What's worth noticing is the cloud infrastructure that is being leveraged here, making it very difficult to block. This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers. The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest that are instead shown a harmless page related to the advert. The first request to one of those malicious domains retrieves a Base64 encoded JavaScript whose goal is to check the current visitor and determine if they are the potential target.Īn original version of this script can be found here, while a beautified version can be found here. The server will respond with the next URL to load, with the folling format: ('https:\/\/\/\/?utm_source=taboola&utm_medium=referral When a user clicks on one of the malicious ads, a request to the Taboola ad network is made via an API () to honor the click on the ad banner.
The redirection flow can be summarized in the diagram below: We have identified several ads that are malicious and redirect unsupecting users to tech support scams. The Microsoft Edge News Feed is a collection of thumbnails alternating between news content, traffic updates and advertisements. In this blog post, we raise awareness and expose this scam operation that has been going on for at least two months. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories. We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters. While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users.
0 kommentar(er)
