{"id":9560,"date":"2022-07-22T10:08:22","date_gmt":"2022-07-22T10:08:22","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=9560"},"modified":"2022-07-22T10:08:22","modified_gmt":"2022-07-22T10:08:22","slug":"malicious-campaign-through-google-search","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/malicious-campaign-through-google-search\/","title":{"rendered":"Fraudsters Are Running a Malicious Advertising Campaign through Google Search"},"content":{"rendered":"<h4>Malwarebytes, an information security company, has discovered a large malicious campaign that skillfully uses ads and Google search. A phishing campaign using Windows tech support is spreading through Google Ads.<\/h4>\n<div class=\"su-quote su-quote-style-default su-quote-has-cite\"><div class=\"su-quote-inner su-u-clearfix su-u-trim\">What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar. The threat actors are abusing <b>Google\u2019s<\/b> ad network by purchasing ad space for popular keywords and their associated typos. A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. 
Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result).<span class=\"su-quote-cite\"><a href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/07\/google-ads-lead-to-major-malvertising-campaign\/\" target=\"_blank\" rel=\"nofollow noopener\"><b>Malwarebytes<\/b> experts write.<\/a><\/span><\/div><\/div>\n<p>Let me remind you that we wrote that <a href=\"\/blogs\/companies-in-the-eu-will-have-to-remove-google-analytics\/\">Companies in the EU will have to remove Google Analytics from their websites<\/a>, and also that <a href=\"\/blogs\/google-global-cache-in-russia\/\">Google Has Disabled Some of the Global Cache Servers in Russia<\/a>.<\/p>\n<p>When a user searches for &#8220;<b>YouTube<\/b>&#8221;, the first ad contains the correct youtube.com URL and shows additional ads below the link.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/07\/Google-Search.jpg\" alt=\"Malicious Campaign through Google Search\" title=\"\"><\/p>\n<p>However, the link will take you to a Windows Defender tech support phishing page.<\/p>\n<p>The scam sites are located at the URLs &#8220;<i>http:\/\/matkir[.]ml<\/i>&#8221; and &#8220;<i>http:\/\/159.223.199[.]181\/<\/i>&#8221; and warn visitors that &#8220;<i>Windows has been locked down due to questionable activity<\/i>&#8221; as well as that &#8220;<i>Windows Defender detected a Trojan spyware called Ads.financetrack(2).dll<\/i>&#8221;.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/07\/Windows-Defender.jpg\" alt=\"Malicious Campaign through Google Search\" title=\"\"><\/p>\n<p>If the user is using a VPN, the site will redirect them to the official YouTube website. 
When the specified number was called, the &#8220;support specialist&#8221; offered to download and install <b><a target=\"_blank\" href=\"https:\/\/www.securitylab.ru\/news\/tags\/TeamViewer\/\" rel=\"noopener nofollow\">TeamViewer<\/a><\/b> on the device. The scammer is likely using TeamViewer to take control of the victim&#8217;s computer in order to &#8220;fix&#8221; the bug.<\/p>\n<p>In most cases, the scammer will block the device or report that the computer is infected and that you need to purchase a license for technical support. Currently, the malicious campaign is still ongoing in Google search. Google has not commented on this situation.<\/p>\n<p>The most popular search terms used for the campaign are:<\/p>\n<ol>\n<li>YouTube;<\/li>\n<li>Amazon;<\/li>\n<li>Facebook;<\/li>\n<li>Walmart.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Malwarebytes, an information security company, has discovered a large malicious campaign that skillfully uses ads and Google search. A phishing campaign using Windows tech support is spreading through Google Ads. 
Let me remind you that we wrote that Companies in the EU will have to remove Google Analytics from their websites, and also that Google [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":9568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[32,58,231,218],"class_list":{"0":"post-9560","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-adware","9":"tag-google","10":"tag-malwarebytes","11":"tag-youtube"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/07\/Malicious-Campaign-through-Google-Search.png","author_info":{"display_name":"Vladimir Krasnogolovy","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/krasnogolovy\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=9560"}],"version-history":[{"count":5,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9560\/revisions"}],"predecessor-version":[{"id":9567,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/9560\/revisions\/9567"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/9568"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=9560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2
\/categories?post=9560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=9560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}