Malvertising Via Google AdWords Leads to Fake BSOD

Malvertising Via Google AdWords Leads to Fake BSOD

One of the major goals for any online business is to attract as many visitors as possible to their websites in order to generate more revenues.

This is typically where advertising comes into play, by helping companies to reach the right audience and converting those clicks and visits into actual sales.

Sadly, fraudulent businesses also use online advertising as a way to reel in potential victims. This is nothing new and we have seen many examples of targeted keywords on search engine results before.

Many times these rogue advertisers will abuse legitimate brands to trick people and provide services on behalf of these companies. Beyond copyright infringement laws, there is also the almost always present social engineering aspect that follows, to con people into spending hundreds of dollars for no good reason.

And then you have advertisers that aren’t shy about doing their dirty deed at all. Take for example this recent campaign we spotted on AdWords, Google’s largest online advertising service.

youtube_search

Here the crooks bid on the “youtube” keyword and got their ads displayed way at the top, before the organic search results. The choice of keyword is probably not random and given its popularity it would ensure a maximum number of people would see it:

keyword

What’s interesting in this case is that the supposed destination URL is the actual YouTube.com site itself, and even placing the mouse over the ad shows a link to a YouTube channel.

This really makes it look like a click on the link would take you directly to YouTube but unfortunately that was not the case.

flow2

Clicking on either one of the ads leads to a scary and convincing looking web page with the infamous “Blue Screen of Death”.The BSOD is a popular theme as of late and an effective way to display bogus but legitimate error codes that would trouble many internet users.

As with most similar scam pages, users are instructed to call a toll-free ‘helpline’ to resolve their computer issues. This is no help line at all however; con artists are waiting for victims to phone in so that they can further scare them into purchasing expensive – and unnecessary – support packages.

Innocent and unsavvy computer users will be defrauded from anywhere between $199 to $599. However, many online crooks don’t stop here, often committing identity theft and trying to empty out their victims’ bank accounts.

BSODandpopup

The actors behind this particular malvertising attack had registered (at least) two domains to perform the illicit redirection from the Google advert to the BSOD page:

  • hxxp://www.google.com/aclk?sa=L&ai={redacted}&adurl=http://www.humhama.in/hm.php
  • hxxp://www.google.com/aclk?sa=L&ai={redacted}&adurl=http://www.fahid.in/lp.php

Both of these domains are hosted on IP address 166.62.28.107 where the rest of the fraudulent sites also reside:

antivirus-security365.com mac-pc-update.us operating-system-alert.us
appleonlinesupport.us mac-protection-care.info protectsystem-alert.us
backup-my-pc.com mac-securities-alert.info quickhelpsupport.net
Computererror.net mac-securities-care.info techcaresolution.com
computer-infected.com mac-securities-error-alert.info techies24x7.net
computer-warning.net mac-securities-help.info technical-error.com
computer-windows.com mac-securities-solutions.info windows-computer.com
computer-windows-error.com mac-securities-warning.info windowsvirus.com
download-upgrade-faliure.com Malware-attack.com windowsystemerror.com
go4support24x7.com microsoft-error.com www.apple-id.d-app.org
ioserroralerts.com microsofttechsupport.net  
mac-online-help.info microsoftwww.info  

 

We reported this campaign to Google and the bogus ads were pulled right away. The best defense against tech support scams (in all their forms) is awareness. For more information on this topic, please check out our help page.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher