Sneaky Amazon Google ad leads to Microsoft support scam


A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser.

Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results.

The advertisement shows Amazon’s legitimate URL, just like in the company’s typical search result, as shown below.

Fake Amazon ad in Google search results
Fake Amazon ad in Google search results
Source: BleepingComputer

However, clicking on the Google ad will redirect the person to a tech support scam pretending to be an alert from Microsoft Defender stating that you are infected with the ads(exe).finacetrack(2).dll malware.

Tech support scam from fake Amazon ad
Tech support scam from fake Amazon ad
Source: BleepingComputer

These tech support scams will automatically go into full-screen mode, making it hard to get out of the page without terminating the Google Chrome process.

However, when Chrome is terminated in this way, on the relaunch, it will prompt users to restore the previously closed pages, reopening the tech support scam.

A demonstration of today’s fake Amazon Google ad leading to the tech support scam site can be seen below.

In June 2022, Malwarebytes discovered a legitimate-looking YouTube ad that also used the platform’s URL, leading to the same tech support scam.

It’s unclear why Google allows advertisers to impersonate other companies’ URLs to create these convincing advertisement scams.

Google ads abused to distribute malware

BleepingComputer reached out to both Google and Amazon regarding this malvertising but has not received a response at the time of this publication.

Google advertisements have been heavily abused over the past year by other threat actors to distribute malware, which sometimes leads to ransomware attacks.

The threat actors would create replicas of legitimate sites but swap the download links to distribute trojanized programs that install malware.

The Royal ransomware operation also creates Google advertisements promoting malicious sites that install Cobalt Strike beacons. These beacons are used to provide initial access to corporate networks to conduct ransomware attacks.



Source link