Malvertising on Microsoft Edge's News Feed pushes tech support scams

    Posted: 15 Sep 2022
    While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.

    We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories.

    In this blog post, we raise awareness and expose this scam operation that has been going on for at least two months.

    Overview

    The Microsoft Edge News Feed is a collection of thumbnails alternating between news content, traffic updates and advertisements. We have identified several ads that are malicious and redirect unsuspecting users to tech support scams.
    The redirection flow can be summarized in the diagram below:



    Technical details

    When a user clicks on one of the malicious ads, a request to the Taboola ad network is made via an API (api.taboola.com) to honor the click on the ad banner. The server will respond with the next URL to load, with the following format:

    document.location.replace('https:\/\/[scammer domain]\/{..}\/?utm_source=taboola&utm_medium=referral

    The first request to one of those malicious domains retrieves a Base64 encoded JavaScript whose goal is to check the current visitor and determine if they are the potential target.



    An original version of this script can be found here, while a beautified version can be found here.

    The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest, which are instead shown a harmless page related to the advert.

    This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers. What's worth noticing is the cloud infrastructure that is being leveraged here, making it very difficult to block.



    These are subdomains on ondigitalocean.app which are constantly changing; in the span of 24 hours, we collected over 200 different hostnames.

    Infrastructure

    The advertisements displayed on the Edge News Feed are linked with the following domains (this list is not exhaustive):

    • feedsonbudget[.]com
    • financialtrending[.]com
    • foddylearn[.]com
    • glamorousfeeds[.]com
    • globalnews[.]cloud
    • hardwarecloseout[.]com
    • humaantouch[.]com
    • mainlytrendy[.]com
    • manbrandsonline[.]com
    • polussuo[.]com
    • newsagent[.]quest
    • newsforward[.]quest
    • puppyandcats[.]online
    • thespeedoflite[.]com
    • tissatweb[.]us
    • trendingonfeed[.]com
    • viralonspot[.]com
    • weeklylive[.]info
    • everyavenuetravel[.]site

    One of the domains, tissatweb[.]us, which was also publicly reported for hosting a browser locker, has interesting whois data:

    Registrant Email: sumitkalra1683@gmail[.]com

    That email address is associated with the following additional domains:

    • tissat[.]us
    • mvpconsultant[.]us
    • aksconsulting[.]us
    • furnitureshopone[.]us
    • minielectronic[.]in
    • antivirusphonenumber[.]org
    • quickbooktechnicalsupport[.]org
    • printertechnicahelp[.]com
    • comsecurityessentials[.]support
    • decfurnish[.]com
    • netsecurity-essential[.]com
    • mamsolutions[.]us
    • mamsolution[.]us
    • a-techsolutions[.]us

    The email address belongs to an individual named Sumit Kalra who is listed as a director for Mws Software Services Private Limited, a company located in Delhi whose principal business activity is "Computer and related activities".

    Protection

    This particular campaign is currently one of the biggest we are seeing in terms of telemetry noise.



    The fingerprinting to avoid detection is interesting and more sophisticated than usual. We will continue to expose and report abusive infrastructure used for scams.

    Malwarebytes users were already protected against this tech support scam thanks to our Browser Guard extension.


    Source: Malvertising on Microsoft Edge's News Feed pushes tech support scams
    Posted By: Brink
    15 Sep 2022
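    The article describes a click on a News Feed ad returning a `document.location.replace(...)` statement that sends the browser to a scammer domain carrying `utm_source=taboola&utm_medium=referral`, with the final browser-locker pages hosted on constantly rotating ondigitalocean.app subdomains. The following Python is an added example (not Malwarebytes' code or anything from the original post) of how a defender could triage such click responses from a proxy or sandbox capture: it extracts the redirect target from the quoted response format and flags it by the traits the article reports. The response bodies, click ids and the `triage` function are constructed for this example; the watchlist domains are a subset of the article's own list.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Defanged domains from the article's infrastructure list (a subset), used here as a watchlist.
ARTICLE_IOCS_DEFANGED = [
    "feedsonbudget[.]com",
    "financialtrending[.]com",
    "foddylearn[.]com",
    "glamorousfeeds[.]com",
    "globalnews[.]cloud",
    "tissatweb[.]us",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in ARTICLE_IOCS_DEFANGED}

# The article quotes the ad network's click response as a JavaScript statement of the form
#   document.location.replace('https:\/\/[scammer domain]\/...\/?utm_source=taboola&utm_medium=referral
# This pattern captures the quoted URL from such a body; the escaped slashes are unescaped below.
REDIRECT_RE = re.compile(r"document\.location\.replace\(\s*['\"]([^'\"]+)['\"]")


def extract_redirect(body: str) -> Optional[str]:
    """Return the redirect target embedded in a click-response body, or None if there is none."""
    match = REDIRECT_RE.search(body)
    if match is None:
        return None
    return match.group(1).replace("\\/", "/")


def classify_redirect(url: str) -> List[str]:
    """Return the reasons a redirect target matches the campaign's traits (empty list = none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    query = parse_qs(parsed.query)
    reasons = []
    # Trait 1: the host, or a parent domain of it, is on the IOC watchlist.
    labels = host.split(".")
    if any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels) - 1)):
        reasons.append("ioc-domain")
    # Trait 2: a hostname under ondigitalocean.app, which the article reports as constantly
    # rotating. The platform itself is legitimate, so treat this as a weak signal on its own.
    if host == "ondigitalocean.app" or host.endswith(".ondigitalocean.app"):
        reasons.append("ondigitalocean-app-host")
    # Trait 3: the Taboola referral parameters present in the observed redirect URLs.
    if query.get("utm_source") == ["taboola"] and query.get("utm_medium") == ["referral"]:
        reasons.append("taboola-referral-params")
    return reasons


def triage(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each click id to the traits its redirect matched; clicks with no traits are omitted."""
    flagged = {}
    for click_id, body in responses.items():
        target = extract_redirect(body)
        if target is None:
            continue
        reasons = classify_redirect(target)
        if reasons:
            flagged[click_id] = reasons
    return flagged


# Constructed click-response bodies in the quoted format; hostnames and paths are made up
# except for the article's own domain names.
SAMPLE_RESPONSES = {
    "click-1": "document.location.replace('https:\\/\\/foddylearn.com\\/a1\\/?utm_source=taboola&utm_medium=referral');",
    "click-2": "document.location.replace('https:\\/\\/example-app-1234.ondigitalocean.app\\/lock\\/');",
    "click-3": "document.location.replace('https:\\/\\/news.example.com\\/story\\/?utm_source=newsletter');",
    "click-4": "<html><body>no redirect here</body></html>",
}

if __name__ == "__main__":
    for click_id, reasons in triage(SAMPLE_RESPONSES).items():
        print(click_id, ",".join(reasons))
```

    The three traits are scored separately on purpose: an ondigitalocean.app hostname alone is only a hint, whereas a watchlist hit combined with the Taboola referral parameters is the exact pattern the article documents and is worth an alert.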



  1. Posts : 6,363
    Windows 7 Ultimate x64
       #1

    I said this here or on another tech forum. Bought and paid for Ads need to go through some kind of clearing house like VirusTotal before they're unleashed to the public and consumed.

    This Github page has up to date IOCs (Indicators of Compromise) that can be downloaded in CSV format from the month, week or day and the data can be massaged in Excel or Calc and Notepad++ then applied to uBlock Origin, Pi-hole, your own bought and paid for DNS resolver, pfSense, etc.

    Here's another resource on lists galore. Threat Intelligence covert.io

    Note:

    Many of the defanged domains listed above in the article are in that Github repository. Viewing that repository you can see the Twitter mentions... Here's an example of the foddylearn domain. https://twitter.com/MBThreatIntel/st...60073058766848

    The SHA256 (Pronounced shaw) can be looked up at VirusTotal and a deep dive of its relations and behaviors can be seen. Here's an example: VirusTotal. VirusTotal doesn't use MD5 hashes.

    Tip:

    If you have an Amazon AWS S3 bucket you can use S3 Browser and create your own uBlock Origin list... S3 (Simple Storage Service) is literally pennies per fetch and whatnot (Amazon S3 Simple Storage Service Pricing - Amazon Web Services). You can even host a static webpage and use CloudFlare for the CNAME.

    Anyway, it's 99 days till Christmas and my list is ALWAYS HTML rendered and delivered via S3. LOL
    Last edited by F22 Simpilot; 17 Sep 2022 at 02:44.
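    The post above describes the workflow of downloading an IOC export as CSV, cleaning it up in a spreadsheet or editor, and feeding the result to uBlock Origin, Pi-hole or a DNS resolver. The following Python is an added example (not the poster's code and not tied to any particular repository's export format) that automates that cleanup step: it refangs `[.]`/`hxxp` indicators, reduces URL indicators to their hostname, drops non-domain rows and malformed values, de-duplicates, and emits both uBlock Origin filter syntax and HOSTS-format lines that Pi-hole accepts as an adlist. The CSV sample and its `date,type,value` column layout are constructed assumptions; the domains in it are the article's own.

```python
import csv
import io
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample export. The column layout (date,type,value) is an assumption made for this
# example, not the layout of any particular IOC repository. The hash row is a placeholder.
SAMPLE_CSV = """\
date,type,value
2022-09-15,domain,foddylearn[.]com
2022-09-15,domain,Glamorousfeeds[.]com
2022-09-15,url,hxxps://tissatweb[.]us/lock/?utm_source=taboola
2022-09-15,domain, foddylearn[.]com
2022-09-15,sha256,<constructed-hash-placeholder>
2022-09-15,domain,not a domain
"""

# RFC 1035-style hostname check: dotted labels of letters, digits and hyphens, ending in a TLD.
# Anything that fails this is dropped so a stray cell never ends up in a blocklist.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)


def refang(value: str) -> str:
    """Undo the common defanging conventions ('[.]', 'hxxp') so the indicator can be matched."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def indicator_to_domain(ioc_type: str, value: str) -> Optional[str]:
    """Reduce a domain or URL indicator to a validated hostname; other types yield None."""
    refanged = refang(value)
    if ioc_type == "domain":
        host = refanged
    elif ioc_type == "url":
        host = urlparse(refanged).hostname or ""
    else:
        return None
    host = host.rstrip(".")
    return host if HOSTNAME_RE.match(host) else None


def load_domains(csv_text: str) -> List[str]:
    """Parse an IOC CSV export and return the unique, validated, sorted domains to block."""
    domains = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = indicator_to_domain(row["type"].strip().lower(), row["value"])
        if host:
            domains.add(host)
    return sorted(domains)


def to_ublock_filters(domains: List[str]) -> List[str]:
    """uBlock Origin static filter syntax: '||domain^' blocks the domain and its subdomains."""
    return ["||%s^" % d for d in domains]


def to_hosts_file(domains: List[str]) -> List[str]:
    """HOSTS-style lines, the format Pi-hole and most DNS sinkholes accept as an adlist."""
    return ["0.0.0.0 %s" % d for d in domains]


if __name__ == "__main__":
    blocked = load_domains(SAMPLE_CSV)
    print("\n".join(to_ublock_filters(blocked)))
    print("\n".join(to_hosts_file(blocked)))
```

    Hash indicators are deliberately skipped rather than written out, since neither a browser filter list nor a DNS sinkhole can act on a file hash; those belong in an endpoint or VirusTotal lookup, as the post notes.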


  2. Posts : 42
    Windows 7 Pro x64
       #2

    This is one of the biggest threats that internet users face - not just from Edge's newsfeeds but from internet ads in general. Ad brokers assume no responsibility for source/content of the ads since it is usually based on a bidding system.

    This means two things:

    1) Ads are not vetted in any way before they are displayed on a particular website.
    2) You have no legal recourse if you unknowingly fall for malvertising and are infected with malware or lose money on some tech support scam.

    We are all familiar with the "We rely on ads to support this site". We are not familiar with "We're not responsible for ads displayed on this site and are not liable for any loss you may suffer as a result from clicking on ad. We just collect the check".

    No thanks. I block all ads. Period. Like unsolicited Email, they are an attack vector for miscreants.


  3. Posts : 49,060
    Windows 11 Workstation x64
       #3

    YmodemYNot said:
    No thanks. I block all ads.
    So how do you expect websites you visit (like ours) to fund themselves if you and everybody else are blocking their only revenue stream?


  4. Posts : 6,363
    Windows 7 Ultimate x64
       #4

    Detect the Ad blocker with JS and then if blocked initiate a crypto currency miner script. LOL!

    No, it's BS that there are some websites that do that. Better yet, if Ad block detected throw a popup somewhere about a donation.


 
