Hackers hiding malicious links in top Google search results, researchers warn
Malicious adverts made to resemble links to websites are targeting some of the world’s most popular websites
Google users have been warned of a new malvertising campaign in which people searching for popular websites are instead redirected to scam sites by malicious adverts.
Searches for some of the most popular websites were found to produce adverts that had been crafted to appear as if they were legitimate links to the desired website, with some appearing as the first listing on a results page.
Websites mimicked by the threat actors include YouTube, Amazon, Facebook and Walmart, and in all cases appear to lead to a browser locker website where users are given scam warnings to call Microsoft support, or fake alerts from Windows Defender, according to researchers at Malwarebytes.
Malvertising, or the practice of hiding malware payloads behind online adverts, typically occurs on websites in more obvious ways, such as advertising that promises users free products or cash prizes.
In this case, however, researchers noted the sophistication of the campaign, with an example of a Facebook malvertising link containing no obvious discrepancies that might alert a user to its illegitimate nature.
However, because the malvertising uses Google Ads as its platform, it is still denoted as an advert with bold text in the top-left corner reading ‘Ad’. This allows discerning users to at least identify that it is not a direct link to the website they were searching for, although this still does not reveal its malicious nature.
Researchers also noted that the redirect mechanism used by the threat actors is complex enough to make it difficult to ascertain where the advert will send would-be victims through HTML analysis.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Upon clicking on the advert, the page the user is sent to will either redirect to the legitimate website as a ‘decoy’, or load a secondary script where the malicious URL is found.
This is then loaded within an inline frame, an HTML element that loads a page within another. This has the effect of replacing the page with the scam element, but the user is not actually redirected a second time.
In this way, the URL of the malicious browser locker page is hidden from the user, who only sees the interim of the .com ‘cloaking domain’ (in the case of Malwarebytes Labs, this was named ‘shopmealy’).
The fact that the adverts are listed on the search results before even some of the most popular websites in the world implies that the threat actors are willing to pay money in order to perpetrate the scam, which would be necessary in order to target keywords of such popularity.
RELATED RESOURCE
The Total Economic Impact™ of IBM Security MaaS360 with Watson
Cost savings and business benefits enabled by MaaS360
Moreover, researchers found that the threat actors had separated the flows of the cloak and browser locker to prevent being taken down by authorities holistically, and used a mixture of expensive and free domains. The infrastructure of the malvertising also appears to have been hosted on both paid virtual private servers and free cloud providers (PaaS).
“Google's proprietary technology and malware detection tools are used to regularly scan all creatives,” reads the Google support page on malware in advertising.
“Fourth-party calls or sub-syndication to any uncertified advertisers or vendors are forbidden. Any ad distributing malware is pulled to protect users from harm. Any Authorized buyer whose creative is found to contain malware is subject to a minimum three-month suspension.”
Malwarebytes Labs have stated that all necessary reports have been filed to notify Google of the adverts, and researchers reported every such advert under the label ‘An ad/listing violates other Google Ads policies’.
IT Pro has contacted Google for comment.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
-
Jitterbit eyes global growth under new CRO Chris StoddardNews The former New Relic executive will lead the vendor’s worldwide go-to-market strategy and revenue growth plans
-
This one cyber crime group accounted for nearly a fifth of all ransomware attacks in JuneNews The Gentlemen, a ransomware a service operator, now accounts for 17% of published attacks
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
Microsoft and NCSC issue alerts over hacker campaigns targeting WhatsApp, Signal messaging appsNews Microsoft warns about a sophisticated attack that starts with WhatsApp messages, while the NCSC says such incidents are on the rise
-
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secretsNews The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
Thousands of Microsoft Teams users are being targeted in a new phishing campaignNews Microsoft Teams users should be on the alert, according to researchers at Check Point