Nasty new YouTube scam could land you in hot water


A nasty new malware campaign has been identified, abusing Google’s advertising system to lay the foundations for all manner of cyberattacks.

Earlier this week, cybersecurity researchers from Malwarebytes discovered that unknown threat actors had bought an ad that is displayed at the top of Google’s search engine results pages whenever someone searches for the keyword “YouTube”, or other relevant keywords.

The particularly nasty part is that it is impossible to distinguish the fake ad from a legitimate example. It features a genuine link ( and comes with all of the usual advertising elements. In other words, even the most careful among us could be forgiven for falling for the scam.

Questionable activity

The red flags appear only after the link has been clicked. Instead of redirecting the victim to YouTube, the link leads them to a fake Windows Defender site, with a pop-up saying the computer is infected with a trojan. The pop-up states that the victim should call Windows Defender tech support immediately, or face a “complete malfunction” of their endpoint.

BleepingComputer called the number provided on the screen, and was connected to an overseas call center where a “support technician” asked them to download and run remote desktop software TeamViewer. The publication did not pursue the scam further, as it’s safe to assume that the fraudsters would use access to the computer to install some type of ransomware or similar device-locking malware. 

In all likelihood, they would then proceed to demand payment for a “premium service” or something else, in exchange for giving the victim their device back.

While we were unable to independently verify whether the campaign is still active, Malwarebytes’ latest tweet would suggest it is.

The easiest way to avoid the scam, it was said, is to have a VPN service running. The fake site will scan the device for any VPNs, and if it finds one, will redirect the device to the legitimate YouTube site.

Via BleepingComputer

Sead Fadilpašić
