Malvertising Via Google AdWords Leads to Fake BSOD

Malvertising Via Google AdWords Leads to Fake BSOD

One of the major goals for any online business is to attract as many visitors as possible to their websites in order to generate more revenues.

This is typically where advertising comes into play, by helping companies to reach the right audience and converting those clicks and visits into actual sales.

Sadly, fraudulent businesses also use online advertising as a way to reel in potential victims. This is nothing new and we have seen many examples of targeted keywords on search engine results before.

Many times these rogue advertisers will abuse legitimate brands to trick people and provide services on behalf of these companies. Beyond copyright infringement laws, there is also the almost always present social engineering aspect that follows, to con people into spending hundreds of dollars for no good reason.

And then you have advertisers that aren’t shy about doing their dirty deed at all. Take for example this recent campaign we spotted on AdWords, Google’s largest online advertising service.


Here the crooks bid on the “youtube” keyword and got their ads displayed way at the top, before the organic search results. The choice of keyword is probably not random and given its popularity it would ensure a maximum number of people would see it:


What’s interesting in this case is that the supposed destination URL is the actual site itself, and even placing the mouse over the ad shows a link to a YouTube channel.

This really makes it look like a click on the link would take you directly to YouTube but unfortunately that was not the case.


Clicking on either one of the ads leads to a scary and convincing looking web page with the infamous “Blue Screen of Death”.The BSOD is a popular theme as of late and an effective way to display bogus but legitimate error codes that would trouble many internet users.

As with most similar scam pages, users are instructed to call a toll-free ‘helpline’ to resolve their computer issues. This is no help line at all however; con artists are waiting for victims to phone in so that they can further scare them into purchasing expensive – and unnecessary – support packages.

Innocent and unsavvy computer users will be defrauded from anywhere between $199 to $599. However, many online crooks don’t stop here, often committing identity theft and trying to empty out their victims’ bank accounts.


The actors behind this particular malvertising attack had registered (at least) two domains to perform the illicit redirection from the Google advert to the BSOD page:

  • hxxp://{redacted}&adurl=
  • hxxp://{redacted}&adurl=

Both of these domains are hosted on IP address where the rest of the fraudulent sites also reside:  


We reported this campaign to Google and the bogus ads were pulled right away. The best defense against tech support scams (in all their forms) is awareness. For more information on this topic, please check out our help page.


Jérôme Segura

Principal Threat Researcher