Criminals are exploiting users’ natural sense of curiosity with native advertisements to serve up tech support scam pages.
The malvertising campaign works by abusing Taboola ads on Microsoft’s MSN.com web portal. Taboola is one of the main providers of sponsored stories on news websites, typically appearing as “More stories from around the web” or “You may also like” promoted content.
But in this particular scam campaign clicking on a Taboola-sponsored article leads to a fake tech support page with the domain name 4vxadfcjdgbcmn[.]ga.
Jérôme Segura, a malware researcher at Malwarebytes, says the campaign uses repetition to scare unsuspecting users into compliance:
“The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.”
Tech support scammers are known for exploiting bugs, impersonating ISPs, and using scare tactics to trick people. This native advertising technique, however, ranks among the more complex tech scammer ploys.
To pull it off, the rogue advertiser has to basically build up a reputation for themselves. How do they do that? By creating a fake news site called Infinity Media that uses conditional redirects to return certain results based upon the profile of the user. In that way, they can use SEO-heavy stories as decoys to serve up whatever content they want.
That’s not even the end of it.
A WHOIS search of Infinity Media yields an email account, [email protected][.]com, that’s responsible for having registered something called micro-soft-system-alert2[.]online. This resource, in turn, resolves to 22.214.171.124, where lots of different phishing sites, tech support pages, and similarly bogus news portals are hosted.
Just in case it’s not already clear, Segura has the moral of the story for us:
“Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait.”
That goes especially for stories that are promoted. True, the content discovery network might be trustworthy. But you don’t know who’s creating the content and for what purpose.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
2 comments on “Taboola ads exploited to serve up tech support scams”
That's why I never click on those sites. They are big ads, basically. If I ever get those web pages I shut the computer down through my power strip, let it reboot and the problem generally goes away. Then I run my AV/malware programs and my computer is OK. I may not be OK, my computer is.
I will never understand why anyone would add taboola to their website. Don't they realize how damaging it is to their brand?! And are they really that desparate?!