Malware Scam Hides Behind Fake Trading Platform Ads on YouTube, Google 

In 2025, Bitdefender exposed fake trading platform scams spread via Google, YouTube, and Meta ads, highlighting the urgent need for social engineering prevention.

On Thursday, Bitdefender researchers exposed a sophisticated scam that exploits the Google, YouTube, and Meta advertising systems to distribute malware by impersonating legitimate trading platforms. The attackers hack verified business accounts to bypass security checks and target consumers and creators, which calls attention to the lack of social engineering prevention.

The researchers revealed that the campaign uses unlisted YouTube videos – gathering over 182,000 views – to deliver credential-stealing malware through social engineering. The malware intercepts traffic, harvests passwords, and maintains persistence on infected devices.

“The scam now affects YouTube and Google Ads, using a variety of strategies to bypass both automated and manual checks, and to broaden its pool of potential victims,” Bitdefender researcher Alin Moloce said, explaining how the social engineering campaign had moved well beyond Facebook ads.

The social engineering operation lures victims with ads promising “free access” to premium financial tools like TradingView. Instead of being linked to legitimate platforms, users are redirected to malware-infected downloads.

Researchers found that the scammers had taken control of a Google advertiser account belonging to a Norwegian design company and had taken over an authenticated YouTube channel in order to impersonate TradingView realistically.

Indicators of the deception were the channel's subtly altered handles, absent initial content, and suspiciously low view counts. But one ad video still managed to get over 182,000 views within days. The videos were unlisted, hidden from public searches but accessible via direct ad links, so platforms had trouble finding them.

https://www.youtube.com/watch?v=Fi4kzL5LOO8  

Malware Characteristics and Business Risks 

The malware employs advanced evasion techniques, including large file sizes, anti-sandbox measures, and multiple encryption layers, all while deploying behavioral tracking pixels to profile its victims. Bitdefender found that the downloader file exceeded 700 MB.

Upon installation, it could steal cookies, passwords, and cryptocurrency wallet data, track keystrokes, capture network traffic, and even take screenshots, showing that no social engineering prevention was in place.

Threat actors installed tracking scripts like Facebook Pixel and Google Ads Conversion Tracking in the malware, tailoring campaigns while keeping the risk of detection low. The malware also had macOS and Android versions, expanding the pool of potential victims.

Business accounts were especially at risk.  

When accounts were hijacked, attackers wiped their content and rebranded the channels to resemble trusted financial services. “This can rapidly cascade to compromise a connected YouTube channel,” researchers noted, enabling scammers to use reputable infrastructure for fraudulent promotions.

Global Scale and Social Engineering Prevention

With over 500 associated domains and expanding variants for macOS and Android, the campaign exposed the reach of ad-based attacks and the fundamental need for multi-factor authentication (MFA) and heightened user vigilance against “free premium” offers.

Thousands of fake Facebook accounts were also affiliated with the infrastructure, pointing toward an orchestrated, global effort. 

Users are advised to be cautious of advertisements for free premium trading software, not to download from other sources, and to check information such as channel handles and subscriber counts. Content creators are advised to activate multi-factor authentication, audit account privileges, and monitor for abrupt changes in branding.

The report concludes that the campaign shows how impersonation and ad-based distribution are becoming more advanced.

“Scam awareness remains important,” Bitdefender emphasized, warning that such operations will continue to adapt as platforms tighten security controls. 

