Criminals are exploiting users’ natural sense of curiosity with native advertisements to serve up tech support scam pages.
The malvertising campaign works by abusing Taboola ads on Microsoft’s MSN.com web portal. Taboola is one of the main providers of sponsored stories on news websites, typically appearing as “More stories from around the web” or “You may also like” promoted content.
But in this particular scam campaign clicking on a Taboola-sponsored article leads to a fake tech support page with the domain name 4vxadfcjdgbcmn[.]ga.
Jérôme Segura, a malware researcher at Malwarebytes, says the campaign uses repetition to scare unsuspecting users into compliance:
“The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.”
Tech support scammers are known for exploiting bugs, impersonating ISPs, and using scare tactics to trick people. This native advertising technique, however, ranks among the more complex tech scammer ploys.
To pull it off, the rogue advertiser has to basically build up a reputation for themselves. How do they do that? By creating a fake news site called Infinity Media that uses conditional redirects to return certain results based upon the profile of the user. In that way, they can use SEO-heavy stories as decoys to serve up whatever content they want.
That’s not even the end of it.
A WHOIS search of Infinity Media yields an email account, [email protected][.]com, that’s responsible for having registered something called micro-soft-system-alert2[.]online. This resource, in turn, resolves to 220.127.116.11, where lots of different phishing sites, tech support pages, and similarly bogus news portals are hosted.
Just in case it’s not already clear, Segura has the moral of the story for us:
“Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait.”
That goes especially for stories that are promoted. True, the content discovery network might be trustworthy. But you don’t know who’s creating the content and for what purpose.