A Google Search YouTube advertisement that looks legitimate has been redirecting visitors to tech support scams. These scams are sending fake security alerts that pretend to be from Windows Defender.

An ongoing malvertising campaign

Researchers from Malwarebytes have disclosed a major ongoing malvertising campaign taking advantage of Google Ads.
  • While searching for YouTube-related keywords on Google, the first ad displayed in search results is named ‘YouTube.com - YouTube - Best of YouTube videos for You’ or ‘YouTube - Best of YouTube Videos’.
  • There is nothing suspicious in the ads, as it uses the correct youtube[.]com URL. Further, it displays additional advertising elements under the ad, making it more convincing.
  • However, this is a fake YouTube link, that leads the user to the tech support scam.

How does the scam work?

If a user clicks on the advertisement, the scam site will check if the user is using a VPN connection.
  • In case a user is using a VPN connection, it is sent to the genuine YouTube site.
  • However, if there is no VPN connection detected, the user is redirected to a tech support scam page.
  • The scam page cautions visitors that Windows was blocked due to suspicious activity and Windows Defender has spotted spyware named 'Ads[.]financetrack(2)[.]dll.'
  • In addition to the warning, the pages provide a number to contact the technical support team.

A tech support call

If a user calls the number listed on the scam site, they are connected to an overseas call center.
  • The technician on the call urges the user to download and install TeamViewer on their systems.
  • At this stage, in most cases, the scammers would lock the computer or tell users that their computer is infected and that they are required to purchase a support license.
  • Either way, the scam leads to an unwanted yet expensive support contract for the victim.


The ongoing malvertising campaign shows how easily attackers can create genuine-looking ads for popular services such as YouTube. Further, the attackers can often use these ads to spread malware or other types of attacks. Thus, it is always suggested to use a reliable anti-malware solution that blocks such malicious sites.
Cyware Publisher