Sneaky Amazon Google ad leads to Microsoft support scam

Cyber Security Threat Summary:
A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results. The advertisement shows Amazon's legitimate URL, just like the company's typical search result. However, clicking on the Google ad redirects the visitor to a tech support scam pretending to be an alert from Microsoft Defender, stating that the user is infected with the ads(exe).finacetrack(2).dll malware. These tech support scams automatically switch into full-screen mode, making it hard to leave the page without terminating the Google Chrome process. However, when Chrome is terminated in this way, it will prompt users on relaunch to restore the previously closed pages, reopening the tech support scam (Bleeping Computer, 2023).

Security Officer Comments:
In the past couple of years, Google advertisements have been a popular tactic employed by threat actors to distribute their payloads. To lure users in, threat actors have commonly created fake sites pretending to offer legitimate software. Ransomware groups such as Royal are among the several groups that leverage these ads to infect unsuspecting users. In the past, this group has created advertisements promoting malicious sites hosting Cobalt Strike beacons, enabling the actors to gain initial access to corporate networks and conduct various extortion schemes.

Suggested Correction(s):
In general, users should avoid clicking on sponsored ads that appear at the top of Google search results, as threat actors can easily purchase these ads to promote malicious payloads. Because the latest campaign abuses full-screen mode, it is challenging to determine whether the pop-up being displayed is a legitimate Windows Defender notification. However, given that Microsoft will never ask you to call them, prompts like these should be considered a red flag and avoided at all costs.