Hackers hiding malicious links in top Google search results, researchers warn
Malicious adverts made to resemble links to websites are targeting some of the world’s most popular websites


Google users have been warned of a new malvertising campaign in which people searching for popular websites are instead redirected to scam sites by malicious adverts.
Searches for some of the most popular websites were found to produce adverts that had been crafted to appear as if they were legitimate links to the desired website, with some appearing as the first listing on a results page.
Websites mimicked by the threat actors include YouTube, Amazon, Facebook and Walmart, and in all cases appear to lead to a browser locker website where users are given scam warnings to call Microsoft support, or fake alerts from Windows Defender, according to researchers at Malwarebytes.
Malvertising, or the practice of hiding malware payloads behind online adverts, typically occurs on websites in more obvious ways, such as advertising that promises users free products or cash prizes.
In this case, however, researchers noted the sophistication of the campaign, with an example of a Facebook malvertising link containing no obvious discrepancies that might alert a user to its illegitimate nature.
However, because the malvertising uses Google Ads as its platform, it is still denoted as an advert with bold text in the top-left corner reading ‘Ad’. This allows discerning users to at least identify that it is not a direct link to the website they were searching for, although this still does not reveal its malicious nature.
Researchers also noted that the redirect mechanism used by the threat actors is complex enough to make it difficult to ascertain, through HTML analysis, where the advert will send would-be victims.
Upon clicking on the advert, the page the user is sent to will either redirect to the legitimate website as a ‘decoy’, or load a secondary script where the malicious URL is found.
This is then loaded within an inline frame, an HTML element that loads a page within another. This has the effect of replacing the page with the scam element, but the user is not actually redirected a second time.
In this way, the URL of the malicious browser locker page is hidden from the user, who sees only the intermediate .com ‘cloaking domain’ in the address bar (in the case observed by Malwarebytes Labs, this was named ‘shopmealy’).
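As an added illustration (not code from Malwarebytes or ITPro), a defender reviewing an ad landing page could check for the pattern described above: a frame that fills the viewport but loads from a different site than the address bar shows. The sketch assumes the input is a DOM snapshot serialised after scripts have run, since the frame is injected by script; the function names and `.example` domains are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Inline-style declarations that stretch an element across the whole viewport.
FULL_DIM = re.compile(r"(width|height)\s*:\s*100(?:%|v[wh])", re.I)

def site(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Use a public-suffix list for real traffic (e.g. co.uk domains).
    return ".".join(host.lower().split(".")[-2:])

class FrameCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))

def covers_viewport(attrs):
    styled = {m.lower() for m in FULL_DIM.findall(attrs.get("style") or "")}
    return styled == {"width", "height"} or (
        attrs.get("width") == "100%" and attrs.get("height") == "100%")

def cloaked_frames(page_url, rendered_dom):
    """Return iframe URLs that fill the page but come from another site
    than the one shown in the address bar."""
    collector = FrameCollector()
    collector.feed(rendered_dom)
    top_site = site(urlsplit(page_url).hostname or "")
    hits = []
    for attrs in collector.frames:
        src = urljoin(page_url, attrs.get("src") or "")
        host = urlsplit(src).hostname
        if host and site(host) != top_site and covers_viewport(attrs):
            hits.append(src)
    return hits

# Constructed samples (placeholder .example domains, not real indicators).
CLOAK_URL = "https://cloak-domain.example/"
CLOAK_DOM = ('<html><body><iframe src="https://locker-host.example/alert" '
             'style="position:fixed;top:0;left:0;width:100%;height:100%;border:0">'
             '</iframe></body></html>')
BENIGN_URL = "https://blog.example/post"
BENIGN_DOM = ('<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>'
              '<iframe src="https://cdn.blog.example/app" style="width:100%;height:100%"></iframe>')

if __name__ == "__main__":
    print(cloaked_frames(CLOAK_URL, CLOAK_DOM))
    print(cloaked_frames(BENIGN_URL, BENIGN_DOM))
```

A small cross-site video embed and a same-site full-page frame are both left alone; only the combination of full-viewport size and a foreign origin is reported.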
The fact that the adverts are listed on the search results before even some of the most popular websites in the world implies that the threat actors are willing to pay money in order to perpetrate the scam, which would be necessary in order to target keywords of such popularity.
Moreover, researchers found that the threat actors had kept the cloaking and browser locker flows separate, so that authorities could not take the whole operation down at once, and used a mixture of expensive and free domains. The infrastructure of the malvertising also appears to have been hosted on both paid virtual private servers and free cloud providers (PaaS).
“Google's proprietary technology and malware detection tools are used to regularly scan all creatives,” reads the Google support page on malware in advertising.
“Fourth-party calls or sub-syndication to any uncertified advertisers or vendors are forbidden. Any ad distributing malware is pulled to protect users from harm. Any Authorized buyer whose creative is found to contain malware is subject to a minimum three-month suspension.”
Malwarebytes Labs have stated that all necessary reports have been filed to notify Google of the adverts, and researchers reported every such advert under the label ‘An ad/listing violates other Google Ads policies’.
IT Pro has contacted Google for comment.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.