
Windows Support Scam Targets Users in a Google Ads Malvertising Campaign

Cybersecurity firm Malwarebytes discovered a malvertising campaign exploiting Google Ads to redirect users to Windows support scam sites.

The attackers display fake Windows Defender alerts that urge visitors to contact Microsoft support agents after they search for certain popular keywords.

Malwarebytes described the campaign as spectacular because it exploits a typical browsing behavior: searching for a website by name instead of typing the URL in the browser’s address bar.

For example, when someone intends to watch YouTube videos, they search “youtube” instead of typing “” in the browser’s address bar.

The threat actors capitalize on this behavior and display realistic ads matching users’ expectations but redirecting them to malicious websites.

Malwarebytes: Example of malvertising scam
Source: Malwarebytes

Google Ads malvertising campaign uses cloaking techniques for tech support fraud

The threat actors redirect users to different content depending on their UserAgent and IP information.

They check the validity of the browser string and IP address to determine the legitimacy of the target and evade web crawlers, bots, and VPN users.

This strategy allows the scammers to submit legitimate content for review but load different content to actual users. Google considers this behavior a violation of “Google Webmaster Guidelines.”

If the scammers determine that a visitor is a real person, they redirect them to pages with tech support scams. Otherwise, they redirect them to the legitimate content. They redirect their targets several times before landing them on the fake support page.

The first redirect is to a cloaking domain that determines whether to redirect the visitor to the malicious Windows support scam pages or the legitimate content.

Once a visitor is confirmed as a target, the second redirect is to a browser locker that loads malicious content in an iframe from a disposable CloudFront URL. Malwarebytes warned that removing individual URLs would not disrupt the malvertising campaign.

The iframe occupies 100% width and height of the page and displays a security alert from Windows Defender. The iframe also hides the suspicious URLs, so the user only sees the more common ‘.com’ domains.
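The layout described above (a full-viewport iframe loaded from a different, disposable host) can be checked for in captured page source. The following is an added example, not code from Malwarebytes or the original article; the sample hosts are constructed placeholders, and treating any `*.cloudfront.net` host as disposable is an assumption made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: CloudFront distributions are served from *.cloudfront.net.
DISPOSABLE_SUFFIXES = (".cloudfront.net",)
FULL = re.compile(r"^\s*100\s*(%|vw|vh)\s*$")


def _style_map(style):
    """Parse an inline style attribute into a {property: value} dict."""
    pairs = (decl.split(":", 1) for decl in style.split(";") if ":" in decl)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


class IframeAudit(HTMLParser):
    """Collect iframes that fill the viewport and load from another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname or ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = _style_map(a.get("style", ""))
        # Inline style takes precedence over width/height attributes.
        width = style.get("width", a.get("width", ""))
        height = style.get("height", a.get("height", ""))
        host = urlparse(a.get("src", "")).hostname or ""
        full = bool(FULL.match(width) and FULL.match(height))
        cross = bool(host) and host != self.page_host
        if full and cross:
            self.findings.append({"src_host": host,
                                  "disposable_cdn": host.endswith(DISPOSABLE_SUFFIXES)})


def audit(page_url, html):
    """Return one finding per full-viewport, cross-host iframe in html."""
    parser = IframeAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed samples; hosts are placeholders, not indicators from the report.
LOCKER = ('<body style="margin:0"><iframe src="https://d0example0000.cloudfront.net/a/"'
          ' style="width:100%; height:100%; border:0"></iframe></body>')
BENIGN = '<body><iframe src="https://player.example.org/v/1" width="560" height="315"></iframe></body>'
```

A finding with `disposable_cdn` set is a triage signal rather than a verdict, since legitimate sites also embed CDN-hosted frames.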

Besides the redirection and cloaking mechanism, the malvertising campaign bears the hallmarks of a typical Windows support scam.

Users are connected to an overseas tech support center after calling the support numbers listed on the malicious website.

The threat actors behind the malvertising campaign ask their targets to download remote administration tools such as TeamViewer.

Windows support scam has affected many internet users

Malwarebytes believes that the Windows support scam malvertising campaign has affected many internet users.

The cybersecurity firm based its assessment on the use of popular keywords and typos. The Windows support scam malvertising campaign targets popular websites such as Amazon, Facebook, Walmart, and YouTube, searched by millions of people daily.

Given an average of 5.6 billion Google searches per day, the Google Ads Windows support scam malvertising campaign has likely maxed out.

Additionally, the researchers can replay the malvertising chains multiple times, which is usually impossible with such campaigns.

Similarly, the Google Ads displayed in the malvertising campaign are too realistic to raise any suspicion. They also display the correct URL and typical elements users expect from the website they intend to visit.

The strategic placement of Google Ads makes users more likely to click them than scroll down for the direct link. Some of the Google Ads appear before those of the legitimate websites.

According to Malwarebytes, most users click on the first search result, whether paid promotion or organic.

Malwarebytes reported the implicated Google Ads for violating the advertiser’s policies. Additionally, the company listed indicators of compromise associated with the Windows support scam malvertising campaign.