Taboola ads exploited to serve up tech support scams

As always, users need to be careful about what they click.

David Bisson

Criminals are exploiting users’ natural sense of curiosity with native advertisements to serve up tech support scam pages.

The malvertising campaign works by abusing Taboola ads on Microsoft’s MSN.com web portal. Taboola is one of the main providers of sponsored stories on news websites, typically appearing as “More stories from around the web” or “You may also like” promoted content.

But in this particular scam campaign, clicking on a Taboola-sponsored article leads to a fake tech support page with the domain name 4vxadfcjdgbcmn[.]ga.

Figure 1: Automatic redirection from click on promoted story to scam page

Jérôme Segura, a malware researcher at Malwarebytes, says the campaign uses repetition to scare unsuspecting users into compliance:

“The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.”

Tech support scammers are known for exploiting bugs, impersonating ISPs, and using scare tactics to trick people. This native advertising technique, however, ranks among the more complex tech scammer ploys.

To pull it off, the rogue advertiser has to basically build up a reputation for themselves. How do they do that? By creating a fake news site called Infinity Media that uses conditional redirects to return certain results based upon the profile of the user. In that way, they can use SEO-heavy stories as decoys to serve up whatever content they want.

Figure 3: Stories designed for click-bait. (Source: Malwarebytes)

That’s not even the end of it.

A WHOIS search of Infinity Media yields an email account, bhanutomar90nk@gmail[.]com, that’s responsible for having registered something called micro-soft-system-alert2[.]online. This resource, in turn, resolves to 108.167.146.132, where lots of different phishing sites, tech support pages, and similarly bogus news portals are hosted.

Figure 7: Connecting the fake news sites to the tech support domain. (Source: Malwarebytes)
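The pivot described above (WHOIS registrant to a second domain, then to a shared hosting IP) can be sketched as a graph walk. This is an added example, not code from Malwarebytes or the article; the `pivot` function, the `*.example` domains, the noisy-value list and the record layout are assumptions, and only the email address, the .online domain and the IP come from the article.

```python
from collections import deque

# Constructed sample records. Only the e-mail address, the .online domain and
# the IP address come from the article; every *.example name is a placeholder.
RECORDS = [
    {"domain": "fake-news-site.example",            # stands in for the Infinity Media site
     "registrant": "bhanutomar90nk@gmail[.]com", "ip": None},
    {"domain": "micro-soft-system-alert2[.]online",
     "registrant": "bhanutomar90nk@gmail[.]com", "ip": "108.167.146.132"},
    {"domain": "bogus-portal.example",
     "registrant": "privacy-proxy@registrar.example", "ip": "108.167.146.132"},
    {"domain": "unrelated-shop.example",
     "registrant": "owner@unrelated-shop.example", "ip": "192.0.2.10"},
]

# Values shared by thousands of unrelated domains must not be used as pivots.
NOISY_VALUES = {"privacy-proxy@registrar.example"}


def pivot(seed, records, fields=("registrant", "ip"), noisy=NOISY_VALUES):
    """Breadth-first walk from `seed`; returns {domain: [(field, value), ...]}
    where the list is the chain of shared attributes linking it to the seed."""
    by_domain = {r["domain"]: r for r in records}
    index = {}                       # (field, value) -> domains carrying it
    for r in records:
        for f in fields:
            if r[f] and r[f] not in noisy:
                index.setdefault((f, r[f]), []).append(r["domain"])
    found, queue = {seed: []}, deque([seed])
    while queue:
        current = queue.popleft()
        for f in fields:
            key = (f, by_domain[current][f])
            for neighbour in index.get(key, []):
                if neighbour not in found:
                    found[neighbour] = found[current] + [key]
                    queue.append(neighbour)
    return found


if __name__ == "__main__":
    for domain, chain in pivot("fake-news-site.example", RECORDS).items():
        print(domain, "<-", " -> ".join(f"{f}={v}" for f, v in chain) or "seed")
```

A shared IP on commodity hosting is weaker evidence than a shared registrant, so links that rest only on an `ip` hop deserve a manual check before blocking.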

Just in case it’s not already clear, Segura has the moral of the story for us:

“Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait.”

That goes especially for stories that are promoted. True, the content discovery network might be trustworthy. But you don’t know who’s creating the content and for what purpose.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Taboola ads exploited to serve up tech support scams”

  1. Michael Ponzani

    That's why I never click on those sites. They are big ads, basically. If I ever get those web pages I shut the computer down through my power strip, let it reboot and the problem generally goes away. Then I run my AV/malware programs and my computer is OK. I may not be OK, my computer is.

  2. David Lewis

    I will never understand why anyone would add Taboola to their website. Don't they realize how damaging it is to their brand?! And are they really that desperate?!
