “http://matkir[.]ml” and “http://159.223.199[.]181/” and warn visitors that “Windows has been locked down due to questionable activity” and that “Windows Defender detected a Trojan spyware called Ads.financetrack(2).dll”.
If the user is using a VPN, the site will redirect them to the official YouTube website. When the specified number was called, the “support specialist” offered to download and install TeamViewer on the device. The scammer is likely using TeamViewer to take control of the victim’s computer in order to “fix” the bug.
In most cases, the scammer will block the device or report that the computer is infected and that the victim needs to purchase a license for technical support. The malicious campaign is still ongoing in Google search. Google has not commented on this situation.
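The mismatch described above, between the youtube.com address shown in the ad and the host the click actually lands on, can be checked mechanically in proxy or browser telemetry. The following is an added example, not code from Malwarebytes or from the original article; the function names, flag labels and click-record format are assumptions, and the sample records are constructed around the two addresses the article names.

```python
import ipaddress
from urllib.parse import urlsplit

def refang(url: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a parseable URL."""
    return url.replace("[.]", ".")

def _host(url: str) -> str:
    if "://" not in url:
        url = "//" + url          # a bare "youtube.com" has no scheme
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def landing_flags(display_url: str, landing_url: str) -> list[str]:
    """Return the reasons a landing page does not match the URL shown in the ad."""
    shown = _host(display_url).removeprefix("www.")
    landing = refang(landing_url)
    host = _host(landing)
    if not host:
        return ["unparseable-landing-url"]
    flags = []
    if _is_ip(host):
        flags.append("ip-literal-host")      # branded ad landing on a raw IP
    if urlsplit(landing).scheme == "http":
        flags.append("plain-http")           # no TLS on the landing page
    # Accept the shown host or a true subdomain of it; "notyoutube.com" fails.
    if host != shown and not host.endswith("." + shown):
        flags.append("host-mismatch")
    return flags

# Constructed click records: (URL shown in the ad, URL the browser landed on).
# The two scam landings are the addresses named in the article, still defanged.
CLICKS = [
    ("youtube.com", "https://www.youtube.com/"),
    ("youtube.com", "http://matkir[.]ml"),
    ("youtube.com", "http://159.223.199[.]181/"),
]

if __name__ == "__main__":
    for shown, landed in CLICKS:
        print(shown, landed, landing_flags(shown, landed))
```

Because the scam site sends VPN users to the real YouTube, this check is only meaningful on the landing URLs recorded from users' own browsers; a verification click made through a VPN can come back clean.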
The most popular search terms used for the campaign are: